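---
# Java taint configuration: sources (user-manipulable input), sinks (operations
# that are dangerous when they receive tainted data) and sanitizers (calls the
# analysis treats as clearing taint).
# Entries ending in "*" are presumably prefix/glob matches — confirm against the
# consuming tool's matcher; a plain "Class.method" entry is assumed to match only
# that method.

# Java: sources = user-manipulable input (headers, cookies, query, body, path, env, deserialization)
sources:
# Query string / URL params
- "HttpServletRequest.getParameter"
- "HttpServletRequest.getParameterValues"
- "HttpServletRequest.getQueryString"
# HTTP headers (Cookie, Authorization, X-*, Referer, User-Agent, etc.)
- "HttpServletRequest.getHeader"
- "HttpServletRequest.getHeaders"
- "HttpServletRequest.getIntHeader"
- "HttpServletRequest.getDateHeader"
# Cookies
- "HttpServletRequest.getCookies"
- "Cookie.getValue"
- "Cookie.getComment"
# Body / input stream (form, JSON, raw)
- "HttpServletRequest.getInputStream"
- "HttpServletRequest.getReader"
- "ServletRequest.getParameter*"
# Path / URL (Referer is a header and is already covered by getHeader above;
# the former duplicate entry here was removed)
- "HttpServletRequest.getRequestURI"
- "HttpServletRequest.getPathInfo"
- "HttpServletRequest.getContextPath"
# Jakarta / javax fully-qualified forms (prefix covers all get* methods, so these
# also subsume the unqualified entries above wherever the tool resolves types)
- "jakarta.servlet.http.HttpServletRequest*"
- "javax.servlet.http.HttpServletRequest*"
# Env (deploy/config can be user-influenced)
- "System.getenv"
- "java.lang.System.getenv"
# Deserialization (untrusted payloads)
- "ObjectMapper.readValue"
- "com.fasterxml.jackson.databind.ObjectMapper.readValue"
- "Gson.fromJson"
- "com.google.gson.Gson.fromJson"

# sinks = operations where tainted data causes injection or unsafe access
sinks:
# SQL statements built from strings (bound parameters are the mitigation)
- "Statement.execute"
- "Statement.executeQuery"
- "Statement.executeUpdate"
- "java.sql.Statement*"
# OS command execution
- "Runtime.getRuntime().exec"
- "Runtime.exec"
- "java.lang.Runtime.exec"
- "ProcessBuilder.start"
- "java.lang.ProcessBuilder.start"
# Reflection driven by tainted class / method names
- "Class.forName"
- "Method.invoke"
- "java.lang.reflect.Method.invoke"
# File system access (path traversal when the path is tainted)
- "Files.newInputStream"
- "Files.newOutputStream"
- "java.nio.file.Files*"
- "FileInputStream"
- "java.io.FileInputStream"

# sanitizers = calls treated as removing taint
# NOTE: every entry below is an HTML / JavaScript / URI output encoder or an HTML
# cleaner. None of them neutralizes input for the SQL, command, reflection or
# file sinks listed above, so if the consuming tool lets any sanitizer clear
# taint for any sink, those flows become false negatives. Also, no HTTP response
# or HTML output sink is listed, so these encoders currently have no matching
# sink in this file.
sanitizers:
- "StringEscapeUtils.escapeHtml"
- "org.apache.commons.text.StringEscapeUtils*"
- "Encode.forHtml"
- "Encode.forJavaScript"
- "Encode.forUriComponent"
- "org.owasp.encoder.Encode*"
- "ESAPI.encoder().encodeForHTML"
- "org.owasp.esapi.ESAPI.encoder*"
- "Jsoup.clean"
- "org.jsoup.Jsoup.clean"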