Diff: tools/VisualCodeGrepper-2.1.0/javafunctions.conf

Revision:

1:efe9cad8942f

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/VisualCodeGrepper-2.1.0/javafunctions.conf	Tue Mar 13 14:52:59 2018 +0300
@@ -0,0 +1,46 @@
+// Functions and/or packages known to cause issues in Java code.
+// To add new issues use the format: function name[=>][[N]][description]
+//	(where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal'))
+//
+// NB - function names are case-sensitive for this file
+//
+// OWASP unsafe functions
+sun.misc.Unsafe=>[3]This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully.
+
+// Resource/executable access
+openOrCreateDatabase=>This function is dangerous with user controlled parameters and in the case of mobile devices should be regarded with suspicion - sensitive data should not be stored on the device.
+getIntent=>Function returns an Intent message that has been passed to the application.  Data from Intents should be considered untrusted and be validated for length, data type, content etc.
+
+// OWASP list of file input/output functions
+openFileOutput=>Creates a local file on the device. This function is dangerous with user controlled parameters and in the case of mobile devices should be regarded with suspicion - sensitive data should not be stored on the device.
+FileInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+FilterInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+SequenceInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+ObjectInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+PipedInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+StreamTokenizer=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+getResourceAsStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+java.io.FileReader=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+java.io.FileWriter=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+java.io.RandomAccessFile=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+java.io.File=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+java.io.FileOutputStream=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename.
+
+// Web and network
+getParameterNames=>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised.
+getParameter =>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised.
+getParameterValues=>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised.
+getParamaterMap =>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised.
+
+//Randomness and entropy
+java.util.Random=>[2]This package is flawed and produces predictable values for any given seed which are easily reproducible once the starting seed is identified.
+
+// Cryptography
+xor=>The application makes use of 'xor'. Check that it is not being used for obfuscation purposes as this can be trivially reversed.
+"SHA-1"=>[3]The code appears to use the SHA-1 algorithm. This is no longer considered secure and a safe alternative should be used instead.
+"DES"=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead.
+"MD5"=>[3]The code appears to use the MD5 algorithm. This is no longer considered secure and a safe alternative should be used instead, such as SHA-2.
+Cipher.newInstance("DES=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead.
+Cipher.newInstance("ECB=>[3]The code appears to use ECB. This is not always secure and resident properties of the plaintext may be visible in the ciphertext. An attacker may be able to analyze patterns in order to deduce properties that the encryption is intended to hide.
+Cipher.getInstance("DES=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead.
+Cipher.getInstance("ECB=>[3]The code appears to use ECB. This is not always secure and resident properties of the plaintext may be visible in the ciphertext. An attacker may be able to analyze patterns in order to deduce properties that the encryption is intended to hide.