Maxim Integrated's IoT development kit
Dependencies: MAX30101 MAX30003 MAX113XX_Pixi MAX30205 max32630fthr USBDevice
tools/VisualCodeGrepper-2.1.0/javafunctions.conf@1:efe9cad8942f, 2018-03-13 (annotated)
- Committer: Mahir Ozturk
- Date: Tue Mar 13 14:52:59 2018 +0300
- Revision: 1:efe9cad8942f
Commit project files
Change-Id: I2188228f2a27e9a13e2407846e48b38c2596caa0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| Mahir Ozturk | 1:efe9cad8942f | 1 | // Functions and/or packages known to cause issues in Java code. |
| Mahir Ozturk | 1:efe9cad8942f | 2 | // To add new issues use the format: function name[=>][[N]][description] |
| Mahir Ozturk | 1:efe9cad8942f | 3 | // (where N is a severity rating of 1 (Critical) to 3 (Medium) (or optionally, 0 for 'normal')) |
| Mahir Ozturk | 1:efe9cad8942f | 4 | // |
| Mahir Ozturk | 1:efe9cad8942f | 5 | // NB - function names are case-sensitive for this file |
| Mahir Ozturk | 1:efe9cad8942f | 6 | // |
| Mahir Ozturk | 1:efe9cad8942f | 7 | // OWASP unsafe functions |
| Mahir Ozturk | 1:efe9cad8942f | 8 | sun.misc.Unsafe=>[3]This package allows direct access to memory locations, potentially resulting in C-style memory and buffer issues if not used carefully. |
| Mahir Ozturk | 1:efe9cad8942f | 9 | |
| Mahir Ozturk | 1:efe9cad8942f | 10 | // Resource/executable access |
| Mahir Ozturk | 1:efe9cad8942f | 11 | openOrCreateDatabase=>This function is dangerous with user controlled parameters and in the case of mobile devices should be regarded with suspicion - sensitive data should not be stored on the device. |
| Mahir Ozturk | 1:efe9cad8942f | 12 | getIntent=>Function returns an Intent message that has been passed to the application. Data from Intents should be considered untrusted and be validated for length, data type, content etc. |
| Mahir Ozturk | 1:efe9cad8942f | 13 | |
| Mahir Ozturk | 1:efe9cad8942f | 14 | // OWASP list of file input/output functions |
| Mahir Ozturk | 1:efe9cad8942f | 15 | openFileOutput=>Creates a local file on the device. This function is dangerous with user controlled parameters and in the case of mobile devices should be regarded with suspicion - sensitive data should not be stored on the device. |
| Mahir Ozturk | 1:efe9cad8942f | 16 | FileInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 17 | FilterInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 18 | SequenceInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 19 | ObjectInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 20 | PipedInputStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 21 | StreamTokenizer=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 22 | getResourceAsStream=>This function acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 23 | java.io.FileReader=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 24 | java.io.FileWriter=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 25 | java.io.RandomAccessFile=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 26 | java.io.File=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 27 | java.io.FileOutputStream=>This functionality acts as an entry point for external data and the code should be manually checked to ensure the data obtained is correctly validated and/or sanitised. Additionally, carefull checks/sanitisation should be applied in any situation where the user may be able to control or affect the filename. |
| Mahir Ozturk | 1:efe9cad8942f | 28 | |
| Mahir Ozturk | 1:efe9cad8942f | 29 | // Web and network |
| Mahir Ozturk | 1:efe9cad8942f | 30 | getParameterNames=>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised. |
| Mahir Ozturk | 1:efe9cad8942f | 31 | getParameter =>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised. |
| Mahir Ozturk | 1:efe9cad8942f | 32 | getParameterValues=>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised. |
| Mahir Ozturk | 1:efe9cad8942f | 33 | getParamaterMap =>This function extracts data directly from the HTTP request. Manually check the code to ensure the data obtained is correctly validated and/or sanitised. |
| Mahir Ozturk | 1:efe9cad8942f | 34 | |
| Mahir Ozturk | 1:efe9cad8942f | 35 | //Randomness and entropy |
| Mahir Ozturk | 1:efe9cad8942f | 36 | java.util.Random=>[2]This package is flawed and produces predictable values for any given seed which are easily reproducible once the starting seed is identified. |
| Mahir Ozturk | 1:efe9cad8942f | 37 | |
| Mahir Ozturk | 1:efe9cad8942f | 38 | // Cryptography |
| Mahir Ozturk | 1:efe9cad8942f | 39 | xor=>The application makes use of 'xor'. Check that it is not being used for obfuscation purposes as this can be trivially reversed. |
| Mahir Ozturk | 1:efe9cad8942f | 40 | "SHA-1"=>[3]The code appears to use the SHA-1 algorithm. This is no longer considered secure and a safe alternative should be used instead. |
| Mahir Ozturk | 1:efe9cad8942f | 41 | "DES"=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead. |
| Mahir Ozturk | 1:efe9cad8942f | 42 | "MD5"=>[3]The code appears to use the MD5 algorithm. This is no longer considered secure and a safe alternative should be used instead, such as SHA-2. |
| Mahir Ozturk | 1:efe9cad8942f | 43 | Cipher.newInstance("DES=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead. |
| Mahir Ozturk | 1:efe9cad8942f | 44 | Cipher.newInstance("ECB=>[3]The code appears to use ECB. This is not always secure and resident properties of the plaintext may be visible in the ciphertext. An attacker may be able to analyze patterns in order to deduce properties that the encryption is intended to hide. |
| Mahir Ozturk | 1:efe9cad8942f | 45 | Cipher.getInstance("DES=>[3]The code appears to use the DES algorithm. This is no longer considered secure and a safe alternative such as AES should be used instead. |
| Mahir Ozturk | 1:efe9cad8942f | 46 | Cipher.getInstance("ECB=>[3]The code appears to use ECB. This is not always secure and resident properties of the plaintext may be visible in the ciphertext. An attacker may be able to analyze patterns in order to deduce properties that the encryption is intended to hide. |
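Review bot: three rules in this file can never fire because their patterns do not match the API they target, since the header says names are matched case-sensitively as written. File line 33 uses `getParamaterMap =>` (the servlet method is `getParameterMap`), and file lines 43-44 use `Cipher.newInstance("DES` and `Cipher.newInstance("ECB`, but javax.crypto.Cipher has no `newInstance` method; the `Cipher.getInstance("DES` / `Cipher.getInstance("ECB` entries on lines 45-46 already cover the real call, so the two `newInstance` lines can be dropped and line 33 respelled. Two smaller points: `carefull` in the descriptions on lines 16-27 should be `careful`, and lines 31 and 33 put a space before `=>` while every other rule does not, which is worth normalising so the name is not read as `getParameter ` with a trailing space.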
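The rule format the file header describes (function name[=>][[N]][description], `//` comment lines, case-sensitive names) worked through as a small parser and scanner. This is an added example, not VisualCodeGrepper's own implementation; it assumes VCG matches each rule name as a case-sensitive substring of a source line, and the Java snippet and the shortened rule descriptions are constructed for the demonstration.

```python
# Added example (not VCG's own code): parse VCG-style rule lines and run them
# over Java source. Rule format per the file header: name[=>][[N]][description],
# N = 1 (Critical) .. 3 (Medium), or 0 for 'normal'; names are case-sensitive.
# Assumption: a rule hits when its name is a substring of a source line.
from __future__ import annotations
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^(?P<name>.+?)\s*=>\s*(?:\[(?P<sev>\d)\])?(?P<desc>.*)$")


@dataclass(frozen=True)
class Rule:
    name: str         # pattern searched for in source lines (case-sensitive)
    severity: int     # 0 = normal, 1 = critical, 3 = medium
    description: str


def parse_rules(text: str) -> list[Rule]:
    """Skip // comments and blank lines; tolerate malformed lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = RULE_RE.match(line)
        if m:
            sev = int(m.group("sev")) if m.group("sev") else 0
            rules.append(Rule(m.group("name").strip(), sev, m.group("desc").strip()))
    return rules


def scan_source(source: str, rules: list[Rule]) -> list[tuple[int, str, int]]:
    """Return (line number, rule name, severity) hits, most severe first."""
    hits = [(n, r.name, r.severity)
            for n, line in enumerate(source.splitlines(), start=1)
            for r in rules if r.name in line]
    # Severity 1 is the worst; 0 ('normal') sorts last
    return sorted(hits, key=lambda h: (h[2] or 99, h[0]))


# Constructed sample: four rules shortened from the page and a made-up Java snippet
SAMPLE_RULES = '''// Web and network
getParameter =>This function extracts data directly from the HTTP request.
"SHA-1"=>[3]The code appears to use the SHA-1 algorithm.
java.util.Random=>[2]This package is flawed and produces predictable values.
xor=>The application makes use of 'xor'.
'''
SAMPLE_JAVA = '''String id = request.getParameter("id");
MessageDigest md = MessageDigest.getInstance("SHA-1");
Random rnd = new java.util.Random(42);
int masked = secret ^ 0x5A; // cheap xor "obfuscation"
'''
```

Note that the `xor` rule matches the comment text on the last Java line as well, which is the kind of false positive a plain substring rule produces and why the descriptions ask for a manual check.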