![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
29803562eb
|
(Snyk) Fixed finding: "Improper Neutralization of CRLF Sequences in HTTP Headers" (#3424)
## Remediation
This change fixes "Improper Neutralization of CRLF Sequences in HTTP
Headers" (id = java/HttpResponseSplitting) identified by Snyk.
## Details
This change ensures that HTTP response header values can't contain
newline characters, leaving you vulnerable to HTTP response splitting
and other attacks.
If malicious users can get newline characters into an HTTP response
header, they can inject and forge new header values that look like they
came from the server, and trick web gateways, proxies, and browsers.
This leads to vulnerabilities like Cross-site Scripting (XSS), HTTP
response splitting, and more attacks from there.
Our change simply makes sure that if the string passed to be a new
response header value is non-null, all the newline characters (CR and
LF) will be removed:
```diff
+ import io.github.pixee.security.Newlines;
...
String orderId = getUserOrderId();
- response.setHeader("X-Acme-Order-ID", orderId);
+ response.setHeader("X-Acme-Order-ID", Newlines.stripAll(orderId));
```
Note: Many modern application servers will sanitize these values, but
it's almost never specified in documentation, and thus there is little
guarantee against regression. Given that, we still recommend this
practice.
<details>
<summary>More reading</summary>
*
[https://cwe.mitre.org/data/definitions/113](https://cwe.mitre.org/data/definitions/113)
*
[https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/)
*
[https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
*
[https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/](https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/)
</details>
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2025-04-26 23:25:03 +01:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
3afacf2405
|
Switch order of literals to prevent NullPointerException (#2769)
This change defensively switches the order of literals in comparison
expressions to ensure that no null pointer exceptions are unexpectedly
thrown. Runtime exceptions especially can cause exceptional and
unexpected code paths to be taken, and this can result in unexpected
behavior.
Both simple vulnerabilities (like information disclosure) and complex
vulnerabilities (like business logic flaws) can take advantage of these
unexpected code paths.
Our changes look something like this:
```diff
String fieldName = header.getFieldName();
String fieldValue = header.getFieldValue();
- if(fieldName.equals("requestId")) {
+ if("requestId".equals(fieldName)) {
logRequest(fieldValue);
}
```
<details>
<summary>More reading</summary>
*
[https://cwe.mitre.org/data/definitions/476.html](https://cwe.mitre.org/data/definitions/476.html)
*
[https://en.wikibooks.org/wiki/Java_Programming/Preventing_NullPointerException](https://en.wikibooks.org/wiki/Java_Programming/Preventing_NullPointerException)
*
[https://rules.sonarsource.com/java/RSPEC-1132/](https://rules.sonarsource.com/java/RSPEC-1132/)
</details>
🧚🤖 Powered by Pixeebot
[Feedback](https://ask.pixee.ai/feedback) |
[Community](https://pixee-community.slack.com/signup#/domain-signup) |
[Docs](https://docs.pixee.ai/) | Codemod ID:
pixee:java/switch-literal-first

<!--{"type":"DRIP","codemod":"pixee:java/switch-literal-first"}-->
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2025-01-22 10:39:47 +00:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
d832a90de0
|
(CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")
" (#2344)
(CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")
"
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-11-27 07:16:03 +00:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
af5e2b6895
|
Modernize and secure temp file creation (#2106)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-10-28 23:19:12 +00:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
09c9944fc3
|
Switch order of literals to prevent NullPointerException (#2035)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-10-18 07:15:10 +01:00 |
|
 ![github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>](/assets/img/avatar_default.png)  ![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
b31564968c
|
Introduced protections against system command injection (#2011)
* Introduced protections against system command injection
* Update translation files (#2034)
Signed-off-by: GitHub Action <[email protected]>
Co-authored-by: GitHub Action <[email protected]>
---------
Signed-off-by: GitHub Action <[email protected]>
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
Co-authored-by: Anthony Stirling <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: GitHub Action <[email protected]>
|
2024-10-18 00:10:42 +01:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
b7d37deb85
|
Refactored to use parameterized SQL APIs (#1545)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-07-09 21:18:32 +01:00 |
|
 pixeebot[bot]andGitHub
|
88338b4dbc
|
(Sonar) Fixed finding: "Utility classes should not have public constructors"
|
2024-06-07 07:52:26 +00:00 |
|
 pixeebot[bot]andGitHub
|
9147d364bc
|
(Sonar) Fixed finding: "@Override should be used on overriding and implementing methods"
|
2024-06-07 04:38:10 +00:00 |
|
 pixeebot[bot]andGitHub
|
503acc9408
|
Introduced protections against HTTP header injection / smuggling attacks
|
2024-05-07 03:44:03 +00:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
5564f378e5
|
(Sonar) Fix "String#replace should be preferred to String#replaceAll" (#1056)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-04-09 06:52:52 +01:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
54c3bee205
|
Replaced Stream.collect(Collectors.toList()) with Stream.toList() (Sonar) (#1018)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-04-03 22:41:24 +01:00 |
|
![pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>](/assets/img/avatar_default.png) 
|
1035a3be31
|
Define a constant for a literal string that is duplicated n times (Sonar) (#978)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
|
2024-03-28 17:44:10 +00:00 |
|