Trust boundary violation¶
ID: java/trust-boundary-violation Kind: path-problem Security severity: 8.8 Severity: error Precision: medium Tags: - security - external/cwe/cwe-501 Query suites: - java-security-extended.qls - java-security-and-quality.qls Click to see the query in the CodeQL repository
A trust boundary violation occurs when a value is passed from a less trusted context to a more trusted context.
For example, a value that is generated by a less trusted source, such as a user, may be passed to a more trusted source, such as a system process. If the less trusted source is malicious, then the value may be crafted to exploit the more trusted source.
Trust boundary violations are often caused by a failure to validate input. For example, if a web application accepts a cookie from a user, then the application should validate the cookie before using it. If the cookie is not validated, then the user may be able to craft a malicious cookie that exploits the application.
Recommendation¶
To maintain a trust boundary, validate data from less trusted sources before use.
Example¶
In the first (bad) example, the server accepts a parameter from the user, then uses it to set the username without validation.
public void doGet(HttpServletRequest request, HttpServletResponse response) { String username = request.getParameter("username"); // BAD: The input is written to the session without being sanitized. request.getSession().setAttribute("username", username); } In the second (good) example, the server validates the parameter from the user, then uses it to set the username.
public void doGet(HttpServletRequest request, HttpServletResponse response) { String username = request.getParameter("username"); if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) { // GOOD: The input is sanitized before being written to the session. request.getSession().setAttribute("username", username); } } References¶
Wikipedia: Trust boundary.
Common Weakness Enumeration: CWE-501.