
Trust boundary violation

ID: java/trust-boundary-violation
Kind: path-problem
Security severity: 8.8
Severity: error
Precision: medium
Tags:
  - security
  - external/cwe/cwe-501
Query suites:
  - java-security-extended.qls
  - java-security-and-quality.qls


A trust boundary violation occurs when a value is passed from a less trusted context to a more trusted context.

For example, a value that is generated by a less trusted source, such as a user, may be passed to a more trusted source, such as a system process. If the less trusted source is malicious, then the value may be crafted to exploit the more trusted source.

Trust boundary violations are often caused by a failure to validate input. For example, if a web application accepts a cookie from a user, then the application should validate the cookie before using it. If the cookie is not validated, then the user may be able to craft a malicious cookie that exploits the application.

Recommendation

To maintain a trust boundary, validate data from less trusted sources before use.

Example

In the first (bad) example, the server accepts a parameter from the user, then uses it to set the username without validation.

```java
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String username = request.getParameter("username");
    // BAD: The input is written to the session without being sanitized.
    request.getSession().setAttribute("username", username);
}
```

In the second (good) example, the server validates the parameter from the user, then uses it to set the username.

```java
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String username = request.getParameter("username");
    if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
        // GOOD: The input is sanitized before being written to the session.
        request.getSession().setAttribute("username", username);
    }
}
```
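As an added illustration (not part of the CodeQL documentation), the following self-contained class shows the kind of allow-list check that can sit on the boundary before a request parameter is written to the session. The class name `UsernameBoundary`, the username policy, and the `Map` standing in for `HttpSession` are assumptions made for this example.

```java
import java.text.Normalizer;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

public class UsernameBoundary {
    // Assumed policy: 3-20 characters drawn from ASCII letters, digits, '.', '_' and '-'.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._-]{3,20}");

    /** Returns the canonical username if it passes the allow-list, otherwise empty. */
    static Optional<String> validate(String raw) {
        if (raw == null) {
            return Optional.empty(); // parameter missing from the request
        }
        // Normalize first so the allow-list is applied to the form that will be stored.
        String canonical = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        // matches() requires the whole string to match, so a trailing newline is rejected.
        return ALLOWED.matcher(canonical).matches() ? Optional.of(canonical) : Optional.empty();
    }

    /** Writes to the trusted store only after validation; reports whether it did. */
    static boolean storeUsername(Map<String, Object> session, String raw) {
        Optional<String> valid = validate(raw);
        valid.ifPresent(u -> session.put("username", u));
        return valid.isPresent();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as they might arrive in the "username" parameter.
        String[] samples = {
            "alice_01",                 // valid
            "x",                        // too short
            "bob smith",                // space is not on the allow-list
            "carol\n",                  // trailing newline
            "averyveryverylongusername", // longer than 20 characters
            "\uFF41\uFF4C\uFF49\uFF43\uFF45", // fullwidth letters, NFKC folds them to "alice"
            null                        // parameter absent
        };
        for (String s : samples) {
            Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession
            boolean stored = storeUsername(session, s);
            System.out.println((stored ? "stored:   " : "rejected: ") + session.get("username"));
        }
    }
}
```

Only the canonical, validated value reaches the session; rejected inputs leave it untouched.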
