Amazon CodeGuruDetector Library Sign in to CodeGuru

CodeGuru

Detector Library

Java detectors (129/129)

Reflected cross site scripting Improper service shutdown Mandatory method not called after object creation Unrestricted upload of dangerous file type Process empty record list in Amazon KCL Untrusted AMI images AWS object presence check Insecure SAML parser configuration Cross-site request forgery Case sensitive keys in S3 object user metadata Missing timeout check on CountDownLatch.await Unspecified default value Device Permission Usage.Deserialization of untrusted object Stack trace not included in re-thrown exception Preserve thread interruption status rule Missing check on the value returned by moveToFirst API Missing timeout check on ExecutorService.awaitTermination Region specification missing from AWS client initialization Overflow when deserializing relational database objects Custom manual retries of AWS SDK calls Insufficient number of PBEKeySpec iterations URL redirection to untrusted site Use of externally-controlled input to select classes or code Missing null check for cache response metadata Inefficient usage of Transaction library from AWS Labs Insecure connection using unencrypted protocol Missing encryption of sensitive data in storage Inefficient additional authenticated data (AAD) authenticity Ignored output of DynamoDBMapper operations Use of a deprecated method Error-prone AWS IAM policy creation Use of externally-controlled input to build connection string Inefficient Amazon S3 manual pagination Null pointer dereference Cross-site scripting Unauthenticated LDAP requests Mutually exclusive call Use of inefficient APIs Low maintainability with old Android features AWS Lambda client not reused Atomicity violation Missing check on the result of createNewFile Missing handling of specifically-thrown exceptions Sensitive data stored unencrypted due to partial encryption Weak obfuscation of web request Missing statement to record cause of InvocationTargetException Misconfigured Concurrency Inefficient polling of AWS resource Clear text credentials Unexpected re-assignment of synchronized objects Session fixation XPath injection Syntax error in file Catching and not re-throwing or logging exceptions Missing check when launching an Android activity with an implicit intent Client constructor deprecation AWS client not reused in a Lambda function Inefficient use of stream sorting Arithmetic overflow or underflow Simplifiable code Loose file permissions Long polling is not enabled in Amazon SQS Insecure temporary file or directory HTTP response splitting Manual pagination Incorrect string equality operator Input and output values become out of sync Inefficient chain of AWS API calls Server-side request forgery OS command injection Missing Authorization for address id Do not catch and throw exception Code clone Concurrency deadlock Not recommended aws credentials classes SQL injection Path traversal Missing check on method output Override of reserved variable names in a Lambda function Missing byte array length of JSON parser Usage of an API that is not recommended Missing pagination Hardcoded credentials Insecure JSON web token (JWT) parsing Not calling finalize causes skipped cleanup steps Unchecked S3 object metadata content length Untrusted data in security decision Permissive cors configuration rule Insecure cookie Resources used by an Amazon S3 TransferManager are not released Insecure cryptography Resource leak Missing timezone of SimpleDateFormat XML External Entity Bad parameters used with AWS API methods Missing position check before getting substring LDAP injection Low maintainability with low class cohesion Avoid reset exception in Amazon S3 Oversynchronization Insecure hashing Backward compatibility breaks with error message parsing Inefficient map entry iteration Missing S3 bucket owner condition AWS DynamoDB getItem output is not null checked Log injection Sensitive information leak Infinite loop Batch operations preferred over looping Synchronous publication of AWS Lambda metrics XML External Entity Document Builder Factory Improper use of classes that aren't thread-safe Incorrect null check before setting a value Object Input Stream Insecure Deserialization Weak pseudorandom number generation Insecure CORS policy Insufficient use of name in Amazon SQS queue Missing check on the value returned by ResultSet.next Insecure TLS version Missing handling of file deletion result Amazon SQS message visibility changed without a status check State machine execution ARN is not logged Client-side KMS reencryption Unsanitized input is run as code Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny Use an enum to specify an AWS Region Batch request with unchecked failures Improperly formatted string arguments

Unsanitized input is run as code Critical

Running scripts generated from unsanitized inputs (for example, evaluating expressions that include user-provided strings) can lead to malicious behavior and inadvertently running code remotely.

Detector ID

java/code-injection@v1.0

Category

Common Weakness Enumeration (CWE)

Tags

# injection # owasp-top10 # top25-cwes

Noncompliant example

1public void evaluateJavaScriptNoncompliant(HttpServletRequest request) throws ScriptException {
2    final String parameter = request.getParameter("parameter");
3    ScriptEngineManager manager = new ScriptEngineManager();
4    ScriptEngine engine = manager.getEngineByName("JavaScript");
5    // Noncompliant: user-supplied parameter evaluated as a script.
6    engine.eval(parameter);
7}

Compliant example

1public void evaluateJavaScriptCompliant(HttpServletRequest request) throws ScriptException {
2    final String parameter = request.getParameter("parameter");
3    ScriptEngineManager manager = new ScriptEngineManager();
4    ScriptEngine engine = manager.getEngineByName("JavaScript");
5    // Compliant: user-supplied parameter must be in allow-list to be evaluated.
6    if (!parameter.matches("[\\w]+")) {
7        // String does not match allow-listed characters
8        throw new IllegalArgumentException();
9    }
10    engine.eval(parameter);
11}