Untrusted data in security decision High

Security decisions should not depend on branching that can be influenced by untrusted or client-provided data. For example, using a client-provided session ID (instead of a server-provided ID) in a conditional statement might allow an attacker to search for IDs of active sessions.

Detector ID
Common Weakness Enumeration (CWE) external icon

Noncompliant example

1public void logSessionIdNoncompliant(HttpServletRequest request) {
2    final String sessionId = request.getRequestedSessionId();
3    // Noncompliant: user-supplied session ID is used to make a decision.
4    if (sessionId != null && sessionId.equals("ImportantSession")) {
5        System.out.println("Client-provided session ID: " + sessionId + " is important");
6    }

Compliant example

1public void logSessionIdCompliant(HttpServletRequest request) {
2    // Compliant: user-supplied session ID is not used to make decisions.
3    System.out.println("Client-provided session ID: " + request.getRequestedSessionId());