Trust boundary violation¶
ID: java/trust-boundary-violation
Kind: path-problem
Security severity: 8.8
Severity: error
Precision: medium
Tags:
- security
- external/cwe/cwe-501
Query suites:
- java-security-extended.qls
- java-security-and-quality.qls
A trust boundary violation occurs when a value crosses from a less trusted context into a more trusted one without being validated on the way.
For example, a value that originates from a less trusted source, such as a user, may be passed to a more trusted sink, such as a system process or a server-side session store. If the less trusted source is malicious, the value may be crafted to exploit the code that trusts it.
Trust boundary violations are often caused by a failure to validate input. For example, if a web application accepts a cookie from a user, it should validate the cookie before using it. If the cookie is not validated, the user may be able to craft a malicious cookie that exploits the application.
Recommendation¶
To maintain a trust boundary, validate data from less trusted sources before use, and in particular before storing it somewhere that later code treats as trusted, such as the HTTP session. The validation must guard the write itself: a check whose result does not decide whether the value is stored does not stop the value from crossing the boundary.
Example¶
In the first (bad) example, the server reads a parameter from the request and stores it in the session as the username without validating it.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doGet(HttpServletRequest request, HttpServletResponse response) {
String username = request.getParameter("username");
// BAD: The untrusted request parameter is written to the session without being validated.
request.getSession().setAttribute("username", username);
}
In the second (good) example, the server validates the parameter first and stores it in the session only if the check passes. The call has the shape of OWASP ESAPI's Validator.isValidInput: a context label for error reporting, the input, the name of a configured validation pattern, a maximum length, and whether null is allowed.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// validator: e.g. an org.owasp.esapi.Validator obtained from ESAPI.validator()
public void doGet(HttpServletRequest request, HttpServletResponse response) {
String username = request.getParameter("username");
if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
// GOOD: The write to the session is reached only when the input passed validation.
request.getSession().setAttribute("username", username);
}
}
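The following is an added, self-contained version of the good example that does not depend on ESAPI; it is not code from the CodeQL repository. The validator is a hypothetical allow-list (letters, digits, `.`, `_`, `-`, 3 to 20 characters, leading letter) applied after NFKC normalization, so that look-alike full-width characters are either canonicalized or rejected rather than stored verbatim. Only the canonical value ever reaches `setAttribute`; on failure the raw parameter goes nowhere. The `main` method exercises the validator on constructed inputs and needs only the JDK; compiling the class itself additionally requires the Servlet API (`javax.servlet-api`) on the classpath.

```java
import java.io.IOException;
import java.text.Normalizer;
import java.util.Optional;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UsernameServlet extends HttpServlet {

    // Hypothetical allow-list: a leading letter followed by 2..19 of [A-Za-z0-9._-].
    // Anything else (whitespace, control characters, markup, emoji) fails to match.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z][A-Za-z0-9._-]{2,19}$");

    /**
     * Validates an untrusted username and returns the canonical value to store,
     * or Optional.empty() if the input is rejected.
     * NFKC normalization runs first so that compatibility variants (e.g. full-width
     * letters) collapse to their ASCII form before the allow-list is applied.
     */
    static Optional<String> validateUsername(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        String normalized = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        if (!USERNAME.matcher(normalized).matches()) {
            return Optional.empty();
        }
        return Optional.of(normalized);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String username = request.getParameter("username");
        Optional<String> valid = validateUsername(username);
        if (!valid.isPresent()) {
            // Nothing derived from the raw parameter crosses into the session.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username");
            return;
        }
        // GOOD: only the validated, canonical value is written to the trusted session store,
        // and this write is reachable solely through the successful validation branch.
        HttpSession session = request.getSession();
        session.setAttribute("username", valid.get());
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Stand-alone demonstration on constructed inputs; no servlet container required.
    public static void main(String[] args) {
        String[] inputs = {
            "alice",            // accepted as "alice"
            "bob_01",           // accepted as "bob_01"
            "\uFF41lice",       // full-width 'a': NFKC -> "alice", accepted in canonical form
            "a",                // too short, rejected
            "1user",            // must start with a letter, rejected
            "al<script>",       // markup, rejected
            "ali\u200Bce",      // zero-width space survives NFKC, rejected by the allow-list
            "alice\n",          // trailing control character, rejected
            null                // missing parameter, rejected
        };
        for (String in : inputs) {
            String shown = in == null ? "null" : in.replace("\n", "\\n");
            String result = validateUsername(in).map(v -> "accepted as \"" + v + "\"").orElse("rejected");
            System.out.printf("%-14s -> %s%n", shown, result);
        }
    }
}
```

The point a path query like this one checks is whether a value from `getParameter` can reach `setAttribute` at all. Logging a warning and storing the raw value anyway, or writing the raw string before the check runs, leaves that flow intact and is still reported; routing every write through the validated result, as above, removes it.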
References¶
Wikipedia: Trust boundary.
Common Weakness Enumeration: CWE-501.