5 new issues in the Java analyzer
We have added 5 new issues in the Java analyzer:
JAVA-A1027 - Audit: Setting bean properties with unsanitized input may be a security risk
This issue is raised when an instance of a JavaBean property is set with a value that may be from external data.
Example
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtils;

class UserDataBean { /*...*/ }

void method(HttpServletRequest request) throws ReflectiveOperationException {
    // Request parameters are attacker-controlled.
    Map<String, String[]> params = request.getParameterMap();
    UserDataBean bean = new UserDataBean();
    BeanUtils.populate(bean, params); // Insecure: every parameter reaches a matching setter.
}
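An added example, not DeepSource's own code, showing the flagged call next to an allowlist-based fix that copies only the properties a client is meant to control; it assumes the Apache Commons BeanUtils and Servlet APIs, and the bean, handler and property names are invented:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtils;

// Hypothetical bean: one property a user may edit, one they must not.
public class UserDataBean {
    private String displayName;
    private boolean admin; // must never be set from request data

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String v) { displayName = v; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean v) { admin = v; }
}

class ProfileHandler {
    // Properties the client is allowed to set; anything else is dropped.
    private static final Set<String> ALLOWED = Set.of("displayName");

    // Keep only allowlisted parameter names before they reach any setter.
    static Map<String, String[]> filterParams(Map<String, String[]> params) {
        Map<String, String[]> safe = new HashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (ALLOWED.contains(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    void update(HttpServletRequest request, UserDataBean bean)
            throws ReflectiveOperationException {
        // Flagged form: a request carrying admin=true would call setAdmin(true).
        // BeanUtils.populate(bean, request.getParameterMap());

        // Hardened form: only displayName can be populated from the request.
        BeanUtils.populate(bean, filterParams(request.getParameterMap()));
    }
}
```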
JAVA-A1028 - Audit: Web views should not have access to files
This issue is raised when code uses the setAllowFileAccess() or setAllowContentAccess() methods in Android code with true as the argument.
Example
WebView webView = someView.findViewById(R.id.some_web_view);
webView.getSettings().setAllowFileAccess(true);
// OR
webView.getSettings().setAllowContentAccess(true);
JAVA-A1029 - Audit: Enabling JavaScript within a web view is a security risk
This issue is raised when code uses the setJavaScriptEnabled() method in Android code with true as the argument.
Example
WebView webView = someView.findViewById(R.id.some_web_view);
// Only do this if you absolutely need it!
webView.getSettings().setJavaScriptEnabled(true);
JAVA-A1030 - Audit: Biometric authentication should always be used with a cryptographic object
This issue is raised when biometric authentication is used without also setting a CryptoObject value.
Example
biometricLoginButton.setOnClickListener(view -> {
// Not useful!
biometricPrompt.authenticate(promptInfo);
});
JAVA-S1031 - SecureRandom seeds must not be predictable
This issue is raised when a SecureRandom random number generator instance is created with a predictable seed (such as a constant value, or the current system clock value).
Example
SecureRandom notSoRandom = new SecureRandom();
notSoRandom.setSeed(3L); // This is a very predictable seed!
// This uses the SecureRandom(byte[] seed) constructor:
notSoRandom = new SecureRandom("qwerty".getBytes()); // A constant string is just as predictable.