Commit 283c3b1

Jami Cogswell
authored and committed
Java: minor qhelp updates
1 parent 516df3b commit 283c3b1

File tree

1 file changed: +4 -4 lines changed


java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.qhelp

Lines changed: 4 additions & 4 deletions
@@ -3,7 +3,7 @@
33

44
<overview>
55
<p>When you set up a web server to receive a request from a client without any mechanism
6-
for verifying that it was intentionally sent, then it is vulnerable to a Cross Site Request
6+
for verifying that it was intentionally sent, then it is vulnerable to a Cross-Site Request
77
Forgery (CSRF) attack. An attacker can trick a client into making an unintended request
88
to the web server that will be treated as an authentic request. This can be done via a URL,
99
image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.</p>
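Review bot: the hyphenation fix on line 6 leaves the sentence it sits in slightly off, because the clause opened with "When" on line 5 does not need the "then" that follows on line 6; since this line is already being touched, drop it so the sentence reads "...without any mechanism for verifying that it was intentionally sent, it is vulnerable to a Cross-Site Request Forgery (CSRF) attack." Please also check that any other spelling of the term elsewhere in this qhelp file (for example in a title or query name) is changed to the hyphenated form so the document is consistent with this hunk.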
@@ -17,21 +17,21 @@ should only perform read-only operations and should not be used for actions that
1717
state.</p>
1818

1919
<p>This query currently supports the Spring and Stapler web frameworks. Spring provides default CSRF protection
20-
for all unsafe HTTP methods. Stapler provides default CSRF protection for the <code>POST</code> method.</p>
20+
for all unsafe HTTP methods whereas Stapler provides default CSRF protection for the <code>POST</code> method.</p>
2121
</recommendation>
2222

2323
<example>
2424
<p> The following examples show Spring request handlers allowing safe HTTP request methods for state-changing actions.
2525
Since safe HTTP request methods do not have default CSRF protection in Spring, they should not be used when modifying
26-
application state. Instead use one of the unsafe HTTP methods which Spring default-protects from CSRF.</p>
26+
application state. Instead, use one of the unsafe HTTP methods which Spring default-protects from CSRF.</p>
2727

2828
<sample src="CsrfUnprotectedRequestTypeBadSpring.java" />
2929

3030
<sample src="CsrfUnprotectedRequestTypeGoodSpring.java" />
3131

3232
<p> The following examples show Stapler web methods allowing safe HTTP request methods for state-changing actions.
3333
Since safe HTTP request methods do not have default CSRF protection in Stapler, they should not be used when modifying
34-
application state. Instead use the <code>POST</code> method which Stapler default-protects from CSRF.</p>
34+
application state. Instead, use the <code>POST</code> method which Stapler default-protects from CSRF.</p>
3535

3636
<sample src="CsrfUnprotectedRequestTypeBadStapler.java" />
3737
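Review bot: "whereas" joins two independent clauses on line 20 and needs a comma before it: "for all unsafe HTTP methods, whereas Stapler provides default CSRF protection for the <code>POST</code> method." The same sentence attributes the protection to "Spring" in general; the default CSRF filter that rejects unsafe HTTP methods lacking a token belongs to Spring Security rather than to Spring MVC, so a plain MVC application without Spring Security has no such default, and the recommendation on lines 19-20 would be more accurate as "Spring (when Spring Security is enabled)". Minor style point: the unchanged context lines 24 and 32 open with "<p> The" (a stray space after the opening tag); since this commit is already tidying the wording of those two paragraphs, remove the space in both.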
