Commit 3763660

Update ruleset.xml
2 parents 66e3dc5 + 7baf8f8 commit 3763660

1 file changed

+49
-1
lines changed

.config/pmd/java/ruleset.xml

Lines changed: 49 additions & 1 deletion
@@ -195,7 +195,55 @@
195195

196196
<rule ref="category/java/security.xml"/>
197197

198-
<rule name="VaadinNativeHTMLUnsafe"
198+
<rule name="AvoidSystemSetterCall"
199+
language="java"
200+
message="Setters of java.lang.System should not be called unless really needed"
201+
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
202+
<description>
203+
Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
204+
For example, it may break when multiple Threads are setting the value.
205+
It may also overwrite user defined options or properties.
206+
207+
Try to pass the value only to the place where it's really needed and use it there accordingly.
208+
</description>
209+
<priority>3</priority>
210+
<properties>
211+
<property name="xpath">
212+
<value>
213+
<![CDATA[
214+
//MethodCall[starts-with(@MethodName,'set')]/TypeExpression[pmd-java:typeIsExactly('java.lang.System')]
215+
]]>
216+
</value>
217+
</property>
218+
</properties>
219+
</rule>
220+
221+
<rule name="JavaObjectSerializationIsUnsafe"
222+
language="java"
223+
message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
224+
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
225+
<description>
226+
Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
227+
Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
228+
229+
Java Object Serialization may also fail to deserialize when the underlying classes are changed.
230+
231+
Use proven data interchange formats like JSON instead.
232+
</description>
233+
<priority>2</priority>
234+
<properties>
235+
<property name="xpath">
236+
<value>
237+
<![CDATA[
238+
//ClassDeclaration[@Interface = false()]/ClassBody/FieldDeclaration/VariableDeclarator/VariableId[@Name='serialVersionUID'] |
239+
//ConstructorCall/ClassType[pmd-java:typeIsExactly('java.io.ObjectInputStream') or pmd-java:typeIsExactly('java.io.ObjectOutputStream')]
240+
]]>
241+
</value>
242+
</property>
243+
</properties>
244+
</rule>
245+
246+
<rule name="VaadinNativeHTMLIsUnsafe"
199247
language="java"
200248
message="Unescaped native HTML is unsafe and will result in XSS vulnerabilities"
201249
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule" >
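Review bot: The first branch of the JavaObjectSerializationIsUnsafe XPath (new line 238) reports every non-interface class that declares a `serialVersionUID` field, which is a proxy for "implements Serializable" rather than for any deserialization actually taking place: classes that must be Serializable for framework reasons (Vaadin components, exceptions, session attributes) will be flagged at priority 2 even if nothing ever reads them from an ObjectInputStream, while a Serializable class that omits the field is not flagged at all, and PMD's own errorprone MissingSerialVersionUID rule, if enabled elsewhere in this ruleset, pushes in the opposite direction. Consider dropping that branch and keeping only the constructor match on line 239, and there use `pmd-java:typeIs` rather than `typeIsExactly` so that subclasses of ObjectInputStream/ObjectOutputStream are caught as well; the description should also say how a reviewed, intentional use is meant to be suppressed. Separately, renaming VaadinNativeHTMLUnsafe to VaadinNativeHTMLIsUnsafe (old line 198 / new line 246) silently invalidates existing `@SuppressWarnings("PMD.VaadinNativeHTMLUnsafe")` and NOPMD suppressions that reference the old name; either keep the old name or call the rename out in the commit message.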
