AWS CloudFormation Linter

Audit: Biometric authentication should always be used with a cryptographic objectJAVA-A1030 Audit: XMLReader may be vulnerable to XXE attacksJAVA-A1060 Non-constant string passed to `execute` or `addBatch` method on an SQL statementJAVA-S0082 Audit: `DocumentBuilder` may be vulnerable to XXE attacksJAVA-A1052 Prepared statements must not be generated from dynamically created stringsJAVA-S0083 Spring password storage must use a strong hashing functionJAVA-S1018 `equals` method does not handle null valued operandsJAVA-S0110 Reference to mutable object which is returned may expose internal representation of dataJAVA-S0132 Nullable parameters should be checked for null before useJAVA-E1067 Reference to externally mutable object stored as internal stateJAVA-S0133 Servlets should not use mutable fields without synchronizationJAVA-E0128 Audit: Broadcasting intents without specifying a target package or receiver permission may be a security riskJAVA-A1023 Prepared statements must not be generated from dynamically created stringsJAVA-S1016 XMLStreamReaders must be secureJAVA-S1009 `equals` method does not handle null valued operandsJAVA-E0110 `StringBuffer`/`StringBuilder` constructors should not be passed characters as the first argumentJAVA-E1023 Cipher does not support integrity verificationJAVA-S1005 XSSRequestWrapper must not be usedJAVA-S1007 Custom hashing algorithms must not be usedJAVA-S1008 NullCipher must not be used outside of testsJAVA-S1010 Sockets must be secureJAVA-S1011 A TrustManager/HostnameVerifier that accepts all certificates is a security riskJAVA-S1002 Disabling escaping of special characters in templates is a security riskJAVA-S1025 LDAP object deserialization is a security riskJAVA-S1026 Audit: log4j version used could lead to remote code executionJAVA-A1022 Loops must terminate by some meansJAVA-S0024 LDAP connections should be authenticatedJAVA-S1020 SSLContext instances should not be constructed using "SSL"JAVA-A1059 Audit: Thread.sleep() call may be at risk of DoS attackJAVA-A1056 Spring sessions must not be retained across user loginsJAVA-S1017 Audit: MongoDB queries using operators like `$where` may be a security riskJAVA-A1054 Possible null accessJAVA-E1083 Possible null access due to exception handlingJAVA-E1084 Arguments to `Collections.nCopies()` should be in the correct orderJAVA-E1090 Unsynchronized lazy initialization of static value detectedJAVA-E1053 Avoid throwing `null`JAVA-E1097 Methods annotated as non-nullable should not return null valuesJAVA-E1095 `Hashtable/ConcurrentHashMap.contains()` checks for whether a value exists, not keysJAVA-E1098 Insecure RandomUtil implementations must not be usedJAVA-S1036 Spring component introduces unmanaged stateJAVA-S1060 Request handler method accepts persistent object as argumentJAVA-S1061 SAML comment parsing should be disabledJAVA-S1062 `getRequestSessionId` should not be usedJAVA-S1063 Audit: User input should not directly be used in network callsJAVA-A1034 Audit: Web views should not have access to filesJAVA-A1028 Audit: Enabling JavaScript within a web view is a security riskJAVA-A1029 Audit: File can be modified or read by any userJAVA-A1038 Audit: Hibernate query may be vulnerable to injection attacksJAVA-A1040 Audit: Prepared query may be susceptible to injection attacksJAVA-A1041 Audit: SQL query may be susceptible to injection attacksJAVA-A1042 Audit: `Runtime.exec()` call may be susceptible to injection attacksJAVA-A1057 Audit: Amazon SimpleDB queries should not be susceptible to injection attacksJAVA-A1058 Audit: File is set as world readable or writableJAVA-A1039 Local variable is never written toJAVA-E1064 Non-final static fields should not be publicJAVA-S1050 Loops must terminate by some meansJAVA-E1046 Thread instances should not be used to call static methods of ThreadJAVA-E1062 Private field is never initializedJAVA-E1065 NullPointerException should not be caughtJAVA-E1070 removeAll should not be used to clear a collectionJAVA-P1005 `@RequestMapping` must restrict the allowed HTTP methodsJAVA-S1065 SecureRandom seeds must not be predictableJAVA-S1031 SMTP configurations should check SSL certificates for authenticityJAVA-S1033 Paths in chained `antMatchers` invocations are not ordered by specificityJAVA-S1064 Persistent objects should not be returned from methodsJAVA-S1066 Audit: Setting bean properties with unsanitized input may be a security riskJAVA-A1027 Audit: Including request data within HTML response strings may lead to XSS attacksJAVA-A1035 JWTs should be checked for authenticity and integrityJAVA-S1048 Avoid catching assertions in testsJAVA-W1076 Invalid values for `java.time` constants will always throw a `DateTimeException`JAVA-E1099 Injected fields should not be assigned in injection constructorsJAVA-W1079 Incorrect main method signature detectedJAVA-E1105 Deprecated `HttpClient` implementations should not be usedJAVA-S1067 Iterator `next` method must throw `NoSuchElementException`JAVA-S0146 `synchronized` block is emptyJAVA-W0151 For loop appears to check one variable and increment anotherJAVA-S0214 Boolean expression LHS/RHS with bitwise OR will never be equal to a constant RHS/LHSJAVA-E1073 Random instances should be reusedJAVA-W1015 Do not synchronize on the result of `getClass()`JAVA-E1021 For loop appears to check one variable and increment anotherJAVA-E0214 Using week year (YYYY) in place of year (yyyy) may produce incorrect resultsJAVA-E1006 `@SpringBootApplication`/`@ComponentScan` annotations must not be used in the default packageJAVA-E1009 Consumed streams must not be reusedJAVA-E1019 Unsupported JDK-internal APIs should not be usedJAVA-E1030 Inefficient use of `toArray` with non-zero sized array argumentJAVA-P0335 Iterator `next` method should throw `NoSuchElementException`JAVA-W0146 Map compute methods cannot be used to create null valued entriesJAVA-W1011 Audit: Unsafe Jackson deserialization configurations should not be usedJAVA-A1024 Audit: Double checked locking is not safeJAVA-E1018 Static methods should be accessed using the class instanceJAVA-W1029 Static fields of the parent class should not be accessed through child class instancesJAVA-W1030 `equals()` method parameters should not be marked with `@NotNull` or equivalent annotationsJAVA-W1028 Basic authorization is a security riskJAVA-S1019 Sealed class/interface permitted types need not be listed if they are declared in the same fileJAVA-W1031 Boxed Boolean values should not be used in conditional expressionsJAVA-E1054 @NoAllocation annotated methods should not create new objectsJAVA-E1059 Conditions should not contain assignmentsJAVA-W1034 `ZoneId.of()` should be passed a valid timezone identifierJAVA-E1092 Iterators should not be invalidated while in scopeJAVA-E1085 `@Inject` detected on a final fieldJAVA-W1071 Detected use of the `Date` APIJAVA-W1072 `Instant` should not be passed unsupported temporal unit typesJAVA-E1094 Multiple `@Inject` constructors foundJAVA-W1074 Mutable data passed in to nonpublic field may be externally modifiableJAVA-E1086 `Class.isInstance()` should not be called on a `Class` objectJAVA-E1091 Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-E1051 Public fields should not be synchronized onJAVA-E1061 `readResolve` must return `Object`JAVA-E1032 Unused private field detectedJAVA-W1025 Detected synchronization on string literalJAVA-E1081 Method can be declared staticJAVA-W1057 `TimeZone.getTimeZone` should be passed correct timezone IDsJAVA-E1093 `Iterable<Path>` is errorprone and should be replaced with `Collection<Path>`JAVA-E1096 Use of `@Nonnull`, `@CheckForNull`, or `@Nullable` detected on primitive declarationJAVA-W1063 Do not call hashCode directly on an array classJAVA-E1044 String.indexOf's arguments should not be reversedJAVA-E1089 Abstract or default method annotated with `@Inject`JAVA-W1075 `serialVersionUID` should be correctly declaredJAVA-E1042 Double assignment of variable detectedJAVA-E1063 Constructor must not be marked with nullable annotationsJAVA-W1070 Switch case without appropriate control flow breakJAVA-A1068 Redundant boolean literalJAVA-W1064 `ZoneId.of("Z")` should be replaced with `ZoneOffset.UTC`JAVA-W1085 Multiple variables declared on the same lineJAVA-C1003 Loop conditions should be true at least onceJAVA-E1045 Redundant type checkJAVA-W1021 Type names must begin with an uppercase letterJAVA-C1001 Wrong argument order in test assertionsJAVA-C1002 `Double`/`Float` comparison with `NaN` will always return `false`JAVA-E1031 Custom serialization method is declared with an incorrect signatureJAVA-E1033 Serializable class with non-serializable superclass and no default constructor detectedJAVA-E1034 Wrong argument type for Collection remove methodJAVA-E1036 Collection type is unsafely downcast to a concrete classJAVA-E1037 Annotation check will always return falseJAVA-E1039 Interface is unimplementableJAVA-E1041 Enum fields should not be mutableJAVA-E1069 The `%` operator has higher precedence than the `*` operatorJAVA-E1080 Missing enum elements in switch casesJAVA-E1082 Inefficient `OutputStream` implementationJAVA-P1002 Mutable fields should not directly be returnedJAVA-S1049 Type parameter shadows another typeJAVA-W1017 Variable is checked for `null` twiceJAVA-W1068 Zip entries should not be emptyJAVA-W1023 `toString()` may not work as expected for array typesJAVA-W1027 Classes that contain only static members should not be instantiatedJAVA-W1035 Local variables should not be assigned in return statementsJAVA-W1037 Anonymous classes should not contain unused non-overridden methodsJAVA-W1039 Overly generic exceptions should not be thrownJAVA-W1042 `instanceof` check with a known null value will always return falseJAVA-W1044 Interface only declares static final fieldsJAVA-W1059 Static field accessed before being writtenJAVA-W1060 `@Expensive`/`@WorkerThread` annotated method should not override unannotated super methodJAVA-W1061 Wrong thread for swing method invocationJAVA-W1062 Concrete collection type used in method declarationJAVA-W1065 Method returning collection/array type returns `null` insteadJAVA-W1066 Redundant cast of return valueJAVA-W1067 Primitive values don't need to be compared with `Object.equals()`JAVA-W1080 Inject annotations on abstract class constructors have no effectJAVA-W1084 Methods should not have different nullability than their super methodsJAVA-E1100 Returned `Future`s should not be ignoredJAVA-W1087 Unnecessary imports detectedJAVA-W1069 Use `assertNull`/`NotNull` instead of `assertEquals`/`notEquals` to assert nullityJAVA-W1091 `@Deprecated` should not be applied to local variables or parametersJAVA-W1082 `readResolve` should be protected for non-final classesJAVA-W1097 Use `existsById` instead of `findById` to check for the existence of an entityJAVA-W1090 `switch` statements with only 2 branches should be `if` statements insteadJAVA-W1086 @VisibleForTesting/@TestOnly annotated methods/constructors should not be used in non-test codeJAVA-A1067 `getClass` should not be used with enums whose members have custom bodiesJAVA-E1106 Avoid using deprecated `Thread` methodsJAVA-E1107 `String.substring()` call with single `0` index foundJAVA-W1077 Avoid using a single unescaped `.` as a regex patternJAVA-W1078 Synchronization performed on a concurrency primitive objectJAVA-E0321 Abstract class constructors should not be publicJAVA-W1094 Closeable values should not be injected via `@Provides` annotated methodsJAVA-E1103 CacheLoader implementation `load` method should not return `null`JAVA-E1104 `BigDecimal.equals()` may produce unintended resultsJAVA-W1083 Catch blocks should be reachableJAVA-W1092 Avoid assertions within `Runnable`sJAVA-W1096 Calls to assertion chain methods should be terminated with an assertionJAVA-E1109 `readObject` should not be synchronizedJAVA-W1093 Avoid using `ThreadGroup` methodsJAVA-E1108 Absolute paths should not be hard codedJAVA-W0406 JUnit5 test classes and methods should be package-privateJAVA-W1058 Method superfluously delegates to parent class methodJAVA-W1016 Type bound extends final typeJAVA-W1018 For loop can be converted into a foreach loopJAVA-W1089 Test files should contain testsJAVA-W1088 Attempt to close a null value detectedJAVA-S0250 Value is always nullJAVA-S0249 Maps and Sets of URLs can be performance hogsJAVA-S0057 Impossible downcast of `toArray()` result detectedJAVA-S0386 `IllegalMonitorStateException`s should not be handledJAVA-S0040 Database resource may not be closed on returnJAVA-S0326 Possible database resource leak detectedJAVA-S0327 `readLine()` result is read without a null checkJAVA-S0220 Possibly null fields should not be synchronized onJAVA-E1060 Incorrect combination of `Math.max` and `Math.min`JAVA-S0080 Stream does not appear to be closed after useJAVA-S0268 Clone method does not invoke super methodJAVA-S0048 Static initializer creates instance before all static final fields are assignedJAVA-S0267 Value is guaranteed to be accessed while null after an exception is thrownJAVA-S0266 Stream may be left unclosedJAVA-S0269 No relationship between the generic parameter of the called method and its argumentJAVA-S0421 Sequence of operations on a concurrent abstraction may not be atomicJAVA-S0447 `System.runFinalizersOnExit`/`Runtime.runFinalizersOnExit` are unsafe and must not be usedJAVA-E0061 Class extends Servlet class and uses instance variablesJAVA-S0370 Synchronization performed on a util.concurrent `Lock` objectJAVA-S0321 Overwriting a method parameter will not modify the original objectJAVA-S0352 Waiting with two locks held is likely to cause a deadlockJAVA-E0139 `wait`/`notify` called without synchronization on an objectJAVA-E0288 Cookies must not be insecureJAVA-S1003 Avoid using `equals` to compare against `null`JAVA-E0051 Incorrect combination of `Math.max` and `Math.min`JAVA-E0080 `IllegalMonitorStateException`s should not be handledJAVA-E0040 Self assignment of local variable detectedJAVA-E0291 Clone method does not invoke super methodJAVA-E0048 Finalizers must not be explicitly invokedJAVA-E0094 `readLine` result is read without a null checkJAVA-E0220 Method attempts to access a result set field with index 0JAVA-E0343 Method attempts to set a prepared statement parameter with index 0JAVA-E0344 Impossible downcast of `toArray` result detectedJAVA-E0386 Invalid regex syntax must not be usedJAVA-E0394 Iterator `hasNext` should not invoke `next`JAVA-E0409 A syntax error was foundJAVA-E1000 Bad short-circuiting null checkJAVA-E1003 Methods must not unconditionally call themselvesJAVA-E1017 Indices must not be out of boundsJAVA-E1020 `Optional` values must never be `null`JAVA-E1022 Whitespace characters must always be escapedJAVA-E1029 Maps and Sets of URLs can be performance hogsJAVA-P0057 `Pattern.compile()` should not be called in a loopJAVA-P0331 Overly permissive CORS policies are a security riskJAVA-S1000 Servlet does not sanitize path names from HTTP requestsJAVA-S1001 CBC and ECB modes are insecureJAVA-S1004 Insecure encryption algorithm detectedJAVA-S1012 RSA without padding is insecureJAVA-S1013 RSA keys must be at least 2048 bits longJAVA-S1014 Blowfish keys must be at least 128 bits longJAVA-S1015 Finalizer method should be protected, not public or privateJAVA-W0089 Insecure hash algorithm usage with passwords detectedJAVA-S1006 Database password field is emptyJAVA-S0014 Method with `Optional` return type must not return `null`JAVA-S0031 Method does not check if an argument is nullJAVA-S0109 Prepared statements should not be created within a loopJAVA-S0329 Local variable that shadows field is written to but not read fromJAVA-S0353 Class extends Servlet class and uses instance variablesJAVA-E0370 Switch blocks must not contain statement labelsJAVA-E1005 Insecure network protocols must not be usedJAVA-S1021 Nullable value stored to non-null fieldJAVA-E1071 Collections should not contain themselvesJAVA-E1076 Prepared statements should not be created within a loopJAVA-P1003 Storing an externally mutable value into a private static field may expose internal stateJAVA-S0134 Public static method returns freely modifiable array that may expose internal stateJAVA-S0131 `BigDecimal` constructed from `double` may be impreciseJAVA-S0008 Inefficient use of keySet iterator instead of entrySet iteratorJAVA-S0361 `System.exit()` should only be invoked within application entry pointsJAVA-S0060 `Thread` passed where `Runnable` expectedJAVA-S0056 `toString` invoked on a string value is uselessJAVA-S0064 `Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-S0066 `Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-S0067 `Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-S0068 Use `""` instead of `new String()` to create empty stringsJAVA-S0063 Inefficient use of `String` constructorJAVA-S0062 Increment of volatile field is not atomicJAVA-S0028 Adding elements of an entry set may fail due to reuse of `Entry` objectsJS0425 Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-S0065 Repeated conditional test on the same variable detectedJAVA-S0034 Elements accessed from volatile reference to an array are not volatileJAVA-S0027 Method may ignore exceptionsJAVA-S0052 Invocation of `equals()` on an array, which is equivalent to `==`JAVA-S0348 Use of member identifier that is a keyword in later Java versionsJAVA-S0050 Fields of immutable classes should be finalJAVA-E0055 Collections should not be added to themselvesJAVA-E1077 Array elements should match the runtime type of the arrayJAVA-E1079 String concatenation using `+` within loops is costly and should be replaced by a `StringBuffer`/`StringBuilder`JAVA-P1006 Imprecise redefinition of library constantJAVA-W1033 Empty catch clauses may hide exceptionsJAVA-E0052 Boxed primitives should not be synchronized onJAVA-E0150 `Thread.sleep()` should not be called while a lock is heldJAVA-E0410 Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-E0135 Elements accessed from volatile reference to an array are not volatileJAVA-E0027 Invocation of `equals` on an array, which is equivalent to `==`JAVA-E0348 Use of identifier that is a keyword in later Java versionsJAVA-W0050 Finalizers are deprecated since Java 9JAVA-W0088 `equals` always returns `false`JAVA-W0107 Unsafe usage of `getResource`JAVA-E0029 Monitor `wait` must not be used on a `Condition`JAVA-E0078 `equals` always returns `true`JAVA-W0106 C style array declaration syntax must not be usedJAVA-C1000 Increment of volatile field is not atomicJAVA-E0028 Arguments of binary expressions must not be duplicatedJAVA-E0034 `Thread` passed where `Runnable` expectedJAVA-E0056 Use `""` instead of `new String()` to create empty stringsJAVA-P0063 `equals` method defined for enumerationJAVA-E0096 `equals` method is overloaded but not overriddenJAVA-E0098 `equals` method inherits parent class implementation instead of overriding `Object.equals`JAVA-E0099 `compareTo`/`compare` returns `Integer.MIN_VALUE`JAVA-E0112 Classes should not have the same name as any of their superclasses or implemented interfacesJAVA-E0169 Return value of `InputStream.read()` should not be ignoredJAVA-E0183 Return value of `InputStream.skip` should not be ignoredJAVA-E0184 Constructor of non-final class starts a threadJAVA-E0208 Increment/decrement performed during assignment expression to same variable will be lostJAVA-E0396 Shift amounts outside the valid range may produce unexpected resultsJAVA-E0399 Oddness check using `x % 2 == 1` will not work for negative numbersJAVA-E0405 Arguments to String.format must match the provided format stringJAVA-E1001 `toString` invoked on a string value is uselessJAVA-P0064 Jump statements must not be used within `finally` blocksJAVA-E1007 Case insensitive regex does not properly handle Unicode inputJAVA-E1010 Objects should not be compared to themselves within assertionsJAVA-E1012 Optional values must be checked before being accessedJAVA-E1013 `Iterable` objects must not return `this` in `iterator()` methodJAVA-E1015 `setUp` and `tearDown` methods must be properly annotatedJAVA-E1028 Inefficient use of `String` constructorJAVA-P0062 Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-P0065 `Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-P0066 `Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-P0067 `Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-P0068 Non-null boxed types are inefficientJAVA-P1000 Use `String.replace()` instead of `String.replaceAll()` for simple text patternsJAVA-P1001 `Thread` with empty `run` method is uselessJAVA-W0084 `BigDecimal` constructed from `double` may be impreciseJAVA-W0008 Maximum pool size of `ScheduledThreadPoolExecutor` cannot be changedJAVA-W0012 Empty catch clauses may hide exceptionsJAVA-W0052 `System.exit()` should only be invoked within application entry pointsJAVA-W0060 `equals` checks for incompatible operandJAVA-W0095 Class doesn't override `equals` from superclassJAVA-W0100 Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-W0135 Possibly useful method return value is ignoredJAVA-W0243 References should not be compared with `==`/`!=`JAVA-W0280 File path does not match declared packageJAVA-W1001 Exceptions must not be thrown in finalizersJAVA-W1002 Collection and array length checks must be sensibleJAVA-W1005 Fields must not shadow other fields with the same name from super classesJAVA-W1007 JUnit test class overrides `setUp` but does not invoke `super.setUp()`JAVA-S0337 `@OverridingMethodsMustInvokeSuper` annotation in super method is ignored by overriding methodJAVA-S0001 A call has been made to an unsupported methodJAVA-S0013 `Boolean` method may return `null`JAVA-S0030 Empty zip file entries should not be createdJAVA-S0038 Empty jar file entries should not be createdJAVA-S0039 Class implements `Cloneable` but has not overridden the `clone` methodJAVA-S0046 Class defines `clone` but does not inherit from `Cloneable`JAVA-S0047 Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-S0153 Synchronization on a nonfinal field is dangerous and error-proneJAVA-S0154 Value assigned is overwritten due to switch fall throughJAVA-S0197 `Random` object is used only once, then discardedJAVA-S0301 Assertion possibly occurs in a non-test threadJAVA-S0336 JUnit test class overrides `tearDown` but does not invoke `super.tearDown()`JAVA-S0338 Arrays are not equal to non-array valuesJAVA-S0347 `equals` can't be used to compare arrays of different typesJAVA-S0349 Wait/notify must not be called on a Thread objectJAVA-E1004 Overwriting a method parameter will not modify the original objectJAVA-E0352 Inefficient use of keySet iterator instead of entrySet iteratorJAVA-P0361 Malformed JavaDoc commentJAVA-D1007 `Duration.withNanos()` may not produce correct resultsJAVA-E1087 Parameter tag has no descriptionJAVA-D1005 JavaDoc tags should not be emptyJAVA-D1006 Unmatched Parameter tag foundJAVA-D1004 Getter and setter method synchronization does not matchJAVA-E1074 Thread.currentThread() should not be used to call Thread's static methodsJAVA-W1038 Non-thread-safe date/time fields should not be public and staticJAVA-E1024 Call to unsupported method detectedJAVA-E1048 Private fields which are only set to null should be removedJAVA-E1066 Random value in range 0 to 1 is coerced to integer 0JAVA-E1068 Calling String.indexOf() with a single character string is inefficientJAVA-P1004 Expensive methods should not be invoked from performance critical threadsJAVA-P1007 Object should not be passed where a generic type is expectedJAVA-W1036 Bitwise operations should not be checked for signJAVA-W1043 Negating the result of `compareTo`/`compare` may have unexpected resultsJAVA-W1048 Boxed primitives will be unboxed and coerced to a common type in ternary operationJAVA-W1055 Class overrides `compareTo()` but not `equals()`JAVA-W1056 Downcast may flip integer sign in comparator methodJAVA-E1102 Primitive value is boxed, then unboxed to perform primitive coercionJAVA-W1081 Class overrides `TestCase` but has no test methodsJAVA-S0341 Primitives do not need to be boxed for comparisonJAVA-W1050 Object appears to have been created for no reasonJAVA-S0235 Class is not an Exception/Throwable, even though it is named as suchJAVA-S0182 Private method is never calledJAVA-S0324 `Object.getClass` does not need to be invoked on an instantiated objectJAVA-W0077 Method uses the same code for two switch clausesJAVA-S0412 Useless control flow detectedJAVA-W1047 Useless unboxing of a valueJAVA-W1052 Protected fields in a final class are uselessJAVA-W0417 Format strings should use `%n` instead of `\\n`JAVA-W0379 The default case should be last within a switch blockJAVA-W1010 Private method is never calledJAVA-W0324 Method uses the same code for multiple branchesJAVA-W0411 Getter/setter names must be appropriateJAVA-E1014 Class overrides `hashCode` but not `equals`JAVA-W0117 Finalizer nulls fieldsJAVA-W0087 Empty finalizer methods should be deletedJAVA-W0090 Class is not an Exception/Throwable, even though it is named as suchJAVA-W0182 Method uses the same code for two switch clausesJAVA-W0412 Exception classes must be named appropriatelyJAVA-W1000 Methods must not be emptyJAVA-W1004 Method and field names must be dissimilarJAVA-W1006 Hashcode must be implemented along with EqualsJAVA-W0116 Float precision math may be impreciseJAVA-S0041 Class is Serializable, but doesn't define `serialVersionUID`JAVA-S0193 Case conversion may not work as expected for international characters without specifying the encodingJAVA-S0069 Serializable class with non-serializable super class having no void constructor detectedJAVA-S0192 Useless increment in return statementJAVA-S0356 Float comparison with `NaN` will always failJAVA-S0364 Method superfluously delegates to parent class methodJAVA-S0415 Floating point values should not be compared with relational operators in comparison methodsJAVA-W1032 Undocumented class foundJAVA-D1000 Undocumented constructor foundJAVA-D1002 Undocumented declaration foundJAVA-D1003 Non-static nested class foundJAVA-W1019 Local variable is assigned null value and not read afterJAVA-W1040 Needless boxing of a primitive only to call `toString`JAVA-W1049 Boxing a value is redundant if it is immediately unboxedJAVA-W1051 Undocumented method foundJAVA-D1001 Function with cyclomatic complexity higher than threshold foundJAVA-R1000

JAVA-S1001

Servlet does not sanitize path names from HTTP requestsJAVA-S1001

Critical

Security

a03, a01, cwe-22, cwe-732, security, cwe-23, sans-top-25, owasp-top-10

This servlet uses an HTTP request parameter to construct a path. While this action may mean to access only one directory in the server's file system, it does not properly neutralize sequences such as ".." that can resolve to a location that is outside that directory.

Consider a servlet that takes GET or POST requests in the following form:

http://example.com.br/get-files?file=report.pdf

If the servlet processes the request by simply appending the file name to a predefined path, accessing the file system through that path will be susceptible to relative path modification attacks:

Bad Practice

String BASE_PATH = "/home/users/";
String userName = ...; // From a database, possibly.
// Expands to: "/home/users/username/filename"
String filePath = BASE_PATH + userName + "/" + request.getParameter(REQUEST_PARAMETER);
// ...

REQUEST_PARAMETER can be used to access files from other usernames by using a relative path:

http://example.com.br/get-files?file=../some_other_username/filename.txt

The requested file name will be appended and interpreted as the following malicious path:

/home/users/username/../some_other_username/filename.txt

Or, canonically:

/home/users/some_other_username/filename.txt

This is a serious security risk since it allows users to steal others' information.

Recommended

There are multiple ways to resolve this. For example, efforts could be made to:

Sanitize url parameters to ensure they do not contain malicious inputs
Assign directory permissions of users in such a way that this type of attack cannot occur
Check the user id when reading data related to that id

References

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory
CWE-23 - Relative Path Traversal
CWE-732 - Incorrect Permission Assignment for Critical Resource
OWASP Top Ten (2021) - Category A01 - Broken Access Control
OWASP Top Ten (2021) - Category A03 - Injection
Spotbugs - PT_RELATIVE_PATH_TRAVERSAL