AWS CloudFormation Linter

Audit: Biometric authentication should always be used with a cryptographic objectJAVA-A1030 Audit: XMLReader may be vulnerable to XXE attacksJAVA-A1060 Non-constant string passed to `execute` or `addBatch` method on an SQL statementJAVA-S0082 Audit: `DocumentBuilder` may be vulnerable to XXE attacksJAVA-A1052 Prepared statements must not be generated from dynamically created stringsJAVA-S0083 Spring password storage must use a strong hashing functionJAVA-S1018 `equals` method does not handle null valued operandsJAVA-S0110 Reference to mutable object which is returned may expose internal representation of dataJAVA-S0132 Nullable parameters should be checked for null before useJAVA-E1067 Reference to externally mutable object stored as internal stateJAVA-S0133 Servlets should not use mutable fields without synchronizationJAVA-E0128 Audit: Broadcasting intents without specifying a target package or receiver permission may be a security riskJAVA-A1023 Prepared statements must not be generated from dynamically created stringsJAVA-S1016 XMLStreamReaders must be secureJAVA-S1009 `equals` method does not handle null valued operandsJAVA-E0110 `StringBuffer`/`StringBuilder` constructors should not be passed characters as the first argumentJAVA-E1023 Cipher does not support integrity verificationJAVA-S1005 XSSRequestWrapper must not be usedJAVA-S1007 Custom hashing algorithms must not be usedJAVA-S1008 NullCipher must not be used outside of testsJAVA-S1010 Sockets must be secureJAVA-S1011 A TrustManager/HostnameVerifier that accepts all certificates is a security riskJAVA-S1002 Disabling escaping of special characters in templates is a security riskJAVA-S1025 LDAP object deserialization is a security riskJAVA-S1026 Audit: log4j version used could lead to remote code executionJAVA-A1022 Loops must terminate by some meansJAVA-S0024 LDAP connections should be authenticatedJAVA-S1020 SSLContext instances should not be constructed using "SSL"JAVA-A1059 Audit: Thread.sleep() call may be at risk of DoS attackJAVA-A1056 Spring sessions must not be retained across user loginsJAVA-S1017 Audit: MongoDB queries using operators like `$where` may be a security riskJAVA-A1054 Possible null accessJAVA-E1083 Possible null access due to exception handlingJAVA-E1084 Arguments to `Collections.nCopies()` should be in the correct orderJAVA-E1090 Unsynchronized lazy initialization of static value detectedJAVA-E1053 Avoid throwing `null`JAVA-E1097 Methods annotated as non-nullable should not return null valuesJAVA-E1095 `Hashtable/ConcurrentHashMap.contains()` checks for whether a value exists, not keysJAVA-E1098 Insecure RandomUtil implementations must not be usedJAVA-S1036 Spring component introduces unmanaged stateJAVA-S1060 Request handler method accepts persistent object as argumentJAVA-S1061 SAML comment parsing should be disabledJAVA-S1062 `getRequestSessionId` should not be usedJAVA-S1063 Audit: User input should not directly be used in network callsJAVA-A1034 Audit: Web views should not have access to filesJAVA-A1028 Audit: Enabling JavaScript within a web view is a security riskJAVA-A1029 Audit: File can be modified or read by any userJAVA-A1038 Audit: Hibernate query may be vulnerable to injection attacksJAVA-A1040 Audit: Prepared query may be susceptible to injection attacksJAVA-A1041 Audit: SQL query may be susceptible to injection attacksJAVA-A1042 Audit: `Runtime.exec()` call may be susceptible to injection attacksJAVA-A1057 Audit: Amazon SimpleDB queries should not be susceptible to injection attacksJAVA-A1058 Audit: File is set as world readable or writableJAVA-A1039 Local variable is never written toJAVA-E1064 Non-final static fields should not be publicJAVA-S1050 Loops must terminate by some meansJAVA-E1046 Thread instances should not be used to call static methods of ThreadJAVA-E1062 Private field is never initializedJAVA-E1065 NullPointerException should not be caughtJAVA-E1070 removeAll should not be used to clear a collectionJAVA-P1005 `@RequestMapping` must restrict the allowed HTTP methodsJAVA-S1065 SecureRandom seeds must not be predictableJAVA-S1031 SMTP configurations should check SSL certificates for authenticityJAVA-S1033 Paths in chained `antMatchers` invocations are not ordered by specificityJAVA-S1064 Persistent objects should not be returned from methodsJAVA-S1066 Audit: Setting bean properties with unsanitized input may be a security riskJAVA-A1027 Audit: Including request data within HTML response strings may lead to XSS attacksJAVA-A1035 JWTs should be checked for authenticity and integrityJAVA-S1048 Avoid catching assertions in testsJAVA-W1076 Invalid values for `java.time` constants will always throw a `DateTimeException`JAVA-E1099 Injected fields should not be assigned in injection constructorsJAVA-W1079 Incorrect main method signature detectedJAVA-E1105 Deprecated `HttpClient` implementations should not be usedJAVA-S1067 Iterator `next` method must throw `NoSuchElementException`JAVA-S0146 `synchronized` block is emptyJAVA-W0151 For loop appears to check one variable and increment anotherJAVA-S0214 Boolean expression LHS/RHS with bitwise OR will never be equal to a constant RHS/LHSJAVA-E1073 Random instances should be reusedJAVA-W1015 Do not synchronize on the result of `getClass()`JAVA-E1021 For loop appears to check one variable and increment anotherJAVA-E0214 Using week year (YYYY) in place of year (yyyy) may produce incorrect resultsJAVA-E1006 `@SpringBootApplication`/`@ComponentScan` annotations must not be used in the default packageJAVA-E1009 Consumed streams must not be reusedJAVA-E1019 Unsupported JDK-internal APIs should not be usedJAVA-E1030 Inefficient use of `toArray` with non-zero sized array argumentJAVA-P0335 Iterator `next` method should throw `NoSuchElementException`JAVA-W0146 Map compute methods cannot be used to create null valued entriesJAVA-W1011 Audit: Unsafe Jackson deserialization configurations should not be usedJAVA-A1024 Audit: Double checked locking is not safeJAVA-E1018 Static methods should be accessed using the class instanceJAVA-W1029 Static fields of the parent class should not be accessed through child class instancesJAVA-W1030 `equals()` method parameters should not be marked with `@NotNull` or equivalent annotationsJAVA-W1028 Basic authorization is a security riskJAVA-S1019 Sealed class/interface permitted types need not be listed if they are declared in the same fileJAVA-W1031 Boxed Boolean values should not be used in conditional expressionsJAVA-E1054 @NoAllocation annotated methods should not create new objectsJAVA-E1059 Conditions should not contain assignmentsJAVA-W1034 `ZoneId.of()` should be passed a valid timezone identifierJAVA-E1092 Iterators should not be invalidated while in scopeJAVA-E1085 `@Inject` detected on a final fieldJAVA-W1071 Detected use of the `Date` APIJAVA-W1072 `Instant` should not be passed unsupported temporal unit typesJAVA-E1094 Multiple `@Inject` constructors foundJAVA-W1074 Mutable data passed in to nonpublic field may be externally modifiableJAVA-E1086 `Class.isInstance()` should not be called on a `Class` objectJAVA-E1091 Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-E1051 Public fields should not be synchronized onJAVA-E1061 `readResolve` must return `Object`JAVA-E1032 Unused private field detectedJAVA-W1025 Detected synchronization on string literalJAVA-E1081 Method can be declared staticJAVA-W1057 `TimeZone.getTimeZone` should be passed correct timezone IDsJAVA-E1093 `Iterable<Path>` is errorprone and should be replaced with `Collection<Path>`JAVA-E1096 Use of `@Nonnull`, `@CheckForNull`, or `@Nullable` detected on primitive declarationJAVA-W1063 Do not call hashCode directly on an array classJAVA-E1044 String.indexOf's arguments should not be reversedJAVA-E1089 Abstract or default method annotated with `@Inject`JAVA-W1075 `serialVersionUID` should be correctly declaredJAVA-E1042 Double assignment of variable detectedJAVA-E1063 Constructor must not be marked with nullable annotationsJAVA-W1070 Switch case without appropriate control flow breakJAVA-A1068 Redundant boolean literalJAVA-W1064 `ZoneId.of("Z")` should be replaced with `ZoneOffset.UTC`JAVA-W1085 Multiple variables declared on the same lineJAVA-C1003 Loop conditions should be true at least onceJAVA-E1045 Redundant type checkJAVA-W1021 Type names must begin with an uppercase letterJAVA-C1001 Wrong argument order in test assertionsJAVA-C1002 `Double`/`Float` comparison with `NaN` will always return `false`JAVA-E1031 Custom serialization method is declared with an incorrect signatureJAVA-E1033 Serializable class with non-serializable superclass and no default constructor detectedJAVA-E1034 Wrong argument type for Collection remove methodJAVA-E1036 Collection type is unsafely downcast to a concrete classJAVA-E1037 Annotation check will always return falseJAVA-E1039 Interface is unimplementableJAVA-E1041 Enum fields should not be mutableJAVA-E1069 The `%` operator has higher precedence than the `*` operatorJAVA-E1080 Missing enum elements in switch casesJAVA-E1082 Inefficient `OutputStream` implementationJAVA-P1002 Mutable fields should not directly be returnedJAVA-S1049 Type parameter shadows another typeJAVA-W1017 Variable is checked for `null` twiceJAVA-W1068 Zip entries should not be emptyJAVA-W1023 `toString()` may not work as expected for array typesJAVA-W1027 Classes that contain only static members should not be instantiatedJAVA-W1035 Local variables should not be assigned in return statementsJAVA-W1037 Anonymous classes should not contain unused non-overridden methodsJAVA-W1039 Overly generic exceptions should not be thrownJAVA-W1042 `instanceof` check with a known null value will always return falseJAVA-W1044 Interface only declares static final fieldsJAVA-W1059 Static field accessed before being writtenJAVA-W1060 `@Expensive`/`@WorkerThread` annotated method should not override unannotated super methodJAVA-W1061 Wrong thread for swing method invocationJAVA-W1062 Concrete collection type used in method declarationJAVA-W1065 Method returning collection/array type returns `null` insteadJAVA-W1066 Redundant cast of return valueJAVA-W1067 Primitive values don't need to be compared with `Object.equals()`JAVA-W1080 Inject annotations on abstract class constructors have no effectJAVA-W1084 Methods should not have different nullability than their super methodsJAVA-E1100 Returned `Future`s should not be ignoredJAVA-W1087 Unnecessary imports detectedJAVA-W1069 Use `assertNull`/`NotNull` instead of `assertEquals`/`notEquals` to assert nullityJAVA-W1091 `@Deprecated` should not be applied to local variables or parametersJAVA-W1082 `readResolve` should be protected for non-final classesJAVA-W1097 Use `existsById` instead of `findById` to check for the existence of an entityJAVA-W1090 `switch` statements with only 2 branches should be `if` statements insteadJAVA-W1086 @VisibleForTesting/@TestOnly annotated methods/constructors should not be used in non-test codeJAVA-A1067 `getClass` should not be used with enums whose members have custom bodiesJAVA-E1106 Avoid using deprecated `Thread` methodsJAVA-E1107 `String.substring()` call with single `0` index foundJAVA-W1077 Avoid using a single unescaped `.` as a regex patternJAVA-W1078 Synchronization performed on a concurrency primitive objectJAVA-E0321 Abstract class constructors should not be publicJAVA-W1094 Closeable values should not be injected via `@Provides` annotated methodsJAVA-E1103 CacheLoader implementation `load` method should not return `null`JAVA-E1104 `BigDecimal.equals()` may produce unintended resultsJAVA-W1083 Catch blocks should be reachableJAVA-W1092 Avoid assertions within `Runnable`sJAVA-W1096 Calls to assertion chain methods should be terminated with an assertionJAVA-E1109 `readObject` should not be synchronizedJAVA-W1093 Avoid using `ThreadGroup` methodsJAVA-E1108 Absolute paths should not be hard codedJAVA-W0406 JUnit5 test classes and methods should be package-privateJAVA-W1058 Method superfluously delegates to parent class methodJAVA-W1016 Type bound extends final typeJAVA-W1018 For loop can be converted into a foreach loopJAVA-W1089 Test files should contain testsJAVA-W1088 Attempt to close a null value detectedJAVA-S0250 Value is always nullJAVA-S0249 Maps and Sets of URLs can be performance hogsJAVA-S0057 Impossible downcast of `toArray()` result detectedJAVA-S0386 `IllegalMonitorStateException`s should not be handledJAVA-S0040 Database resource may not be closed on returnJAVA-S0326 Possible database resource leak detectedJAVA-S0327 `readLine()` result is read without a null checkJAVA-S0220 Possibly null fields should not be synchronized onJAVA-E1060 Incorrect combination of `Math.max` and `Math.min`JAVA-S0080 Stream does not appear to be closed after useJAVA-S0268 Clone method does not invoke super methodJAVA-S0048 Static initializer creates instance before all static final fields are assignedJAVA-S0267 Value is guaranteed to be accessed while null after an exception is thrownJAVA-S0266 Stream may be left unclosedJAVA-S0269 No relationship between the generic parameter of the called method and its argumentJAVA-S0421 Sequence of operations on a concurrent abstraction may not be atomicJAVA-S0447 `System.runFinalizersOnExit`/`Runtime.runFinalizersOnExit` are unsafe and must not be usedJAVA-E0061 Class extends Servlet class and uses instance variablesJAVA-S0370 Synchronization performed on a util.concurrent `Lock` objectJAVA-S0321 Overwriting a method parameter will not modify the original objectJAVA-S0352 Waiting with two locks held is likely to cause a deadlockJAVA-E0139 `wait`/`notify` called without synchronization on an objectJAVA-E0288 Cookies must not be insecureJAVA-S1003 Avoid using `equals` to compare against `null`JAVA-E0051 Incorrect combination of `Math.max` and `Math.min`JAVA-E0080 `IllegalMonitorStateException`s should not be handledJAVA-E0040 Self assignment of local variable detectedJAVA-E0291 Clone method does not invoke super methodJAVA-E0048 Finalizers must not be explicitly invokedJAVA-E0094 `readLine` result is read without a null checkJAVA-E0220 Method attempts to access a result set field with index 0JAVA-E0343 Method attempts to set a prepared statement parameter with index 0JAVA-E0344 Impossible downcast of `toArray` result detectedJAVA-E0386 Invalid regex syntax must not be usedJAVA-E0394 Iterator `hasNext` should not invoke `next`JAVA-E0409 A syntax error was foundJAVA-E1000 Bad short-circuiting null checkJAVA-E1003 Methods must not unconditionally call themselvesJAVA-E1017 Indices must not be out of boundsJAVA-E1020 `Optional` values must never be `null`JAVA-E1022 Whitespace characters must always be escapedJAVA-E1029 Maps and Sets of URLs can be performance hogsJAVA-P0057 `Pattern.compile()` should not be called in a loopJAVA-P0331 Overly permissive CORS policies are a security riskJAVA-S1000 Servlet does not sanitize path names from HTTP requestsJAVA-S1001 CBC and ECB modes are insecureJAVA-S1004 Insecure encryption algorithm detectedJAVA-S1012 RSA without padding is insecureJAVA-S1013 RSA keys must be at least 2048 bits longJAVA-S1014 Blowfish keys must be at least 128 bits longJAVA-S1015 Finalizer method should be protected, not public or privateJAVA-W0089 Insecure hash algorithm usage with passwords detectedJAVA-S1006 Database password field is emptyJAVA-S0014 Method with `Optional` return type must not return `null`JAVA-S0031 Method does not check if an argument is nullJAVA-S0109 Prepared statements should not be created within a loopJAVA-S0329 Local variable that shadows field is written to but not read fromJAVA-S0353 Class extends Servlet class and uses instance variablesJAVA-E0370 Switch blocks must not contain statement labelsJAVA-E1005 Insecure network protocols must not be usedJAVA-S1021 Nullable value stored to non-null fieldJAVA-E1071 Collections should not contain themselvesJAVA-E1076 Prepared statements should not be created within a loopJAVA-P1003 Storing an externally mutable value into a private static field may expose internal stateJAVA-S0134 Public static method returns freely modifiable array that may expose internal stateJAVA-S0131 `BigDecimal` constructed from `double` may be impreciseJAVA-S0008 Inefficient use of keySet iterator instead of entrySet iteratorJAVA-S0361 `System.exit()` should only be invoked within application entry pointsJAVA-S0060 `Thread` passed where `Runnable` expectedJAVA-S0056 `toString` invoked on a string value is uselessJAVA-S0064 `Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-S0066 `Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-S0067 `Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-S0068 Use `""` instead of `new String()` to create empty stringsJAVA-S0063 Inefficient use of `String` constructorJAVA-S0062 Increment of volatile field is not atomicJAVA-S0028 Adding elements of an entry set may fail due to reuse of `Entry` objectsJS0425 Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-S0065 Repeated conditional test on the same variable detectedJAVA-S0034 Elements accessed from volatile reference to an array are not volatileJAVA-S0027 Method may ignore exceptionsJAVA-S0052 Invocation of `equals()` on an array, which is equivalent to `==`JAVA-S0348 Use of member identifier that is a keyword in later Java versionsJAVA-S0050 Fields of immutable classes should be finalJAVA-E0055 Collections should not be added to themselvesJAVA-E1077 Array elements should match the runtime type of the arrayJAVA-E1079 String concatenation using `+` within loops is costly and should be replaced by a `StringBuffer`/`StringBuilder`JAVA-P1006 Imprecise redefinition of library constantJAVA-W1033 Empty catch clauses may hide exceptionsJAVA-E0052 Boxed primitives should not be synchronized onJAVA-E0150 `Thread.sleep()` should not be called while a lock is heldJAVA-E0410 Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-E0135 Elements accessed from volatile reference to an array are not volatileJAVA-E0027 Invocation of `equals` on an array, which is equivalent to `==`JAVA-E0348 Use of identifier that is a keyword in later Java versionsJAVA-W0050 Finalizers are deprecated since Java 9JAVA-W0088 `equals` always returns `false`JAVA-W0107 Unsafe usage of `getResource`JAVA-E0029 Monitor `wait` must not be used on a `Condition`JAVA-E0078 `equals` always returns `true`JAVA-W0106 C style array declaration syntax must not be usedJAVA-C1000 Increment of volatile field is not atomicJAVA-E0028 Arguments of binary expressions must not be duplicatedJAVA-E0034 `Thread` passed where `Runnable` expectedJAVA-E0056 Use `""` instead of `new String()` to create empty stringsJAVA-P0063 `equals` method defined for enumerationJAVA-E0096 `equals` method is overloaded but not overriddenJAVA-E0098 `equals` method inherits parent class implementation instead of overriding `Object.equals`JAVA-E0099 `compareTo`/`compare` returns `Integer.MIN_VALUE`JAVA-E0112 Classes should not have the same name as any of their superclasses or implemented interfacesJAVA-E0169 Return value of `InputStream.read()` should not be ignoredJAVA-E0183 Return value of `InputStream.skip` should not be ignoredJAVA-E0184 Constructor of non-final class starts a threadJAVA-E0208 Increment/decrement performed during assignment expression to same variable will be lostJAVA-E0396 Shift amounts outside the valid range may produce unexpected resultsJAVA-E0399 Oddness check using `x % 2 == 1` will not work for negative numbersJAVA-E0405 Arguments to String.format must match the provided format stringJAVA-E1001 `toString` invoked on a string value is uselessJAVA-P0064 Jump statements must not be used within `finally` blocksJAVA-E1007 Case insensitive regex does not properly handle Unicode inputJAVA-E1010 Objects should not be compared to themselves within assertionsJAVA-E1012 Optional values must be checked before being accessedJAVA-E1013 `Iterable` objects must not return `this` in `iterator()` methodJAVA-E1015 `setUp` and `tearDown` methods must be properly annotatedJAVA-E1028 Inefficient use of `String` constructorJAVA-P0062 Explicit invocation of garbage collection is detrimental apart from some benchmarking use casesJAVA-P0065 `Boolean` constructor is inefficient, consider using `Boolean.valueOf` insteadJAVA-P0066 `Integer`/`Long` constructor is inefficient, use `valueOf` insteadJAVA-P0067 `Float`/`Double` constructor is inefficient, use `valueOf` insteadJAVA-P0068 Non-null boxed types are inefficientJAVA-P1000 Use `String.replace()` instead of `String.replaceAll()` for simple text patternsJAVA-P1001 `Thread` with empty `run` method is uselessJAVA-W0084 `BigDecimal` constructed from `double` may be impreciseJAVA-W0008 Maximum pool size of `ScheduledThreadPoolExecutor` cannot be changedJAVA-W0012 Empty catch clauses may hide exceptionsJAVA-W0052 `System.exit()` should only be invoked within application entry pointsJAVA-W0060 `equals` checks for incompatible operandJAVA-W0095 Class doesn't override `equals` from superclassJAVA-W0100 Invoking a `Runnable` object's `run` method will perform the task in the current thread, not a new oneJAVA-W0135 Possibly useful method return value is ignoredJAVA-W0243 References should not be compared with `==`/`!=`JAVA-W0280 File path does not match declared packageJAVA-W1001 Exceptions must not be thrown in finalizersJAVA-W1002 Collection and array length checks must be sensibleJAVA-W1005 Fields must not shadow other fields with the same name from super classesJAVA-W1007 JUnit test class overrides `setUp` but does not invoke `super.setUp()`JAVA-S0337 `@OverridingMethodsMustInvokeSuper` annotation in super method is ignored by overriding methodJAVA-S0001 A call has been made to an unsupported methodJAVA-S0013 `Boolean` method may return `null`JAVA-S0030 Empty zip file entries should not be createdJAVA-S0038 Empty jar file entries should not be createdJAVA-S0039 Class implements `Cloneable` but has not overridden the `clone` methodJAVA-S0046 Class defines `clone` but does not inherit from `Cloneable`JAVA-S0047 Synchronizing on a mutable reference may lead to unexpected behaviorJAVA-S0153 Synchronization on a nonfinal field is dangerous and error-proneJAVA-S0154 Value assigned is overwritten due to switch fall throughJAVA-S0197 `Random` object is used only once, then discardedJAVA-S0301 Assertion possibly occurs in a non-test threadJAVA-S0336 JUnit test class overrides `tearDown` but does not invoke `super.tearDown()`JAVA-S0338 Arrays are not equal to non-array valuesJAVA-S0347 `equals` can't be used to compare arrays of different typesJAVA-S0349 Wait/notify must not be called on a Thread objectJAVA-E1004 Overwriting a method parameter will not modify the original objectJAVA-E0352 Inefficient use of keySet iterator instead of entrySet iteratorJAVA-P0361 Malformed JavaDoc commentJAVA-D1007 `Duration.withNanos()` may not produce correct resultsJAVA-E1087 Parameter tag has no descriptionJAVA-D1005 JavaDoc tags should not be emptyJAVA-D1006 Unmatched Parameter tag foundJAVA-D1004 Getter and setter method synchronization does not matchJAVA-E1074 Thread.currentThread() should not be used to call Thread's static methodsJAVA-W1038 Non-thread-safe date/time fields should not be public and staticJAVA-E1024 Call to unsupported method detectedJAVA-E1048 Private fields which are only set to null should be removedJAVA-E1066 Random value in range 0 to 1 is coerced to integer 0JAVA-E1068 Calling String.indexOf() with a single character string is inefficientJAVA-P1004 Expensive methods should not be invoked from performance critical threadsJAVA-P1007 Object should not be passed where a generic type is expectedJAVA-W1036 Bitwise operations should not be checked for signJAVA-W1043 Negating the result of `compareTo`/`compare` may have unexpected resultsJAVA-W1048 Boxed primitives will be unboxed and coerced to a common type in ternary operationJAVA-W1055 Class overrides `compareTo()` but not `equals()`JAVA-W1056 Downcast may flip integer sign in comparator methodJAVA-E1102 Primitive value is boxed, then unboxed to perform primitive coercionJAVA-W1081 Class overrides `TestCase` but has no test methodsJAVA-S0341 Primitives do not need to be boxed for comparisonJAVA-W1050 Object appears to have been created for no reasonJAVA-S0235 Class is not an Exception/Throwable, even though it is named as suchJAVA-S0182 Private method is never calledJAVA-S0324 `Object.getClass` does not need to be invoked on an instantiated objectJAVA-W0077 Method uses the same code for two switch clausesJAVA-S0412 Useless control flow detectedJAVA-W1047 Useless unboxing of a valueJAVA-W1052 Protected fields in a final class are uselessJAVA-W0417 Format strings should use `%n` instead of `\\n`JAVA-W0379 The default case should be last within a switch blockJAVA-W1010 Private method is never calledJAVA-W0324 Method uses the same code for multiple branchesJAVA-W0411 Getter/setter names must be appropriateJAVA-E1014 Class overrides `hashCode` but not `equals`JAVA-W0117 Finalizer nulls fieldsJAVA-W0087 Empty finalizer methods should be deletedJAVA-W0090 Class is not an Exception/Throwable, even though it is named as suchJAVA-W0182 Method uses the same code for two switch clausesJAVA-W0412 Exception classes must be named appropriatelyJAVA-W1000 Methods must not be emptyJAVA-W1004 Method and field names must be dissimilarJAVA-W1006 Hashcode must be implemented along with EqualsJAVA-W0116 Float precision math may be impreciseJAVA-S0041 Class is Serializable, but doesn't define `serialVersionUID`JAVA-S0193 Case conversion may not work as expected for international characters without specifying the encodingJAVA-S0069 Serializable class with non-serializable super class having no void constructor detectedJAVA-S0192 Useless increment in return statementJAVA-S0356 Float comparison with `NaN` will always failJAVA-S0364 Method superfluously delegates to parent class methodJAVA-S0415 Floating point values should not be compared with relational operators in comparison methodsJAVA-W1032 Undocumented class foundJAVA-D1000 Undocumented constructor foundJAVA-D1002 Undocumented declaration foundJAVA-D1003 Non-static nested class foundJAVA-W1019 Local variable is assigned null value and not read afterJAVA-W1040 Needless boxing of a primitive only to call `toString`JAVA-W1049 Boxing a value is redundant if it is immediately unboxedJAVA-W1051 Undocumented method foundJAVA-D1001 Function with cyclomatic complexity higher than threshold foundJAVA-R1000

JAVA-S1025

Disabling escaping of special characters in templates is a security riskJAVA-S1025

Critical

Security

a03, cwe-79, security, sans-top-25, owasp-top-10

Automatic variable escaping should not be disabled when using template processing systems such as Mustache or FreeMarker.

When special characters (such as '<', '>', or '/') are encountered, templating engines such as JMustache can automatically replace them with equivalent escape sequences. This prevents malicious inputs from inserting executable code into the final page, leading to an XSS (Cross Site Scripting) attack.

However, character escaping is context sensitive and characters that are safe to keep unescaped outside of HTML tags may not be safe to leave alone within attributes, or vice versa. In the example below, a template engine that does not escape ':' characters has been used.

<a href="{{ myLink }}">link</a>

If myLink's value were set to a JavaScript scheme string such as javascript:alert('hack'), the resultant HTML could become the setup for an XSS attack:

<a href="javascript:alert('hack')">link</a>

This issue is reported when HTML escaping is disabled in the JMoustache and FreeMarker template engines.

Bad Practice

When using JMoustache, do not call escapeHTML() with a false value, or set the escaper to Escapers.NONE.

Mustache
    .compiler()
    .escapeHTML(false)          // Not good.
    .withEscaper(Escapers.NONE) // Not good either.
    .compile(template)
    .execute(context);

When using FreeMarker, do not call Configuration.setAutoEscapingPolicy() with DISABLE_AUTO_ESCAPING_POLICY.

Configuration config = new Configuration();
config.setAutoEscapingPolicy(Configuration.DISABLE_AUTO_ESCAPING_POLICY);

Recommended

In JMustache, auto-escaping is turned on by default; there is no need to explicitly set the behavior, but you could do so by passing true to Compiler.escapeHTML(), or by passing Escapers.HTML to Compiler.withEscaper().

Mustache
    .compiler()                 // Doing nothing is an option.
    .escapeHTML(true)           // But you can set escapeHTML to true if you want to.
    .withEscaper(Escapers.HTML) // Or set the escaper to Escapers.HTML.
    .compile(template)
    .execute(context);

FreeMarker's auto-escaping is also turned on by default for HTML; but you can force it to be on by calling setAutoEscapingPolicy() with the right arguments:

config.setAutoEscapingPolicy(Configuration.ENABLE_IF_DEFAULT_AUTO_ESCAPING_POLICY); // This is the default.
config.setAutoEscapingPolicy(Configuration.ENABLE_IF_SUPPORTED_AUTO_ESCAPING_POLICY); // This is also a viable option.

References

OWASP Top Ten (2021) - Category A03 - Injection
OWASP Cheat Sheets - XSS Prevention
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')