- POTENTIAL ISSUE: Potentially Unsafe Code - Public Class Not Declared as Final

The class is not declared as final as per OWASP recommendations. It is considered best practice to make classes final where possible and practical (i.e. it has no classes which inherit from it). Non-final classes can allow an attacker to extend a class in a malicious manner. Manually inspect the code to determine whether or not it is practical to make this class final.

Before:

```java
public abstract class SSOAgentFilter implements Filter {
```

After:

```java
public final abstract class SSOAgentFilter implements Filter {
```

Note that Java does not allow a class to be both `final` and `abstract`, so this change will not compile as written.

- HIGH: Potentially Unsafe Code - Poor Input Validation
The application appears to use data contained in the HttpServletRequest without validation or sanitisation. No validator plug-ins were located in the application's XML files.

```java
Cookie[] cookies = request.getCookies();
```

This is a bit absurd... adding a validate method that returns true is enough to pass (the name has to be there).
```java
// Returns true unconditionally, as the note above describes; this silences the scanner
// without validating anything.
private boolean validateRequest(HttpServletRequest request) {
    return true;
}
```

- LOW: Potentially Unsafe Code - Operation on Primitive Data Type

The code appears to be carrying out a mathematical operation on a primitive data type. In some circumstances this can result in an overflow and unexpected behaviour. Check the code manually to determine the risk.

Before:

```java
for (int i = 0; i < cookies.length; i++) {
```

After:

```java
for (Cookie item : cookies) {
```
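For the input-validation finding above, here is an added example (not the page's or the SSO agent's own code) of a `validateRequest` that actually checks the cookie the filter consumes instead of returning `true`. The cookie name `sso_session`, the allowed-value pattern and the servlet API being on the classpath are assumptions.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Hypothetical validator for the cookie data read by the filter.
public final class CookieRequestValidator {
    // Assumed name of the SSO cookie this filter relies on.
    static final String SSO_COOKIE = "sso_session";
    // Assumed shape of a valid session token: a bounded, URL-safe character set.
    // This rejects control characters, separators and overlong values.
    static final Pattern TOKEN_VALUE = Pattern.compile("^[A-Za-z0-9._-]{16,256}$");

    // Core check on a single cookie value; kept separate so it can be unit-tested
    // without a servlet container.
    static boolean isWellFormedToken(String value) {
        return value != null && TOKEN_VALUE.matcher(value).matches();
    }

    // Accepts the request unless the SSO cookie is present with a malformed value.
    // Unrelated cookies are ignored; absence of the SSO cookie is handled by the
    // filter's normal "not authenticated" path, not here.
    static boolean validateRequest(HttpServletRequest request) {
        // getCookies() returns null when the request carries no Cookie header,
        // so the page's original loop over cookies.length would throw a NullPointerException.
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return true;
        }
        for (Cookie cookie : cookies) {
            if (SSO_COOKIE.equals(cookie.getName()) && !isWellFormedToken(cookie.getValue())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the page.
        System.out.println(isWellFormedToken("a1b2c3d4e5f6g7h8i9j0"));
        System.out.println(isWellFormedToken("short"));
        System.out.println(isWellFormedToken("tok\r\nSet-Cookie: evil=1"));
    }
}
```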
Reference links
https://github.com/nccgroup/VCG/blob/master/VisualCodeGrepper/bin/Debug/javafunctions.conf