SQL injections are dead ... Long live injections!

h3xstream released this Jun 28, 2018

While many consider SQL injection a (mostly) solved problem, injection vulnerabilities are very much alive: plenty of other APIs accept SpEL or OGNL expressions, HTML (XSS), SMTP headers or specialized query languages, and each of them becomes an injection sink as soon as it receives untrusted input. In this release, new detectors and updates to existing ones should catch critical vulnerabilities that can lead to remote code execution or sensitive data exposure.
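As an added illustration (not code from the Find Security Bugs project), here is the shape of a SpEL injection next to a hardened equivalent. The class, method and data-object names are hypothetical; the Spring Expression APIs (`SpelExpressionParser`, `StandardEvaluationContext`, `SimpleEvaluationContext`) are real. The point is the one the release makes: an expression language is an injection sink whenever the expression text, rather than a value it reads, comes from the caller.

```java
// Added example, not part of the Find Security Bugs release. Requires spring-expression.
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

    // Hypothetical data object exposed to the expression (name is an assumption).
    public static class Greeting {
        private final String name;
        public Greeting(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE shape: the expression text itself comes from the request.
    // With a StandardEvaluationContext, SpEL allows type references (T(...)),
    // constructors and arbitrary method calls, so the caller decides what
    // code runs on the server. This is the pattern a SpEL injection detector
    // is meant to flag.
    public static Object renderUntrusted(String userExpression) {
        Expression expr = PARSER.parseExpression(userExpression);
        return expr.getValue(new StandardEvaluationContext(new Greeting("world")));
    }

    // HARDENED: the expression is a compile-time constant and untrusted data is
    // only a value the expression reads. SimpleEvaluationContext additionally
    // rejects type references, constructors and bean references, so even a
    // future mistake that lets user text reach parseExpression() has less reach.
    private static final Expression GREETING =
            PARSER.parseExpression("'Hello, ' + name + '!'");

    public static String renderSafe(String userName) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return GREETING.getValue(ctx, new Greeting(userName), String.class);
    }

    public static void main(String[] args) {
        // Constructed inputs. The second string is what an attacker would send:
        // as a *value* it is inert text and is simply echoed back inside the
        // greeting; handed to renderUntrusted() it would be parsed as code.
        System.out.println(renderSafe("world"));
        String payload = "T(java.lang.Runtime).getRuntime()";
        System.out.println(renderSafe(payload));
        // renderUntrusted(payload) is deliberately not called here.
    }
}
```

The hardened version fixes the injection at its root (no user-controlled expression text at all); the restricted evaluation context is defense in depth, not a substitute for that.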

Several changes were made to handle edge cases in the bytecode the Kotlin compiler emits (for example string comparisons compiled to Intrinsics.areEqual()). If you are a Kotlin developer, you should benefit greatly from this release. (Fix #387) (Tests #407, #409, #410)

Many built-in Java XML APIs susceptible to XXE were added to the existing XXE detectors. #138
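One of the APIs covered in this release is TransformerFactory (#349). The following added example (not code from the Find Security Bugs project) shows a default factory next to one configured the way the OWASP XXE guidance recommends, fed a constructed document that declares an external entity. Class and method names are hypothetical; the `javax.xml` calls and the `XMLConstants` attributes are standard JDK (JAXP 1.5 and later).

```java
// Added example, not part of the Find Security Bugs release. Standard JDK only.
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerDemo {

    // Constructed sample input: a document whose DOCTYPE declares an external
    // entity. A transformer that resolves external DTDs would read the referenced
    // file and copy its contents into the transformation output.
    static final String UNTRUSTED_XML =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n" +
            "<note>&ext;</note>";

    // VULNERABLE shape: default factory, external DTDs and entities are resolved.
    public static String transformUnsafe(String xml) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        return run(tf.newTransformer(), xml);
    }

    // HARDENED: forbid external DTD and external stylesheet access and enable
    // secure processing on the factory before any Transformer is created from it.
    public static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    public static String transformSafe(String xml) throws TransformerException {
        return run(hardenedFactory().newTransformer(), xml);
    }

    // Identity transformation from a string source to a string result.
    private static String run(Transformer t, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        try {
            System.out.println(transformSafe(UNTRUSTED_XML));
        } catch (TransformerException e) {
            // Expected with the hardened factory: the external entity reference is
            // refused rather than being read from disk. transformUnsafe() is
            // deliberately not called on this input.
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Only the factory is configured; transformers created from it inherit the settings, so the hardening must happen before `newTransformer()` is called anywhere in the code path.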

Find Security Bugs is now automatically tested against Java 10. The plugin will continue to be compiled with Java 8 to maximize compatibility.

Thanks to the numerous contributors who have pushed changes that were integrated in this version:

Full Changelog

Implemented enhancements:

  • Detect SpelView (Spel Injection) #400
  • False positive STRUTS_FORM_VALIDATION issues for ActionForms with proper validate method #390
  • Kotlin support for hardcode password with Intrinsics.areEqual() #387
  • SMTP Header Injection #374
  • FileItem.getName() as a new source for XSS_SERVLET? #358
  • Detect hardcode password and hash based on variable name #342
  • Identify XSS cause by ServletOutputStream.print() #341
  • (Internal) Enable assertions during building and/or using find-sec-bugs #338
  • Add Paths.get() as source for Path traversal #324
  • Reduce false positive for Path traversal #291
  • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240
  • [Documentation] - Add Table of Contents to Bug Patterns page #160
  • More XXE coverage #138
  • New implementation of CORS detector #313 #361 (bradflood)
  • fix for: Identify XSS cause by ServletOutputStream.print() #341 #355 (bradflood)
  • Optional API and improvement to crypto detector #350 (h3xstream)
  • Added some XXE Coverage for TransformerFactory #349 (MaxNad)
  • Add Java8 nio API for path traversal #324 #325 (h3xstream)
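The SMTP header injection item (#374) is the least familiar of the new sinks, so here is an added example (not code from the Find Security Bugs project) of the vulnerable shape and a hardened one using the JavaMail API. Class, method and address names are hypothetical; `MimeMessage`, `Session` and `InternetAddress` are the real `javax.mail` types. The hostile input is constructed for the demonstration.

```java
// Added example, not part of the Find Security Bugs release. Requires javax.mail.
import java.io.ByteArrayOutputStream;
import java.util.Properties;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public class SmtpHeaderInjectionDemo {

    // A header value must be a single line: a bare CR or LF ends the current
    // header, so a value carrying one lets the caller append headers of their
    // own (Bcc, extra recipients, Reply-To). Reject such values outright.
    public static String requireSingleLine(String fieldName, String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(fieldName + " must not contain line breaks");
        }
        return value;
    }

    // VULNERABLE shape: request data copied straight into a header field.
    public static MimeMessage buildUnsafe(Session session, String subject) throws MessagingException {
        MimeMessage msg = new MimeMessage(session);
        msg.setSubject(subject);
        return msg;
    }

    // HARDENED: every header-bound value is validated before it reaches JavaMail.
    // The body is written after the blank line that ends the header block, so
    // line breaks in it are harmless; only header values need the check.
    public static MimeMessage buildSafe(Session session, String to, String subject, String body)
            throws MessagingException {
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress("noreply@example.invalid"));
        msg.setRecipient(Message.RecipientType.TO,
                new InternetAddress(requireSingleLine("to", to)));
        msg.setSubject(requireSingleLine("subject", subject));
        msg.setText(body);
        return msg;
    }

    public static void main(String[] args) throws Exception {
        Session session = Session.getInstance(new Properties());

        // Constructed attacker input: a subject that tries to smuggle a Bcc header.
        String hostile = "Your receipt\r\nBcc: attacker@example.invalid";
        try {
            buildSafe(session, "alice@example.invalid", hostile, "Thanks for your order.");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Benign input goes through; print the serialized message to see the headers.
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        buildSafe(session, "alice@example.invalid", "Your receipt", "Thanks for your order.")
                .writeTo(raw);
        System.out.print(raw);
    }
}
```

Rejecting rather than stripping is the safer choice: silently removing the line breaks would let "Your receiptBcc: attacker@example.invalid" through as a harmless-looking subject and hide the attempted attack from logs.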

Fixed bugs:

  • Path traversal: False positive with static final variable #382
  • NullPointerException in GoogleApiKeyDetector.visitClassContext #364
  • Images on Gradle Configuration documentation page show 'Please update your account' #337
  • PermissiveCORSDetector throws NPE #313
  • CRLF injection CWE-117 does not detect request body parameters for jax-rs applications #240

Closed issues:

  • Crash with spotbugs 3.1.4 #406
  • Adding New Sinks #378
  • Add a new bug check "X-Frame-Options Header Not Set" #371
  • Invalid configuration for java/io/File#createTempFile in java-net.txt #328

Merged pull requests:

Checksum (sha1sum output) of the attached CLI bundle:

74a7fc48d07c50311e052fdf4c7ac0ee675876fa *findsecbugs-cli-1.8.0.zip