Stable links that you might embed into your audit documentation:
eclntjsfserverRISC-20240930.jar
org.eclnt.jsfserver.bufferedcontent.BufferedContentServlet
org.eclnt.jsfserver.calendar.ExtCalendarServlet
writeXMLResultToResponse(javax.servlet.http.HttpServletResponse, java.lang.String)
org.eclnt.jsfserver.starter.RISCStarter
writeTemplateToResponse(javax.servlet.http.HttpServletResponse, java.lang.String)
org.eclnt.jsfserver.util.CompressionResponseStream
close()
org.eclnt.jsfserver.util.DynamicImageServlet
writeSVGStringToOutputStream(javax.servlet.http.HttpServletResponse, java.lang.String)
writePNGBytesToOutputStream(javax.servlet.http.HttpServletResponse, byte[])
org.eclnt.jsfserver.util.ServletUtil
writeTrustedDataToResponseOutputStream(javax.servlet.http.HttpServletResponse, byte[])
org.eclnt.jsfserver.util.StyleReaderServlet
writeCSSToResponse(javax.servlet.http.HttpServletResponse, java.lang.String)
writeJSONToResponse(javax.servlet.http.HttpServletResponse, java.lang.String)
org.eclnt.util.classresolver.DefaultClassResolver
resolveClass(java.lang.String, boolean, java.lang.ClassLoader, org.eclnt.util.classresolver.ENUMCallerType)
resolveClass(java.lang.String, org.eclnt.util.classresolver.ENUMCallerType)
eclntccee-20240930.jar
org.eclnt.ccee.db.dofw.DOFWSql
eclntjsfserverRISC-20240930.jar
org.eclnt.jsfserver.bufferedcontent.BufferedContentServlet
Class level mitigation
| Comment | The BufferedContent processing is designed to make content that is created by the application available to the browser by URL. Example: the application creates some PDF content that should be shown in the browser. As a consequence, any security issue is to be addressed by the application producing the content. Nevertheless there are some default security measures: 1. The content that is made available by the application is only available within the current HTTP session of the user. It cannot be accessed by other sessions. 2. Each content that is made available receives a unique id. This id is generated in a secure random way. 3. The content is automatically removed when the HTTP session is removed. |
| Annotation type | CCMitigation |
org.eclnt.jsfserver.calendar.ExtCalendarServlet
Method writeXMLResultToResponse
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| Comment | The output is an XML string containing data that is shown in an extended calendar component (e.g. colors of days, comments for days). The XML is assembled by using ESAPI.encoder().encodeForXMLAttribute(value) for all dynamic content that is added into the XML string. |
| Annotation type | XSSCleanser |
org.eclnt.jsfserver.starter.RISCStarter
Method writeTemplateToResponse
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| CWE Ids | 80, 201 |
| Comment | The content that is written into the response is an HTML text that is created from a template, in which certain placeholders are replaced with actual values. The template must be part of the resources of the application, i.e. it is not possible to e.g. reference a template from outside by URL. Replacements that are based on parameters of the .risc-request are explicitly encoded with ESAPI.encoder().encodeForHTMLAttribute(). Any other replacements are only based on the system configuration, which is part of the local application. |
| Annotation type | CCMitigation |
Method writeTemplateToResponse
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| Comment | The content that is written into the response is an HTML text that is created from a template, in which certain placeholders are replaced with actual values. The template must be part of the resources of the application, i.e. it is not possible to e.g. reference a template from outside by URL. Replacements that are based on parameters of the .risc-request are explicitly encoded with ESAPI.encoder().encodeForHTMLAttribute(). Any other replacements are only based on the system configuration, which is part of the local application. |
| Annotation type | XSSCleanser |
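The two rules stated above (templates come only from the application's own resources; request-derived replacements are attribute-encoded, configuration-derived ones are not) are shown together in the following added example. It is illustrative code written for this page, not RISCStarter's or ExtCalendarServlet's implementation: the `${name}` placeholder syntax, the `/templates/` resource folder and the `<day>` element with its attribute names are assumptions; the `ESAPI.encoder().encodeForHTMLAttribute()` and `encodeForXMLAttribute()` calls are the real OWASP ESAPI API named in the comments above. The `calendarDayXml` helper applies the same encoding rule to the XML output described for writeXMLResultToResponse.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;

/** Added example: template filling where only request-derived values are output-encoded. */
public class TemplateResponseExample {

    // The ${name} placeholder syntax is an assumption of this example, not RISCStarter's format.
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([A-Za-z0-9_]+)\\}");

    /**
     * Loads a template from the application's own classpath resources. Only a plain file name
     * is accepted, so a template can never be referenced from outside the deployed application.
     */
    static String loadTemplate(String name) throws IOException {
        if (!name.matches("[A-Za-z0-9_]+\\.html")) {
            throw new IllegalArgumentException("template name rejected: " + name);
        }
        try (InputStream in = TemplateResponseExample.class.getResourceAsStream("/templates/" + name)) {
            if (in == null) {
                throw new IOException("template not found: " + name);
            }
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /**
     * Replaces placeholders. A value taken from the request is encoded for the HTML attribute
     * context with ESAPI before insertion; a value from the local system configuration is
     * inserted as-is because it is not user-controlled. Unknown placeholders become empty.
     */
    static String fillTemplate(String template, Map<String, String> requestParams,
                               Map<String, String> systemConfig) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1);
            String value;
            if (requestParams.containsKey(name)) {
                value = ESAPI.encoder().encodeForHTMLAttribute(requestParams.get(name));
            } else {
                value = systemConfig.getOrDefault(name, "");
            }
            // quoteReplacement keeps '$' and '\' inside the value literal
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** The same rule for the calendar XML: every dynamic attribute value is XML-attribute-encoded. */
    static String calendarDayXml(String date, String color, String comment) {
        return "<day date=\"" + ESAPI.encoder().encodeForXMLAttribute(date)
                + "\" color=\"" + ESAPI.encoder().encodeForXMLAttribute(color)
                + "\" comment=\"" + ESAPI.encoder().encodeForXMLAttribute(comment) + "\"/>";
    }

    static void writeTemplateToResponse(HttpServletResponse response, String html) throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write(html);
        response.getWriter().flush();
    }
}
```

The design point worth keeping from this example is the split by origin, not by placeholder: the decision to encode is made on whether the value came from the request, so a configuration value is never accidentally double-encoded and a request value is never accidentally trusted.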
org.eclnt.jsfserver.util.CompressionResponseStream
Method close
| Method parameters | |
| Comment | The output stream that is written is the zipped version of the original output stream. The responsibility for making sure that the output stream does not contain XSS must not be managed on this level, but on the level that produces the proper content before it is zipped. There is no additional information written into the zipped output stream, so there is also no chance to add XSS content on this level. |
| Annotation type | XSSCleanser |
org.eclnt.jsfserver.util.DynamicImageServlet
Method writeSVGStringToOutputStream
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| Comment | SVG content is passed which is created from existing SVG images by dynamically updating their color and size. The replacement is checked to only allow colors and sizes to be replaced; it is explicitly built and tested to reject replacement attempts that inject e.g. scripting. The SVG images that are taken as templates for the replacements must be stored in the resources or webcontent of the own web application. It is explicitly not possible to use images from external sources (e.g. URLs). |
| Annotation type | XSSCleanser |
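The following added example shows the kind of allowlist check the comment above describes for writeSVGStringToOutputStream: a replacement value is accepted only if it is a six-digit hex color or a plain pixel count, and templates are loaded only from the application's own resources. This is illustrative code for this page, not DynamicImageServlet's implementation; the `@@COLOR@@`/`@@SIZE@@` tokens, the `/svg/` resource folder and the accepted value formats are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Added example: allowlist-validated color and size replacement in an SVG template. */
public class SvgReplacementExample {

    // Only a 6-digit hex color and a plain positive integer (pixels) are accepted as replacements.
    private static final Pattern HEX_COLOR = Pattern.compile("#[0-9a-fA-F]{6}");
    private static final Pattern PIXELS = Pattern.compile("[1-9][0-9]{0,3}");

    // Placeholder tokens inside the template SVG are an assumption of this example.
    private static final String COLOR_TOKEN = "@@COLOR@@";
    private static final String SIZE_TOKEN = "@@SIZE@@";

    /** Templates come from the application's own classpath resources, never from a URL. */
    static String loadSvgTemplate(String name) throws IOException {
        if (!name.matches("[A-Za-z0-9_-]+\\.svg")) {
            throw new IllegalArgumentException("svg template name rejected");
        }
        try (InputStream in = SvgReplacementExample.class.getResourceAsStream("/svg/" + name)) {
            if (in == null) {
                throw new IOException("svg template not found: " + name);
            }
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Substitutes the tokens only after both values passed the allowlist patterns. */
    static String applyReplacements(String svgTemplate, String color, String size) {
        if (color == null || !HEX_COLOR.matcher(color).matches()) {
            throw new IllegalArgumentException("color rejected");
        }
        if (size == null || !PIXELS.matcher(size).matches()) {
            throw new IllegalArgumentException("size rejected");
        }
        // Validated values consist of [#0-9a-fA-F] only, so they can neither close an
        // attribute value nor open a new element inside the SVG.
        return svgTemplate.replace(COLOR_TOKEN, color).replace(SIZE_TOKEN, size);
    }

    public static void main(String[] args) {
        // Constructed template standing in for a resource file of the web application.
        String template = "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"@@SIZE@@\" height=\"@@SIZE@@\">"
                + "<circle cx=\"12\" cy=\"12\" r=\"10\" fill=\"@@COLOR@@\"/></svg>";
        System.out.println(applyReplacements(template, "#336699", "24"));
        try {
            applyReplacements(template, "not-a-color", "24");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting rather than cleaning is deliberate: a value that is not a color or a size has no legitimate use here, so refusing it is simpler to reason about and to test than trying to strip unwanted characters from it.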
Method writePNGBytesToOutputStream
| Method parameters | javax.servlet.http.HttpServletResponse, byte[] |
| Comment | PNG image content is written to the output stream. The PNG content either represents some text which needs to be available as image or some SVG that is converted into an image. |
| Annotation type | XSSCleanser |
org.eclnt.jsfserver.util.ServletUtil
Method writeTrustedDataToResponseOutputStream
| Method parameters | javax.servlet.http.HttpServletResponse, byte[] |
| CWE Ids | 113 |
| Comment | This method is explicitly designed to write any content to the output stream without any sanitizing of the content. It must only be used if the caller can ensure that the data is coming from trusted sources and that the data is not directly related to user input. |
| Annotation type | CCMitigation |
Method writeTrustedDataToResponseOutputStream
| Method parameters | javax.servlet.http.HttpServletResponse, byte[] |
| Comment | |
| Annotation type | XSSCleanser |
org.eclnt.jsfserver.util.StyleReaderServlet
Class level mitigation
| Comment | This servlet loads a .css style that is assembled dynamically out of XML files. The XML files are development artifacts and are created without embedding e.g. application data. |
| Annotation type | CCMitigation |
Method writeCSSToResponse
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| Comment | Writes generated CSS into the response. The CSS is completely created by the CaptainCasa style management; the only parameter within the processed URL that influences the generation is the name of the style. If the name of the style does not match a defined style, the request is not processed. The content of the CSS is only dependent on the application style definition. |
| Annotation type | XSSCleanser |
Method writeJSONToResponse
| Method parameters | javax.servlet.http.HttpServletResponse, java.lang.String |
| Comment | Writes generated JSON into the response. The JSON is completely created by the CaptainCasa style management; the only parameter within the processed URL that influences the generation is the name of the style. If the name of the style does not match a defined style, the request is not processed. The content of the JSON is only dependent on the application style definition. |
| Annotation type | XSSCleanser |
org.eclnt.util.classresolver.DefaultClassResolver
Method resolveClass
| Method parameters | java.lang.String, boolean, java.lang.ClassLoader, org.eclnt.util.classresolver.ENUMCallerType |
| CWE Ids | 470 |
| Comment | The loading of classes is controlled by the interface IClassResolver. As part of this interface each class that is loaded within the CaptainCasa processing declares why it is loaded (ENUMCallerType parameter). You can apply your own implementation which checks every load process to decide if a class should be loaded or not. |
| Annotation type | CCMitigation |
Method resolveClass
| Method parameters | java.lang.String, org.eclnt.util.classresolver.ENUMCallerType |
| CWE Ids | 470 |
| Comment | The loading of classes is controlled by the interface IClassResolver. As part of this interface each class that is loaded within the CaptainCasa processing declares why it is loaded (ENUMCallerType parameter). You can apply your own implementation which checks every load process to decide if a class should be loaded or not. |
| Annotation type | CCMitigation |
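As an added illustration of the control described for both resolveClass variants, the class below decides a load request from two inputs only: the class name and the reason the framework declares for loading it. It is example code for this page and does not implement the real IClassResolver interface; the method shape mirrors the DefaultClassResolver.resolveClass(String, boolean, ClassLoader, ENUMCallerType) signature listed above, while the `CallerType` values, the package prefixes and the `com.example.app` names are assumptions standing in for ENUMCallerType and for an application's own packages.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example: a class-loading guard modelled on the IClassResolver hook. The caller-type
 * values, the package names and the exact interface contract are assumptions of this example.
 */
public class AllowlistClassResolverExample {

    // Stand-in for ENUMCallerType: the reason the framework gives for loading a class.
    enum CallerType { MANAGED_BEAN, CONVERTER, VALIDATOR }

    // Per caller type, the package prefixes from which loading by name is acceptable.
    private static final Map<CallerType, Set<String>> ALLOWED_PREFIXES = Map.of(
            CallerType.MANAGED_BEAN, Set.of("com.example.app.beans."),
            CallerType.CONVERTER, Set.of("com.example.app.converters.", "org.eclnt."),
            CallerType.VALIDATOR, Set.of("com.example.app.validators."));

    /** Decides purely on the class name and the declared reason for loading; default is deny. */
    static boolean isAllowed(String className, CallerType callerType) {
        if (className == null || callerType == null) {
            return false;
        }
        for (String prefix : ALLOWED_PREFIXES.getOrDefault(callerType, Set.of())) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Same shape as resolveClass(String, boolean, ClassLoader, ENUMCallerType): load only if allowed. */
    public Class<?> resolveClass(String className, boolean initialize, ClassLoader loader,
                                 CallerType callerType) throws ClassNotFoundException {
        if (!isAllowed(className, callerType)) {
            // A refused load is worth logging: it is the audit trail for this control.
            System.err.println("class load refused: " + className + " (caller type " + callerType + ")");
            throw new ClassNotFoundException(className);
        }
        return Class.forName(className, initialize, loader);
    }

    public static void main(String[] args) {
        System.out.println(isAllowed("com.example.app.beans.OrderBean", CallerType.MANAGED_BEAN));
        System.out.println(isAllowed("com.example.app.beans.OrderBean", CallerType.VALIDATOR));
        System.out.println(isAllowed("some.other.library.Helper", CallerType.CONVERTER));
    }
}
```

Keying the allowlist on the caller type is what the ENUMCallerType parameter makes possible: a class that is a legitimate managed bean is still refused when the framework asks for it as a validator, which keeps the set of loadable classes per purpose small and reviewable.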
eclntccee-20240930.jar
org.eclnt.ccee.db.dofw.DOFWSql
Class level mitigation
| CWE Ids | 89 |
| Comment | This is the central class of the DOFW persistence framework. It maps Java entity objects ("Pojos") to database table operations. As a result, SQL commands are assembled for querying and updating the database. The SQL commands are all assembled in the same way: PreparedStatement processing is used, so that any data that is passed by the application is NOT able to influence the SQL command itself. As a result the framework is robust against SQL injection attacks. |
| Annotation type | CCMitigation |
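The following added example shows the assembly rule described above in JDBC terms: the SQL text is built only from table and column names taken from the entity mapping, each value is represented by a `?` placeholder and reaches the database through parameter binding. This is illustrative code for this page, not DOFWSql's implementation; the `Map`-based column mapping stands in for the framework's own Pojo mapping, and the `ORDERS` table and its columns are constructed sample data.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: SQL assembled from an entity mapping, with every value bound as a parameter. */
public class PojoSqlExample {

    // Table and column names come from the entity mapping, never from request data, and are
    // still checked against a strict identifier pattern before being placed into the SQL text.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    static String checkIdentifier(String id) {
        if (id == null || !IDENTIFIER.matcher(id).matches()) {
            throw new IllegalArgumentException("identifier rejected: " + id);
        }
        return id;
    }

    /** Builds "INSERT INTO t (a, b) VALUES (?, ?)": one '?' per column, no value in the text. */
    static String buildInsert(String table, Map<String, Object> columns) {
        StringBuilder cols = new StringBuilder();
        StringBuilder marks = new StringBuilder();
        for (String column : columns.keySet()) {
            if (cols.length() > 0) {
                cols.append(", ");
                marks.append(", ");
            }
            cols.append(checkIdentifier(column));
            marks.append('?');
        }
        return "INSERT INTO " + checkIdentifier(table) + " (" + cols + ") VALUES (" + marks + ")";
    }

    /** Builds "SELECT * FROM t WHERE a = ? AND b = ?" for the given lookup columns. */
    static String buildSelect(String table, Map<String, Object> where) {
        StringBuilder cond = new StringBuilder();
        for (String column : where.keySet()) {
            if (cond.length() > 0) {
                cond.append(" AND ");
            }
            cond.append(checkIdentifier(column)).append(" = ?");
        }
        return "SELECT * FROM " + checkIdentifier(table) + (cond.length() > 0 ? " WHERE " + cond : "");
    }

    /** Executes the insert; the application's data reaches the database only through binding. */
    static int insert(Connection con, String table, Map<String, Object> columns) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(buildInsert(table, columns))) {
            int index = 1;
            for (Object value : columns.values()) {
                ps.setObject(index++, value);
            }
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed entity mapping standing in for a Pojo's mapped fields (insertion order kept).
        Map<String, Object> order = new LinkedHashMap<>();
        order.put("ORDER_ID", 4711);
        order.put("CUSTOMER", "O'Brien");   // the quote is harmless: it is bound, not concatenated
        System.out.println(buildInsert("ORDERS", order));
        System.out.println(buildSelect("ORDERS", Map.of("ORDER_ID", 4711)));
    }
}
```

The identifier check is the one place where text still enters the SQL string, which is why it is restricted to a fixed pattern even though the names originate from the mapping and not from user input; everything else is a bound parameter and cannot change the statement's structure.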