forked from finos/symphony-wdk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.semgrepignore
36 lines (31 loc) · 2.26 KB
/
.semgrepignore
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# java.lang.security.audit.unsafe-reflection.unsafe-reflection
# If an attacker can supply values that the application then uses to determine which class to
# instantiate or which method to invoke, the potential exists for the attacker to create
# control flow paths through the application that were not intended by the application
# developers. This attack vector may allow the attacker to bypass authentication or access
# control checks or otherwise cause the application to behave in an unexpected manner.
# Details: https://sg.run/R8X8
# 90┆ Class<?> implClass = Class.forName((String) execution.getVariable(EXECUTOR));
# ⋮┆----------------------------------------
# 110┆ (BaseActivity) OBJECT_MAPPER.readValue(activityAsJsonString, Class.forName(type.getTypeName()));
# these class values is not supplied by user, they are predefined by the application, therefore ignore it (at least for now).
workflow-bot-app/src/main/java/com/symphony/bdk/workflow/engine/camunda/CamundaExecutor.java
# 62┆ return BaseActivity.class.isAssignableFrom(Class.forName(arg.getTypeName()));
# ⋮┆----------------------------------------
# 69┆ return (Class<? extends BaseActivity>) Class.forName(activityType.getTypeName());
workflow-bot-app/src/main/java/com/symphony/bdk/workflow/swadl/ActivityRegistry.java
#
# 74┆ Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER);
# ⋮┆----------------------------------------
# 75┆ cipher.init(Cipher.ENCRYPT_MODE, cryptVersion.key, new
# GCMParameterSpec(ALGORITHM_TAG_SIZE, nonce));
# ⋮┆----------------------------------------
# 102┆ Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER);
# ⋮┆----------------------------------------
# 103┆ cipher.init(Cipher.DECRYPT_MODE, cryptVersion.key, new
# GCMParameterSpec(ALGORITHM_TAG_SIZE, nonce));
#
# please check that IV/nonce is not reused, an Initialization Vector (IV) is a
# nonce used to randomize the encryption, so that even if multiple messages with identical
# plaintext are encrypted, the generated corresponding ciphertexts are different
workflow-bot-app/src/main/java/com/symphony/bdk/workflow/engine/secret/SecretCryptVault.java