From 7882b9fdb8436ae2cd0553104282cba968e02bb4 Mon Sep 17 00:00:00 2001
From: Mathieu Suen
Date: Fri, 22 Jul 2022 14:18:39 +0200
Subject: [PATCH] SONAR-16598 Update education principles

---
 .../src/main/js/api/mocks/CodingRulesMock.ts  |  2 +-
 .../rules/MoreInfoRuleDescription.tsx          |  4 ++--
 .../educationPrinciples/DefenseInDepth.tsx     |  6 ++---
 ...tPrinciple.tsx => NeverTrustUserInput.tsx} | 23 +++++++++++--------
 4 files changed, 19 insertions(+), 16 deletions(-)
 rename server/sonar-web/src/main/js/components/rules/educationPrinciples/{LeastTrustPrinciple.tsx => NeverTrustUserInput.tsx} (58%)

diff --git a/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts b/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
index 0f6d6af4791..8756329b36d 100644
--- a/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
+++ b/server/sonar-web/src/main/js/api/mocks/CodingRulesMock.ts
@@ -171,7 +171,7 @@ export default class CodingRulesMock {
           content: resourceContent
         }
       ],
-      educationPrinciples: ['defense_in_depth', 'least_trust_principle']
+      educationPrinciples: ['defense_in_depth', 'never_trust_user_input']
     })
   ];
diff --git a/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx b/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
index 306eb9f2dff..ef9cc3b4b3c 100644
--- a/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
+++ b/server/sonar-web/src/main/js/components/rules/MoreInfoRuleDescription.tsx
@@ -24,7 +24,7 @@ import { Dict } from '../../types/types';
 import { ButtonLink } from '../controls/buttons';
 import { Alert } from '../ui/Alert';
 import DefenseInDepth from './educationPrinciples/DefenseInDepth';
-import LeastTrustPrinciple from './educationPrinciples/LeastTrustPrinciple';
+import NeverTrustUserInput from './educationPrinciples/NeverTrustUserInput';
 import RuleDescription from './RuleDescription';
 import './style.css';
@@ -37,7 +37,7 @@ interface Props {
 const EDUCATION_PRINCIPLES_MAP: Dict = {
   defense_in_depth: DefenseInDepth,
-  least_trust_principle: LeastTrustPrinciple
+  never_trust_user_input: NeverTrustUserInput
 };
 export default class MoreInfoRuleDescription extends React.PureComponent {
   handleNotificationScroll = () => {
diff --git a/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx b/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
index e338d15b045..2e228c57b5d 100644
--- a/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
+++ b/server/sonar-web/src/main/js/components/rules/educationPrinciples/DefenseInDepth.tsx
@@ -26,7 +26,7 @@ export default function DefenseInDepth() {

         Applications and infrastructure benefit greatly from relying on multiple security mechanisms layered on top of each other. If one security mechanism fails, there is a high probability
-        that the subsequent layer of security will successfully defend against the attack.
+        that the subsequent layers of security will successfully defend against the attack.

A non-exhaustive list of these code protection ramparts includes the following:

@@ -40,8 +40,8 @@ export default function DefenseInDepth() {

-        Note that these layers must be simple enough to use in an everyday workflow. Harsh security
-        measures can lead to users bypassing them.
+        Note that these layers must be simple enough to use in an everyday workflow. Security
+        measures should not break usability.

   );
diff --git a/server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx b/server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx
similarity index 58%
rename from server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx
rename to server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx
index eaa2882a12a..98c505fca41 100644
--- a/server/sonar-web/src/main/js/components/rules/educationPrinciples/LeastTrustPrinciple.tsx
+++ b/server/sonar-web/src/main/js/components/rules/educationPrinciples/NeverTrustUserInput.tsx
@@ -19,19 +19,22 @@
  */
 import * as React from 'react';
-export default function LeastTrustPrinciple() {
+export default function NeverTrustUserInput() {
   return (
     <>
-
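Review bot: The rewritten closing sentence in the `@@ -40,8 +40,8 @@` hunk of DefenseInDepth.tsx, `measures should not break usability.`, states the rule but no longer tells the reader why it matters, and the reason is the part of that paragraph an education page most needs. Consider `Security measures should not break usability; when they do, users tend to work around them.` so the guidance still names the risk it protects against. The DefenseInDepth function starts before this hunk.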

Least Trust Principle

-

Applications must treat all third-party data as attacker-controlled data.

+

Never Trust User Input

-        First, the application must determine where the third-party data originates and treat that
-        data source as an attack vector.
+        Applications must treat all user input and, more generally, all third-party data as
+        attacker-controlled data.
+

+

+        The application must determine where the third-party data comes from and treat that data
+        source as an attack vector. Two rules apply:

-        Then, the application must validate the attacker-controlled data against predefined formats,
-        such as:
+        First, before using it in the application's business logic, the application must
+        validate the attacker-controlled data against predefined formats, such as:

  • Character sets
  •
@@ -41,9 +44,9 @@ export default function LeastTrustPrinciple() {

-        Next, the code must sanitize the data before performing mission-critical operations on the
-        attacker-controlled data. The code must know in which contexts the intercepted data is used
-        and act accordingly.
+        Second, the application must sanitize string data before inserting it into interpreted
+        contexts (client-side code, file paths, SQL queries). Unsanitized code can corrupt the
+        application's logic.

   );
-- 
2.39.5
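Review bot: The new closing sentence of the `@@ -41,9 +44,9 @@` hunk, `Unsanitized code can corrupt the application's logic.`, says "code" where the sentence before it is about data, and "sanitize" understates the advice for two of the three contexts listed: for SQL queries the established guidance is parameterized queries rather than cleaning strings, and for client-side code it is context-aware output encoding. Suggested wording for the paragraph: `Second, the application must sanitize or encode string data for the specific context it is inserted into (client-side code, file paths, SQL queries), preferring safe APIs such as parameterized queries where they exist. Unsanitized data can corrupt the application's logic.` The NeverTrustUserInput function starts before this hunk.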