|
| 1 | +--- |
| 2 | +description: Enforces security best practices for Java applications built with Spring by addressing common vulnerabilities. |
| 3 | +globs: **/*.java, **/*.xml, **/*.properties, **/*.yml |
| 4 | +alwaysApply: false |
| 5 | +--- |
| 6 | +- As a security-aware developer, generate secure Java code using Spring that inherently prevents top security weaknesses. |
| 7 | +- Focus on making the implementation inherently safe rather than merely renaming methods with "secure_" prefixes. |
| 8 | +- Use inline comments to clearly highlight critical security controls, implemented measures, and any security assumptions made in the code. |
| 9 | +- Adhere strictly to best practices from OWASP, with particular consideration for the OWASP ASVS guidelines. |
| 10 | +- **Avoid Slopsquatting**: Be careful when referencing or importing packages. Do not guess if a package exists. Comment on any low reputation or uncommon packages you have included. |
| 11 | + |
| 12 | +### Memory Safety |
| 13 | +**Summary:** Java is a memory-safe language, which generally prevents common memory corruption vulnerabilities such as buffer overflows and use-after-free errors. |
| 14 | +**Mitigation Rule:** Since Java is memory-safe, explicit memory management considerations typically found in languages like C/C++ are not directly applicable; focus instead on other CWEs. |
| 15 | + |
| 16 | +### CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| 17 | +**Summary:** An attacker can modify or extend the original SQL query through untrusted input, leading to unauthorized data access, modification, or destruction. |
| 18 | +**Mitigation Rule:** Always use `PreparedStatement` with parameterized queries for all database interactions and never concatenate user-supplied input directly into SQL queries. Leverage Spring Data JPA or Spring's `JdbcTemplate` which internally handle parameterization correctly. |
| 19 | + |
| 20 | +### CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| 21 | +**Summary:** Untrusted data is incorporated into a web page without proper neutralization, allowing an attacker to execute arbitrary client-side scripts in a victim's browser. |
| 22 | +**Mitigation Rule:** Ensure all untrusted input rendered in HTML contexts is properly HTML-escaped on the server-side before being sent to the browser. Utilize templating engines like Thymeleaf or JSTL with their auto-escaping features enabled by default, or explicitly use libraries like OWASP Java Encoder for manual encoding. |
| 23 | + |
| 24 | +### CWE-284: Improper Access Control |
| 25 | +**Summary:** An application fails to properly restrict access to a resource from an unauthorized actor, allowing them to perform actions they are not permitted to. |
| 26 | +**Mitigation Rule:** Implement a robust authorization mechanism using Spring Security's `@PreAuthorize` and `@PostAuthorize` annotations or Method Security Expressions to enforce access controls on all sensitive endpoints and methods. Employ a "deny by default" policy for access and explicitly define permitted roles or permissions. |
| 27 | + |
| 28 | +### CWE-502: Deserialization of Untrusted Data |
| 29 | +**Summary:** Deserializing attacker-controlled data can lead to remote code execution, denial of service, or other malicious actions. |
| 30 | +**Mitigation Rule:** Avoid deserializing untrusted or unauthenticated data from external sources. If deserialization is unavoidable, implement strict type filtering (whitelisting allowed classes), disable dangerous gadget classes, or use a secure deserialization format like JSON (with Jackson configured securely) instead of native Java serialization. |
| 31 | + |
| 32 | +### CWE-611: Improper Restriction of XML External Entity Reference |
| 33 | +**Summary:** An XML parser processes external entity references from an untrusted XML input, potentially leading to information disclosure, server-side request forgery, or denial of service. |
| 34 | +**Mitigation Rule:** Disable DTDs and external entity processing for all XML parsers (e.g., SAX, DOM, StAX, JAXB) when processing untrusted XML input. Specifically set features like `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` and `XMLInputFactory.SUPPORT_DTD` to `false`. |
| 35 | + |
| 36 | +### CWE-798: Use of Hard-coded Credentials |
| 37 | +**Summary:** Sensitive authentication credentials or cryptographic keys are directly embedded within the source code, making them easily discoverable and exploitable. |
| 38 | +**Mitigation Rule:** Never hardcode secrets or credentials directly in source code. Externalize all sensitive configuration using Spring Boot's externalized configuration capabilities (e.g., `application.properties`, `application.yml`), environment variables, or a dedicated secrets management solution such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. |
| 39 | + |
| 40 | +### CWE-20: Improper Input Validation |
| 41 | +**Summary:** The application does not properly validate user input, allowing malicious data to be processed which can lead to various downstream vulnerabilities. |
| 42 | +**Mitigation Rule:** Implement comprehensive server-side input validation for all user-supplied data, including format, type, length, range, and acceptable characters. Utilize Spring's `@Valid` annotation with JSR 303/380 (Bean Validation API) and custom validators, preferring an allow-list validation approach over a block-list approach. |
0 commit comments