Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

Java detectors (132/132)

Reflected cross site scripting Mandatory method not called after object creation Process empty record list in Amazon KCL AWS object presence check Missing timeout check on CountDownLatch.await Unspecified default value Device Permission Usage.Deserialization of untrusted object Preserve thread interruption status rule Missing check on the value returned by moveToFirst API Missing timeout check on ExecutorService.awaitTermination Overflow when deserializing relational database objects Custom manual retries of AWS SDK calls Missing null check for cache response metadata Inefficient usage of Transaction library from AWS Labs Insecure connection using unencrypted protocol Inefficient additional authenticated data (AAD) authenticity Use of a deprecated method Error-prone AWS IAM policy creation Use of externally-controlled input to build connection string Inefficient Amazon S3 manual pagination Mutually exclusive call AWS Lambda client not reused Missing check on the result of createNewFile Sensitive data stored unencrypted due to partial encryption Missing statement to record cause of InvocationTargetException Misconfigured Concurrency Inefficient polling of AWS resource Improper Initialization Unexpected re-assignment of synchronized objects XPath injection AWS client not reused in a Lambda function Long polling is not enabled in Amazon SQS Insecure temporary file or directory HTTP response splitting Input and output values become out of sync Server-side request forgery Missing Authorization for address id Do not catch and throw exception Concurrency deadlock Not recommended aws credentials classes Path traversal Override of reserved variable names in a Lambda function Missing byte array length of JSON parser Usage of an API that is not recommended Hardcoded credentials Insecure JSON web token (JWT) parsing Not calling finalize causes skipped cleanup steps Unchecked S3 object metadata content length Untrusted data in security decision Permissive cors configuration rule Insecure cookie Resource leak XML External Entity Bad parameters used with AWS API methods Missing position check before getting substring LDAP injection Avoid reset exception in Amazon S3 Insecure hashing Backward compatibility breaks with error message parsing Inefficient map entry iteration Missing S3 bucket owner condition AWS DynamoDB getItem output is not null checked Invalid public method parameters Log injection Sensitive information leak Usage of multiple date time pattern formatter Synchronous publication of AWS Lambda metrics XML External Entity Document Builder Factory Improper use of classes that aren't thread-safe Incorrect null check before setting a value Insufficient use of name in Amazon SQS queue Missing check on the value returned by ResultSet.next Insecure TLS version Unsanitized input is run as code Use an enum to specify an AWS Region Improperly formatted string arguments Improper service shutdown Unrestricted upload of dangerous file type Untrusted AMI images Insecure SAML parser configuration Cross-site request forgery Case sensitive keys in S3 object user metadata Stack trace not included in re-thrown exception Region specification missing from AWS client initialization Insufficient number of PBEKeySpec iterations URL redirection to untrusted site Use of externally-controlled input to select classes or code Missing encryption of sensitive data in storage Ignored output of DynamoDBMapper operations Null pointer dereference Cross-site scripting Unauthenticated LDAP requests Use of inefficient APIs Low maintainability with old Android features Atomicity violation Missing handling of specifically-thrown exceptions Weak obfuscation of web request Clear text credentials Session fixation Catching and not re-throwing or logging exceptions Missing check when launching an Android activity with an implicit intent Client constructor deprecation Inefficient use of stream sorting Arithmetic overflow or underflow Simplifiable code Loose file permissions Manual pagination Incorrect string equality operator Inefficient chain of AWS API calls OS command injection Internationalization Code clone SQL injection Missing check on method output Missing pagination Resources used by an Amazon S3 TransferManager are not released Insecure cryptography Missing timezone of SimpleDateFormat Low maintainability with low class cohesion Oversynchronization Infinite loop Batch operations preferred over looping Object Input Stream Insecure Deserialization Weak pseudorandom number generation Insecure CORS policy Missing handling of file deletion result Amazon SQS message visibility changed without a status check State machine execution ARN is not logged Client-side KMS reencryption Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny Batch request with unchecked failures

Error-prone AWS IAM policy creation Low

Creating an IAM policy manually via string manipulation is error-prone. Create IAM policies using the Policy class in the AWS IAM SDK.

Detector ID

java/aws-iam-error-prone-policy@v1.0

Category

Common Weakness Enumeration (CWE)

Tags

# access-control # aws-java-sdk # aws-iam # consistency # maintainability # owasp-top10

Noncompliant example

1public void iamPolicyNoncompliant(final String roleName, String userArn) {
2    final AmazonIdentityManagement iamClient = AmazonIdentityManagementClientBuilder.standard().withRegion(Regions.US_EAST_1).build();
3    String policyDocument = "{\n" +
4            " \"Version\": \"2012-10-17\",\n" +
5            "  \"Statement\": [\n" +
6            "   {\n" +
7            "      \"Effect\": \"Allow\",\n" +
8            "      \"Principal\": {\n" +
9            "        \"AWS\": \"" + userArn + "\"\n" +
10            "      },\n" +
11            "      \"Action\": \"sts:AssumeRole\"\n" +
12            "    }\n" +
13            "  ]\n" +
14            "}";
15    final CreateRoleRequest createRoleRequest = new CreateRoleRequest();
16    // Noncompliant: creates an IAM role/policy manually.
17    createRoleRequest.withPath("path").withRoleName(roleName).withAssumeRolePolicyDocument(policyDocument);
18    iamClient.createRole(createRoleRequest);
19}

Compliant example

1public void iamPolicyCompliant(final String roleName) throws UnsupportedEncodingException {
2    final AmazonIdentityManagement iamClient = AmazonIdentityManagementClientBuilder.standard().withRegion(Regions.US_EAST_1).build();
3    final String policyDocument = URLDecoder.decode(iamClient.getRolePolicy(new GetRolePolicyRequest()).getPolicyDocument(), "UTF-8");
4    final CreateRoleRequest createRoleRequest = new CreateRoleRequest()
5            .withRoleName(roleName)
6            .withAssumeRolePolicyDocument(policyDocument);
7    // Compliant: creates an IAM role/policy automatically.
8    final String policyArn = iamClient.createRole(createRoleRequest).getRole().getArn();
9}