Amazon CodeGuruDetector Library Sign in to CodeGuru

CodeGuru

Detector Library

Java detectors (132/132)

Reflected cross site scripting Mandatory method not called after object creation Process empty record list in Amazon KCL AWS object presence check Missing timeout check on CountDownLatch.await Unspecified default value Device Permission Usage.Deserialization of untrusted object Preserve thread interruption status rule Missing check on the value returned by moveToFirst API Missing timeout check on ExecutorService.awaitTermination Overflow when deserializing relational database objects Custom manual retries of AWS SDK calls Missing null check for cache response metadata Inefficient usage of Transaction library from AWS Labs Insecure connection using unencrypted protocol Inefficient additional authenticated data (AAD) authenticity Use of a deprecated method Error-prone AWS IAM policy creation Use of externally-controlled input to build connection string Inefficient Amazon S3 manual pagination Mutually exclusive call AWS Lambda client not reused Missing check on the result of createNewFile Sensitive data stored unencrypted due to partial encryption Missing statement to record cause of InvocationTargetException Misconfigured Concurrency Inefficient polling of AWS resource Improper Initialization Unexpected re-assignment of synchronized objects XPath injection AWS client not reused in a Lambda function Long polling is not enabled in Amazon SQS Insecure temporary file or directory HTTP response splitting Input and output values become out of sync Server-side request forgery Missing Authorization for address id Do not catch and throw exception Concurrency deadlock Not recommended aws credentials classes Path traversal Override of reserved variable names in a Lambda function Missing byte array length of JSON parser Usage of an API that is not recommended Hardcoded credentials Insecure JSON web token (JWT) parsing Not calling finalize causes skipped cleanup steps Unchecked S3 object metadata content length Untrusted data in security decision Permissive cors configuration rule Insecure cookie Resource leak XML External Entity Bad parameters used with AWS API methods Missing position check before getting substring LDAP injection Avoid reset exception in Amazon S3 Insecure hashing Backward compatibility breaks with error message parsing Inefficient map entry iteration Missing S3 bucket owner condition AWS DynamoDB getItem output is not null checked Invalid public method parameters Log injection Sensitive information leak Usage of multiple date time pattern formatter Synchronous publication of AWS Lambda metrics XML External Entity Document Builder Factory Improper use of classes that aren't thread-safe Incorrect null check before setting a value Insufficient use of name in Amazon SQS queue Missing check on the value returned by ResultSet.next Insecure TLS version Unsanitized input is run as code Use an enum to specify an AWS Region Improperly formatted string arguments Improper service shutdown Unrestricted upload of dangerous file type Untrusted AMI images Insecure SAML parser configuration Cross-site request forgery Case sensitive keys in S3 object user metadata Stack trace not included in re-thrown exception Region specification missing from AWS client initialization Insufficient number of PBEKeySpec iterations URL redirection to untrusted site Use of externally-controlled input to select classes or code Missing encryption of sensitive data in storage Ignored output of DynamoDBMapper operations Null pointer dereference Cross-site scripting Unauthenticated LDAP requests Use of inefficient APIs Low maintainability with old Android features Atomicity violation Missing handling of specifically-thrown exceptions Weak obfuscation of web request Clear text credentials Session fixation Catching and not re-throwing or logging exceptions Missing check when launching an Android activity with an implicit intent Client constructor deprecation Inefficient use of stream sorting Arithmetic overflow or underflow Simplifiable code Loose file permissions Manual pagination Incorrect string equality operator Inefficient chain of AWS API calls OS command injection Internationalization Code clone SQL injection Missing check on method output Missing pagination Resources used by an Amazon S3 TransferManager are not released Insecure cryptography Missing timezone of SimpleDateFormat Low maintainability with low class cohesion Oversynchronization Infinite loop Batch operations preferred over looping Object Input Stream Insecure Deserialization Weak pseudorandom number generation Insecure CORS policy Missing handling of file deletion result Amazon SQS message visibility changed without a status check State machine execution ARN is not logged Client-side KMS reencryption Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny Batch request with unchecked failures

Tag: top25-cwes

Deserialization of untrusted object

Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.

Overflow when deserializing relational database objects

Deserializing objects from relational databases should allocate a 64-bit, not 32-bit, type for the auto-incremented identifier.

Server-side request forgery

Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

Hardcoded credentials

Hardcoded credentials can be intercepted by malicious actors.

Resource leak

Allocated resources are not released properly.

XML External Entity

Objects that parse or handle XML can lead to XML External Entity (XXE) attacks when misconfigured.

Invalid public method parameters

Public method parameters should be validated for nullness, unexpected values, and malicious values.

Sensitive information leak

Sensitive information should not be exposed through log files or stack traces.

XML External Entity Document Builder Factory

Objects that parse or handle XML in XML document can lead to XML External Entity (XXE) attacks when misconfigured.

Unsanitized input is run as code

Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.

Unrestricted upload of dangerous file type

Insufficiently restrictive file uploads can lead to inadvertently running malicious code.

Insecure SAML parser configuration

Comment parsing for OpenSAML2 might enable an attacker to bypass authentication.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.

URL redirection to untrusted site

User-controlled input that specifies a link to an external site could lead to phishing attacks and allow user credentials to be stolen.

Use of externally-controlled input to select classes or code

Use of unsanitized external input in reflection can allow attackers to bypass security checks and run malicious code.

Null pointer dereference

Dereferencing a null pointer can lead to unexpected null pointer exceptions.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

Weak obfuscation of web request

Weak obfuscation while configuring a web request

Arithmetic overflow or underflow

Use numeric types that are large enough to hold the result of arithmetic operations.

Loose file permissions

Weak file permissions can lead to privilege escalation.

OS command injection

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.

SQL injection

Use of untrusted inputs in SQL database query can enable attackers to read, modify, or delete sensitive data in the database