OWASP / www-project-csrfguard

The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens
https://owasp.org/www-project-csrfguard/
BSD 3-Clause "New" or "Revised" License

Removing execCommand from ConfigPropertiesCascadeCommonUtils #1

Closed ayomawdb closed 4 years ago

ayomawdb commented 4 years ago

It seems like there is no practical usage of the execCommand method available in [1]. Please correct me if I'm wrong here. It seems that the function is not used anywhere in the code.

If there is no use of it, I'd love to help clean up ConfigPropertiesCascadeCommonUtils. This can have unnecessary security complications since it's a public static method, and we have some commercial security scanners complaining about it already.

[1] https://github.com/OWASP/www-project-csrfguard/blob/2fb2f9c78df6a3572c525d3b47410ad1c70856aa/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java#L8921
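Before deleting a helper like this, a maintainer wants evidence that nothing in the tree references it, beyond a single grep glance. The script below is an added example for this thread, not CSRFGuard project code: it scans a Java source tree for a `public static` declaration of a named method and for call sites of that method outside comment lines, then reports whether the method is declared but never referenced. The source tree it scans is constructed inline (file names, package and the body of the stand-in `execCommand` are made up for the demo), so it runs offline; the comment-skipping is a line-level heuristic, not a Java parser.

```python
"""Audit a Java source tree for a public static method that nothing calls.

Added example for this issue thread; not CSRFGuard code. The sample tree
below is constructed for the demo, so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# Constructed stand-in sources: the helper's body and the Loader class are made up.
SAMPLE_TREE = {
    'utils/ConfigPropertiesCascadeCommonUtils.java': """
package demo;
public class ConfigPropertiesCascadeCommonUtils {
    // constructed stand-in for the helper the issue discusses; body is made up
    public static String execCommand(String[] cmd) {
        return String.join(" ", cmd);
    }
    public static String trim(String s) { return s.trim(); }
}
""",
    'config/Loader.java': """
package demo;
public class Loader {
    // trim() is referenced below, execCommand() is not
    String load(String s) { return ConfigPropertiesCascadeCommonUtils.trim(s); }
    // execCommand(...) mentioned only in a comment does not count as a reference
}
""",
}


def find_unreferenced_public_static(root: Path, method: str) -> dict:
    """Return where `method` is declared as public static and where it is called.

    A line is a declaration if it matches `public static ... method(`; any other
    non-comment line containing `method(` counts as a reference. Lines whose
    stripped text starts with a comment marker are skipped (heuristic).
    """
    decl_re = re.compile(r'\bpublic\s+static\b[^;{]*?\b' + re.escape(method) + r'\s*\(')
    call_re = re.compile(r'\b' + re.escape(method) + r'\s*\(')
    declarations, references = [], []
    for path in sorted(root.rglob('*.java')):
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(path.read_text(encoding='utf-8').splitlines(), 1):
            stripped = line.strip()
            if stripped.startswith(('//', '/*', '*')):
                continue  # comment-line heuristic
            where = f'{rel}:{lineno}'
            if decl_re.search(line):
                declarations.append(where)
            elif call_re.search(line):
                references.append(where)
    return {
        'method': method,
        'declarations': declarations,
        'references': references,
        # Only a method that exists and has no call site is a removal candidate.
        'safe_to_remove': bool(declarations) and not references,
    }


def build_sample_tree() -> Path:
    """Write the constructed sources into a fresh temp directory and return it."""
    root = Path(tempfile.mkdtemp(prefix='csrfguard-audit-'))
    for rel, src in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(src, encoding='utf-8')
    return root


def audit_sample(method: str = 'execCommand') -> dict:
    """Run the audit against the constructed tree for one method name."""
    return find_unreferenced_public_static(build_sample_tree(), method)


if __name__ == '__main__':
    for name in ('execCommand', 'trim'):
        r = audit_sample(name)
        print(f"{name}: declared at {r['declarations']}, referenced at {r['references']}, "
              f"safe_to_remove={r['safe_to_remove']}")
```

Run against a real checkout, replace `build_sample_tree()` with the path to the `csrfguard/src` directory; a declared method with an empty reference list is the case the issue describes, while a non-empty reference list means the cleanup needs the callers changed first. Reflection-based or configuration-driven invocations are not visible to this text scan, which is why the result is evidence for a review, not a substitute for one.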

aramrami commented 4 years ago

Hi Ayoma, Yes please proceed to this change and submit a push request. Regards, Azzeddine

On Thu, 16 Jan 2020 at 05:18, Ayoma Wijethunga notifications@github.com wrote:

Is there a practical usage of the execCommand method available in [1]? It seems that the function is not used anywhere in the code. If there is no use of it, I'd love to help clean up ConfigPropertiesCascadeCommonUtils. This can have unnecessary security complications since it's a public static method, and we have some commercial security scanners complaining about it already.

[1] https://github.com/OWASP/www-project-csrfguard/blob/2fb2f9c78df6a3572c525d3b47410ad1c70856aa/csrfguard/src/main/java/org/owasp/csrfguard/config/overlay/ConfigPropertiesCascadeCommonUtils.java#L8921


-- Regards,

Azzedine Ramrami

OWASP Morocco Chapter

OWASP AppSec Africa President

IBM Security - Senior Security & Network Architect Data & Application Security, Cognitive Security, IoT/OT/ICS/SCADA Security & SIEM Certified Mile2 CPTE/CPTC/CDFE/CSWAE and EC-Council C|EH OWASP Morocco Leader/OWASP AppSec Africa President IBM Security Global Speaker


forgedhallpass commented 3 years ago

Related issue: https://github.com/OWASP/www-project-csrfguard/issues/25