The String.format method and related methods, such as PrintStream.printf and Formatter.format, all accept a format string whose inline format specifiers (for example %s or %d) control how the trailing arguments of the call are formatted. If that format string comes from an untrusted source, the caller no longer controls which arguments are rendered: an attacker can pull any trailing argument into the output with %s or an explicit argument index such as %2$s, or supply a malformed specifier that throws an unchecked IllegalFormatException. User input should therefore only ever be passed as a format argument, never as the format string itself.

Other CodeQL queries for Java:

- TrustManager that accepts all certificates
- XSLT transformation with user-controlled stylesheet
- Whitespace contradicts operator precedence
- Using a static initialization vector for encryption
- User-controlled data used in permissions check
- User-controlled data in arithmetic expression
- User-controlled bypass of sensitive method
- Use of externally-controlled format string
- Use of a predictable seed in a secure random number generator
- Use of a potentially dangerous function
- Use of a potentially broken or risky cryptographic algorithm
- Use of a cryptographic algorithm with insufficient key size
- Use of a broken or risky cryptographic algorithm
- Unsafe resource fetching in Android WebView
- Uncontrolled data used in path expression
- Uncontrolled data used in content resolution
- Uncontrolled data in arithmetic expression
- Type mismatch on container modification
- Time-of-check time-of-use race condition
- Synchronization on boxed types or strings
- Serialization methods do not match required signature
- Serializable inner class of non-serializable class
- Result of multiplication cast to wider type
- Resolving XML external entity in user-controlled data
- ReadResolve must have Object return type, not void
- Race condition in socket authentication
- Race condition in double-checked locking object initialization
- Query built from user-controlled sources
- Query built by concatenation with a possibly-untrusted string
- Polynomial regular expression used on uncontrolled data
- Partial path traversal vulnerability from remote
- Overly permissive regular expression range
- OGNL Expression Language statement with user-controlled input
- Non-synchronized override of synchronized method
- Non-final method invocation in constructor
- Missing read or write permission in a content provider
- Local information disclosure in a temporary directory
- Leaking sensitive information through an implicit Intent
- Leaking sensitive information through a ResultReceiver
- LDAP query built from user-controlled sources
- Insertion of sensitive information into log files
- Information exposure through a stack trace
- Incorrect absolute value of random number
- Inconsistent synchronization of getter and setter
- Inconsistent synchronization for writeObject()
- Improper verification of intent by broadcast receiver
- Improper validation of user-provided size used for array construction
- Improper validation of user-provided array index
- Implicit narrowing conversion in compound assignment
- Implicit conversion from array to string
- Hashed value without hashCode definition
- Failure to use HTTPS or SFTP URL in Maven artifact upload/download
- Externalizable but no public no-argument constructor
- Expression always evaluates to the same value
- Executing a command with a relative path
- Equals method does not inspect argument type
- Double-checked locking is not thread-safe
- Detect JHipster Generator Vulnerability CVE-2019-16303
- Deserialization of user-controlled data
- Deprecated method or constructor invocation
- Depending upon JCenter/Bintray as an artifact repository
- Continue statement that does not continue
- Container contents are never initialized
- Confusing non-overriding of package-private method
- Confusing method names because of capitalization
- Comparison of narrow type with wide type in loop condition
- Cleartext storage of sensitive information using a local database on Android
- Cleartext storage of sensitive information using SharedPreferences on Android
- Cleartext storage of sensitive information using 'Properties' class
- Cleartext storage of sensitive information in the Android filesystem
- Cleartext storage of sensitive information in cookie
- Character passed to StringBuffer or StringBuilder constructor
- Cast from abstract to concrete collection
- Building a command line with string concatenation
- Arbitrary file write during archive extraction ("Zip Slip")
- Android fragment injection in PreferenceActivity
- Android WebView that accepts all certificates
- Android WebView settings allows access to content links
- Access Java object methods through JavaScript exposure
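Returning to the String.format point at the top of the page: the following is an added example, not code from the original page or from the CodeQL documentation it quotes. It places the vulnerable pattern (user input used as the format string) beside the fixed one (user input passed only as a format argument). The class name FormatStringDemo, the two greet methods, the attacker probe strings and the SESSION_TOKEN value are all invented for the demonstration; the token stands in for any sensitive value that happens to be among the trailing arguments.

```java
import java.util.IllegalFormatException;

// Added example, not part of the original page: externally controlled
// format strings in Java and the fix.
public class FormatStringDemo {

    // Constructed sample value standing in for a secret that happens to be
    // passed as a trailing argument to String.format.
    private static final String SESSION_TOKEN = "tok-CONSTRUCTED-SAMPLE";

    // VULNERABLE: caller-supplied text becomes (part of) the format string.
    // The attacker now decides which trailing arguments are rendered, and a
    // malformed specifier throws an unchecked IllegalFormatException.
    static String greetUnsafe(String userSupplied) {
        return String.format(userSupplied + ", welcome!", "alice", SESSION_TOKEN);
    }

    // FIXED: the format string is a literal under the programmer's control;
    // the user input is only ever a format argument and is rendered verbatim.
    static String greetSafe(String userSupplied) {
        return String.format("%s, welcome!", userSupplied);
    }

    public static void main(String[] args) {
        // Constructed attacker input: "%2$s" uses an explicit argument index
        // to select the second trailing argument, which here is the token.
        String probe = "%2$s";
        System.out.println("unsafe: " + greetUnsafe(probe));

        // Constructed attacker input: "%q" is not a valid conversion, so the
        // unsafe variant throws UnknownFormatConversionException at runtime.
        try {
            greetUnsafe("%q");
        } catch (IllegalFormatException e) {
            System.out.println("unsafe threw: " + e.getClass().getSimpleName());
        }

        // The safe variant prints both probes literally and never throws.
        System.out.println("safe: " + greetSafe(probe));
        System.out.println("safe: " + greetSafe("%q"));
    }
}
```

Compile and run with `javac FormatStringDemo.java && java FormatStringDemo`: the unsafe variant echoes the token for the `%2$s` probe and throws for `%q`, while the safe variant prints `%2$s` and `%q` as plain text. The same rule applies to printf, Formatter.format and any logging or messaging API that takes a format string: concatenating untrusted input into the format string is the defect, and moving that input into the argument list is the fix.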