Release Notes - 1.0

1.0.5-funcrel

Other Updates

Details
Updated an internal library to improve resolution and to provide compatibility with Python 3.9 on Linux.

1.0.4-funcrel

Other Updates

Details
Parsing improvement to fix an issue causing the error "AttributeError: 'Bracket' object has no attribute 'get_name'".

1.0.3-funcrel

Other Updates

Details
A minor update: this extension now generates a new "BlackboxPaths.config" file, used to modify "ServiceEntryPoints.blackbox.xml" at application level when necessary.

1.0.2-funcrel

Other Updates

Details
This extension now generates a new "ServiceEntryPoints.blackbox-v2.xml" file containing additional data to enrich and improve the results of the com.castsoftware.securityanalyzer extension (≥ 1.0.10-funcrel). See https://doc.castsoftware.com/display/TECHNOS/Direct+Web+Remoting+-+1.0#DirectWebRemoting1.0-SupportforUserInputSecurity.

1.0.1-funcrel

Note

In this release, a change has been made to trigger a different set of rules during a Security Analyzer analysis than was previously the case. The list of changes can be found in the "Rules" section below. This change will occur when using this release of the DWR extension (or newer), AIP Core >= 8.3.27 and when a Security Analyzer analysis is enabled. As such, your Security Analyzer results may be impacted.

Rules

Rule Id | New Rule | Details
8482 | FALSE | For AIP >= 8.3.27, the rule "Avoid cross-site scripting through API requests" is enabled for input received in REST API exposed, instead of "Avoid cross-site scripting" previously.
8484 | FALSE | For AIP >= 8.3.27, the rule "Avoid HTTP response splitting through API requests" is enabled for input received in REST API exposed, instead of "Avoid HTTP response splitting" previously.
8486 | FALSE | For AIP >= 8.3.27, the rule "Avoid resource injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid resource injection" previously.
8488 | FALSE | For AIP >= 8.3.27, the rule "Avoid resource URL manipulation through API requests" is enabled for input received in REST API exposed, instead of "Avoid resource URL manipulation" previously.
8492 | FALSE | For AIP >= 8.3.27, the rule "Avoid LDAP injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid LDAP injection" previously.
8494 | FALSE | For AIP >= 8.3.27, the rule "Avoid OS command injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid OS command injection" previously.
8496 | FALSE | For AIP >= 8.3.27, the rule "Avoid process control through API requests" is enabled for input received in REST API exposed, instead of "Avoid process control" previously.
8498 | FALSE | For AIP >= 8.3.27, the rule "Avoid thread injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid thread injection" previously.
8500 | FALSE | For AIP >= 8.3.27, the rule "Avoid code injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid code injection" previously.
8502 | FALSE | For AIP >= 8.3.27, the rule "Avoid reflection injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid reflection injection" previously.
8504 | FALSE | For AIP >= 8.3.27, the rule "Avoid XPath injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid XPath injection" previously.
8506 | FALSE | For AIP >= 8.3.27, the rule "Avoid file path manipulation through API requests" is enabled for input received in REST API exposed, instead of "Avoid file path manipulation" previously.
8508 | FALSE | For AIP >= 8.3.27, the rule "Avoid log forging through API requests" is enabled for input received in REST API exposed, instead of "Avoid log forging" previously.
8510 | FALSE | For AIP >= 8.3.27, the rule "Avoid uncontrolled format string through API requests" is enabled for input received in REST API exposed, instead of "Avoid uncontrolled format" previously.
8512 | FALSE | For AIP >= 8.3.27, the rule "Avoid mixing trusted and untrusted data in HTTP requests through API requests" is enabled for input received in REST API exposed, instead of "Avoid mixing trusted and untrusted data in HTTP requests" previously.
8514 | FALSE | For AIP >= 8.3.27, the rule "Avoid NoSQL injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid NoSQL injection" previously.
8516 | FALSE | For AIP >= 8.3.27, the rule "Avoid URL redirection to untrusted site through API requests" is enabled for input received in REST API exposed, instead of "Avoid URL redirection to untrusted site" previously.
8522 | FALSE | For AIP >= 8.3.27, the rule "Avoid regular expression injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid regular expression injection" previously.
8528 | FALSE | For AIP >= 8.3.27, the rule "Avoid deserialization injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid deserialization injection" previously.
8534 | FALSE | For AIP >= 8.3.27, the rule "Avoid XQuery injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid XQuery injection" previously.
8490 | FALSE | For AIP >= 8.3.27, the rule "Avoid SQL injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid SQL injection" previously.
8540 | FALSE | For AIP >= 8.3.27, the rule "Avoid expression language injection through API requests" is enabled for input received in REST API exposed, instead of "Avoid expression language injection" previously.
8562 | FALSE | For AIP >= 8.3.27, the rule "Avoid server-side request forgery through API requests" is enabled for input received in REST API exposed, instead of "Avoid server-side request forgery" previously.

1.0.0-funcrel

New Support

Summary | Details
Support DWR annotations (Java side) | Creation of DWR Method objects and links to Java methods annotated with @RemoteMethod.
Support DWR complex XML binding (Java side) | Creation of DWR Method objects and links to exposed methods based on XML configuration files.
Collect DWR function calls from complex XML binding (JavaScript side) | Creation of DWR CallTo Method objects and links from JavaScript containing a call to a DWR function exposed via XML configuration files.
Collect DWR function calls with header script generated by DWR (JavaScript side) | Creation of DWR CallTo Method objects and links from JavaScript containing a call to a DWR function exposed via a header script statement.

1.0.0-beta1

Note

Initial release of this extension.

New Support

Summary | Details
Support Direct Web Remoting framework (backend) | Creation of new objects "A DWR service method" via an exposed method in Java and the dwr.xml configuration file.
Support Direct Web Remoting framework (frontend) | Creation of new objects "Call to a DWR service method" via a JavaScript (*.js or *.jsp) function call and the dwr.xml configuration file.
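The backend support described here and the "complex XML binding" support in 1.0.0-funcrel both rest on the same idea: every method that dwr.xml remotes to the browser is an input entry point, which is why the rules above treat it like REST API input. The script below is an added example, not code from the CAST extension, that builds that inventory from a dwr.xml file using the standard DWR allow/create/include/exclude elements. The dwr.xml content, class names and proxy names in it are constructed for the example; the exposure rule it encodes (an include list restricts remoting to the listed methods, otherwise all public methods are remoted minus the excludes) is DWR's documented behaviour.

```python
"""List the entry points a dwr.xml file exposes to browser-side JavaScript.

Added example, not part of the CAST DWR extension. It mirrors the mapping the
release notes describe (DWR Method objects created from XML binding) so a
reviewer can see which Java methods are reachable from the client.
"""
import xml.etree.ElementTree as ET

# Constructed sample dwr.xml (not from the page). "creator" selects how the
# bean is built, "javascript" is the proxy name the browser sees,
# <param name="class"> is the Java class, and <include>/<exclude> filter
# which methods are remoted.
SAMPLE_DWR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dwr>
  <allow>
    <create creator="new" javascript="AccountService">
      <param name="class" value="com.example.AccountService"/>
      <include method="getBalance"/>
      <include method="transfer"/>
    </create>
    <create creator="spring" javascript="ReportService">
      <param name="beanName" value="reportService"/>
      <param name="class" value="com.example.ReportService"/>
      <exclude method="resetAll"/>
    </create>
    <create creator="new" javascript="JDate">
      <param name="class" value="java.util.Date"/>
    </create>
  </allow>
</dwr>
"""


def parse_dwr_entry_points(xml_text):
    """Return one dict per <create> element describing what it exposes.

    DWR exposure rule: with at least one <include>, only the listed methods
    are remoted; with none, every public method of the class is remoted
    except those named in <exclude>. A <create> with neither is the widest
    exposure and is flagged as "unrestricted".
    """
    root = ET.fromstring(xml_text)
    entry_points = []
    for create in root.iter("create"):
        params = {p.get("name"): p.get("value") for p in create.findall("param")}
        includes = [i.get("method") for i in create.findall("include")]
        excludes = [e.get("method") for e in create.findall("exclude")]
        if includes:
            exposed = sorted(includes)
            scope = "explicit"
        else:
            exposed = ["<all public methods>"]
            scope = "all-public"
        entry_points.append({
            "javascript": create.get("javascript"),
            "creator": create.get("creator"),
            "java_class": params.get("class"),
            "bean_name": params.get("beanName"),
            "exposed_methods": exposed,
            "excluded_methods": sorted(excludes),
            "scope": scope,
            "unrestricted": scope == "all-public" and not excludes,
        })
    return entry_points


def unrestricted_proxies(entry_points):
    """Proxy names whose <create> has neither <include> nor <exclude>."""
    return [ep["javascript"] for ep in entry_points if ep["unrestricted"]]


if __name__ == "__main__":
    eps = parse_dwr_entry_points(SAMPLE_DWR_XML)
    for ep in eps:
        print(f"{ep['javascript']:14} -> {ep['java_class']} [{ep['scope']}] "
              f"methods={ep['exposed_methods']} excluded={ep['excluded_methods']}")
    print("unrestricted:", unrestricted_proxies(eps))
```

Run it against a real dwr.xml by reading the file into `parse_dwr_entry_points`; the "unrestricted" flag is the row worth reviewing first, since a class remoted without an include list exposes every public method, including any added later, as a client-reachable entry point.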