SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Java

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

  • All rules 733
  • Vulnerability60
  • Bug175
  • Security Hotspot40
  • Code Smell458

  • Quick Fix 65
Filtered: 29 rules found
injection
    Impact
      Clean code attribute
        1. Sensitive information should not be logged in production builds

           Vulnerability
        2. WebViews should not be vulnerable to cross-app scripting attacks

           Vulnerability
        3. Privileged prompts should not be vulnerable to injection attacks

           Vulnerability
        4. Server-side requests should not be vulnerable to traversing attacks

           Vulnerability
        5. Accessing files should not lead to filesystem oracle attacks

           Vulnerability
        6. Environment variables should not be defined from untrusted input

           Vulnerability
        7. XML operations should not be vulnerable to injection attacks

           Vulnerability
        8. JSON operations should not be vulnerable to injection attacks

           Vulnerability
        9. Thread suspensions should not be vulnerable to Denial of Service attacks

           Vulnerability
        10. Components should not be vulnerable to intent redirection

           Vulnerability
        11. Constructing arguments of system commands from user input is security-sensitive

           Security Hotspot
        12. Applications should not create session cookies from untrusted input

           Vulnerability
        13. Reflection should not be vulnerable to injection attacks

           Vulnerability
        14. Extracting archives should not lead to zip slip vulnerabilities

           Vulnerability
        15. OS commands should not be vulnerable to argument injection attacks

           Vulnerability
        16. Server-side templates should not be vulnerable to injection attacks

           Vulnerability
        17. Dynamic code execution should not be vulnerable to injection attacks

           Vulnerability
        18. NoSQL operations should not be vulnerable to injection attacks

           Vulnerability
        19. HTTP request redirections should not be open to forging attacks

           Vulnerability
        20. Logging should not be vulnerable to injection attacks

           Vulnerability
        21. Server-side requests should not be vulnerable to forging attacks

           Vulnerability
        22. Deserialization should not be vulnerable to injection attacks

           Vulnerability
        23. Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

           Vulnerability
        24. Database queries should not be vulnerable to injection attacks

           Vulnerability
        25. Regular expressions should not be vulnerable to Denial of Service attacks

           Vulnerability
        26. XPath expressions should not be vulnerable to injection attacks

           Vulnerability
        27. I/O function calls should not be vulnerable to path injection attacks

           Vulnerability
        28. LDAP queries should not be vulnerable to injection attacks

           Vulnerability
        29. OS commands should not be vulnerable to command injection attacks

           Vulnerability

        Components should not be vulnerable to intent redirection

        intentionality - complete
        security
        Vulnerability
        • android
        • injection

        Why is this an issue?

        How can I fix it?

        More Info

        Intent redirection vulnerabilities occur when an application publicly exposes a feature that uses an externally provided intent to start a new component.

        In that case, an application running on the same device as the affected one can launch the exposed, vulnerable component and provide it with a specially crafted intent. Depending on the application’s configuration and logic, this intent will be used in the context of the vulnerable application, which poses a security threat.

        What is the potential impact?

        An affected component that forwards a malicious externally provided intent does so using the vulnerable application’s context. In particular, the new component is created with the same permissions as the application and without limitations on what feature can be reached.

        Therefore, an attacker exploiting an intent redirection vulnerability could manage to access a private application’s components. Depending on the features privately exposed, this can lead to further exploitations, sensitive data disclosure, or even persistent code execution.

        Information disclosure

        An attacker can use the affected feature as a gateway to access other components of the vulnerable application, even if they are not exported. This includes features that handle sensitive information.

        Therefore, by crafting a malicious intent and submitting it to the vulnerable redirecting component, an attacker can retrieve most data exposed by private features. This affects the confidentiality of information that is not protected by an additional security mechanism, such as an encryption algorithm.

        Attack surface increase

        Because the attacker can access most components of the application, they can identify and exploit other vulnerabilities that would be present in them. The actual impact depends on the nested vulnerability. Exploitation probability depends on the in-depth security level of the application.

        Privilege escalation

        If the vulnerable application has privileges on the underlying devices, an attacker exploiting the redirection issue might take advantage of them. For example by crafting a malicious intent action, the attacker could be able to pass phone calls on behalf of the entitled application.

        This can lead to various attack scenarios depending on the exploited permissions.

        Persistent code execution

        A lot of applications rely on dynamic code loading to implement a variety of features, such as:

        • Minor feature updates.
        • Application package size reduction.
        • DRM or other code protection features.

        When a component exposes a dynamic code loading feature, an attacker could use it during the redirection’s exploitation to deploy malicious code into the application. The component can be located in the application itself or one of its dependencies.

        Such an attack would compromise the application execution environment entirely and lead to multiple security threats. The malicious code could:

        • Intercept and exfiltrate all data used in the application.
        • Steal authentication credentials to third-party services.
        • Change the application’s behavior to serve another malicious purpose (phishing, ransoming, etc)

        Note that in most cases, the deployed malware can persist application or hosting device restarts.

          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.3

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use