
Secure Coding

Clean As You Code

  • SonarLint plugin for your IDE: detects bugs and code smells as early as possible, while you code. You can even bind it to your organisation's quality gate rules, if any exist.
  • SonarCloud supports the Clean as You Code policy for open source projects, and it is free of cost for them.

XSS: Encode for client

  • OWASP Java Encoder encodes values for the specific client context in which they are placed, to avoid XSS attacks

  • Similar to HTML, dedicated methods are available for CSS (forCssString) and JS (forJavaScript) as well

  • Similarly, different encoding methods are available for script/style attributes (forJavaScriptAttribute, forCssString), blocks (forJavaScriptBlock) and URL components (forCssUrl, forJavaScriptSource)
    import com.fasterxml.jackson.core.JsonProcessingException;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.owasp.encoder.Encode;

    // Serialises this object as JSON for placement inside
    // <script type="application/json">${toJson()}</script> in an HTML template
    public String toJson() {
      ObjectMapper objectMapper = new ObjectMapper();
      try {
        // Encode the serialised JSON for the HTML context it is written into
        return Encode.forHtmlContent(objectMapper.writeValueAsString(this));
      } catch (JsonProcessingException ex) {
        log.error("Serialization error.", ex);
      }
      return null;
    }
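
The context-specific methods named above, rendered side by side, as an added example that is not part of the original notes. It assumes the OWASP Java Encoder library (org.owasp.encoder.Encode) on the classpath and a Java 15+ compiler for the text block; the class name and the sample value are constructed for the demo.

```java
import org.owasp.encoder.Encode;

public final class ContextualEncodingDemo {

    // Constructed sample value containing both quote styles, a tag and a script terminator
    static final String SAMPLE = "O'Neil \"Bob\" </script><b>hi</b>";

    /** Renders the same value into five contexts, each with the encoder matching that context. */
    static String render(String value) {
        return """
                <p>%s</p>
                <input value="%s">
                <script>var name = '%s';</script>
                <style>.name::after { content: '%s'; }</style>
                <a href="/search?q=%s">search</a>
                """.formatted(
                Encode.forHtmlContent(value),     // text between tags: < > & become entities
                Encode.forHtmlAttribute(value),   // quoted attribute: additionally encodes " and '
                Encode.forJavaScriptBlock(value), // JS string literal inside <script>: backslash escapes
                Encode.forCssString(value),       // CSS string literal: backslash-hex escapes
                Encode.forUriComponent(value));   // query parameter: percent-encoding
    }

    /** Context mismatch: forHtmlContent leaves quotes alone, so the ' in the value ends this attribute early. */
    static String mismatchedContext(String value) {
        return "<input value='" + Encode.forHtmlContent(value) + "'>";
    }

    /** The same attribute with the encoder that fits the context. */
    static String matchedContext(String value) {
        return "<input value='" + Encode.forHtmlAttribute(value) + "'>";
    }

    public static void main(String[] args) {
        System.out.println(render(SAMPLE));
        System.out.println(mismatchedContext(SAMPLE));
        System.out.println(matchedContext(SAMPLE));
    }
}
```

Compare the two attribute outputs: only the matched one keeps the value inside the quotes.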

Obfuscate Sensitive Information

  • Sensitive information such as usernames, passwords and one-time tokens is sometimes unknowingly written to log files, which might lead to an information leak
  • To avoid such accidental leaks, it is always recommended to obfuscate such information, either partially or completely
  • Example: overriding the default toString() to obfuscate the complete value, as follows
    record Password(String value) {
        @Override
        public String toString() {
            return "Password { 'value': '***' }";
        }
    }
  • Example: obfuscating only part of an email address (the obfuscator class follows)
    record EmailAddress(String value) {
        @Override
        public String toString() {
            return "EmailAddress {'value': '%s'}".formatted(EmailAddressObfuscator.obfuscate(value));
        }
    }


import java.util.Optional;

import org.apache.commons.lang3.StringUtils;

/**
 * Obfuscates an email address by starring the local part (username), except for the first character.
 * <p>
 * If the local part has only one character, that character is starred as well.
 * </p>
 * <p>
 * For example, the email address {@code name.surname@example.com} is obfuscated as {@code n***********@example.com}.
 * </p>
 */
public final class EmailAddressObfuscator {
    private static final String EMAIL_ADDRESS_SEPARATOR = "@";
    private static final int NO_VISIBLE_LOCAL_PART_CHARS = 1;
    private static final String MASK_CHAR = "*";

    private EmailAddressObfuscator() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }

    // Domain part: everything after the last '@'
    private static String getNonLocalPart(String emailAddress) {
        return StringUtils.substringAfterLast(emailAddress, EMAIL_ADDRESS_SEPARATOR);
    }

    // Local part: everything before the last '@'
    private static String getLocalPart(String emailAddress) {
        return StringUtils.substringBeforeLast(emailAddress, EMAIL_ADDRESS_SEPARATOR);
    }

    private static String obfuscateLocalPart(String emailAddress) {
        String localPart = getLocalPart(emailAddress);
        int length = StringUtils.length(localPart);
        // A local part no longer than the visible prefix is masked completely, as documented above
        if (length <= NO_VISIBLE_LOCAL_PART_CHARS) {
            return StringUtils.repeat(MASK_CHAR, length);
        }
        return StringUtils.substring(localPart, 0, NO_VISIBLE_LOCAL_PART_CHARS)
                + StringUtils.repeat(MASK_CHAR, length - NO_VISIBLE_LOCAL_PART_CHARS);
    }

    private static String getObfuscateValue(String emailAddress) {
        return obfuscateLocalPart(emailAddress) + EMAIL_ADDRESS_SEPARATOR + getNonLocalPart(emailAddress);
    }

    // Null or blank input yields an empty string rather than an exception
    public static String obfuscate(final String emailAddress) {
        return Optional.ofNullable(emailAddress)
                .filter(StringUtils::isNotBlank)
                .map(EmailAddressObfuscator::getObfuscateValue)
                .orElse("");
    }
}