Prevent HTTP parameter pollution

Docs > Code Analysis > Static Analysis Rules > Prevent HTTP parameter pollution

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: java-security/http-parameter-pollution

Language: Java

Severity: Warning

Category: Security

Description

Do not concatenate HTTP parameters. Instead, use a proper API to set each parameter.

Learn More

HTTP Parameter Pollution

Non-Compliant Code Examples

class Main {
    public void myMethod() {
        String input = request.getParameter("lang");
        GetMethod get = new GetMethod("https://api.endoint/path/to/api");
        get.setQueryString("param1=" + param1Value);

        if (true) {
            get.setQueryString("param1=" + param1Value);
        } else {
            get.setQueryString("param1=" + param1Value);
        }
        get.execute();
    }
}

Compliant Code Examples

class Main {
    public void myMethod() {
        URIBuilder uriBuilder = new URIBuilder("https://api.endoint/path/to/api");
        uriBuilder.addParameter("param1", param1Value);

        HttpGet httpget = new HttpGet(uriBuilder.build().toString());
    }
}