FlexPMD/language-module/ruleset/ruleset-flex-basic/src/main/resources/rulesets/flex/security.xml - flex-utilities - Git at Google

 <?xml version="1.0"?>
 <!--

   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

 -->
 <ruleset name="Security Rules"
          xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd"
          xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">

 	<description>
       The Security AS3 Ruleset contains a collection of best practices related to secure code.
     </description>

 	<rule class="org.apache.flex.pmd.rules.security.InsecureExactSettingsRule"
 		message="Security.exactSettings is set to an insecure value">
 		<description>The security.exactSettings value should remain set at the default true value. Setting this value to false could make the SWF vulnerable to cross-domain attacks.</description>
 		<priority>1</priority>
 		<example>
 			//exactSettings should be left as the default
    			Security.exactSettings = true;
       	</example>
 	</rule>

 	<rule class="org.apache.flex.pmd.rules.security.AllowAllSecureDomainRule"
 		message="Security.allowDomain is set to an insecure value">
 		<description>The security.allowDomain value of "*" will allow any domain to cross-script into the domain of this SWF and exercise its functionality.</description>
 		<priority>1</priority>
 		<example>
 			//The allowDomain settings should be specific
    			Security.allowDomain("www.example.org");
       	</example>
 	</rule>

 	<rule class="org.apache.flex.pmd.rules.security.LocalConnectionStarRule"
 		message="LocalConnection.allowDomain is set to an insecure value">
 		<description>The LocalConnection.allowDomain value of "*" will allow any domain to connect to this SWF and call its functions.</description>
 		<priority>1</priority>
 		<example>
 			//The allowDomain setting should be specific
    			LocalConnection.allowDomain("www.example.org");
       	</example>
 	</rule>

 	<rule class="org.apache.flex.pmd.rules.security.AllowInsecureDomainRule"
 		message="Potentially unnecessary use of allowInsecureDomain">
 		<description>Using allowInsecureDomain will allow untrusted content from an HTTP site to inject data into a trusted HTTPS connection which may comprimise the integrity of the HTTPS connection. The use of allowDomain is preferred.</description>
 		<priority>1</priority>
 		<example>
 			//Use the allowDomain setting instead
    			LocalConnection.allowDomain("www.example.org");
 			Security.allowDomain("www.example.org");
       	</example>
 	</rule>

 	<rule class="org.apache.flex.pmd.rules.security.LSOSecureFalseRule"
 		message="The secure flag is set to false">
 		<description>If this SWF is being served over HTTPS then the secure flag should be set to true. This can help prevent sensitive SSL protected information from being shared within insecure HTTP content. If this SWF is served over HTTP then you can ignore this warning.</description>
 		<priority>5</priority>
 		<example>
 			//Setting secure values for LSOs
    			LSO.getLocal(name, null, true);
       	</example>
 	</rule>

 	<rule class="org.apache.flex.pmd.rules.security.ImportLoadBestPracticeRule"
 		message="Set allowCodeImport to false when import loading images">
 		<description>If this loader is only intended to load image files (GIF,JPG,PNG) then be sure to set the allowCodeImport value to false. Setting this flag will reduce the chances of an untrusted SWF gaining access to your site. If your intent is to load a SWF, the URL for the request is a static value for a trusted site and/or you have already set the allowCodeImport flag, then you can ignore this warning.</description>
 		<priority>5</priority>
 	</rule>

 </ruleset>
	<?xml version="1.0"?>
	<!--

	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.

	-->
	<ruleset name="Security Rules"
	xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd"
	xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">

	<description>
	The Security AS3 Ruleset contains a collection of best practices related to secure code.
	</description>

	<rule class="org.apache.flex.pmd.rules.security.InsecureExactSettingsRule"
	message="Security.exactSettings is set to an insecure value">
	<description>The security.exactSettings value should remain set at the default true value. Setting this value to false could make the SWF vulnerable to cross-domain attacks.</description>
	<priority>1</priority>
	<example>
	//exactSettings should be left as the default
	Security.exactSettings = true;
	</example>
	</rule>

	<rule class="org.apache.flex.pmd.rules.security.AllowAllSecureDomainRule"
	message="Security.allowDomain is set to an insecure value">
	<description>The security.allowDomain value of "*" will allow any domain to cross-script into the domain of this SWF and exercise its functionality.</description>
	<priority>1</priority>
	<example>
	//The allowDomain settings should be specific
	Security.allowDomain("www.example.org");
	</example>
	</rule>

	<rule class="org.apache.flex.pmd.rules.security.LocalConnectionStarRule"
	message="LocalConnection.allowDomain is set to an insecure value">
	<description>The LocalConnection.allowDomain value of "*" will allow any domain to connect to this SWF and call its functions.</description>
	<priority>1</priority>
	<example>
	//The allowDomain setting should be specific
	LocalConnection.allowDomain("www.example.org");
	</example>
	</rule>

	<rule class="org.apache.flex.pmd.rules.security.AllowInsecureDomainRule"
	message="Potentially unnecessary use of allowInsecureDomain">
	<description>Using allowInsecureDomain will allow untrusted content from an HTTP site to inject data into a trusted HTTPS connection which may comprimise the integrity of the HTTPS connection. The use of allowDomain is preferred.</description>
	<priority>1</priority>
	<example>
	//Use the allowDomain setting instead
	LocalConnection.allowDomain("www.example.org");
	Security.allowDomain("www.example.org");
	</example>
	</rule>

	<rule class="org.apache.flex.pmd.rules.security.LSOSecureFalseRule"
	message="The secure flag is set to false">
	<description>If this SWF is being served over HTTPS then the secure flag should be set to true. This can help prevent sensitive SSL protected information from being shared within insecure HTTP content. If this SWF is served over HTTP then you can ignore this warning.</description>
	<priority>5</priority>
	<example>
	//Setting secure values for LSOs
	LSO.getLocal(name, null, true);
	</example>
	</rule>

	<rule class="org.apache.flex.pmd.rules.security.ImportLoadBestPracticeRule"
	message="Set allowCodeImport to false when import loading images">
	<description>If this loader is only intended to load image files (GIF,JPG,PNG) then be sure to set the allowCodeImport value to false. Setting this flag will reduce the chances of an untrusted SWF gaining access to your site. If your intent is to load a SWF, the URL for the request is a static value for a trusted site and/or you have already set the allowCodeImport flag, then you can ignore this warning.</description>
	<priority>5</priority>
	</rule>

	</ruleset>