Showing content from https://github.com/pmd/pmd/issues/532 below:

[core] security concerns on URL-based rulesets · Issue #532 · pmd/pmd · GitHub

Since rulesets can be Java class files and there is no mechanism to ensure that URL-based rulesets are loaded only via HTTPS, or that the rulesets are signed or have a certain hash value, it is possible to specify an external ruleset source via HTTP in production environments. This means that DNS poisoning or a compromised web host can inject arbitrary code into the environment where PMD is being used. If PMD is used as part of the developer toolchain and a developer uses a laptop in a cafe, for example, this can lead to the developer's machine being compromised, a RAT installed, and used as a stepping stone when the developer returns to the office environment.
It would be nice if PMD had a flag or configuration where HTTP-based rulesets were rejected, or fancier mechanisms (such as requiring signed code) were implemented.
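The two controls the issue asks for, a switch that rejects plaintext HTTP ruleset sources and a verification step on the fetched bytes, sketched as an added example that is not PMD's code and does not use PMD's ruleset-loading API. It goes slightly beyond the request: a remote ruleset must also carry a pinned SHA-256 digest, because TLS alone does not protect against the compromised-host case the issue describes. The ruleset bytes, the `fake_fetch` stand-in for the network and the hostnames are all constructed so the example runs offline; the function and exception names are assumptions of this example.

```python
"""Source-policy guard for URL-based rulesets: HTTPS-only plus pinned SHA-256.

Hypothetical example, not PMD's own loader. The fetch callable is injected so
the example runs offline against a constructed ruleset.
"""
import hashlib
import hmac
from typing import Callable, Optional
from urllib.parse import urlparse


class RulesetSourceError(Exception):
    """Raised when a ruleset source violates the loading policy."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_ruleset_url(url: str, allow_http: bool = False) -> None:
    """Reject transports that let an on-path attacker substitute the ruleset.

    https:// (server-authenticated by TLS) and file:// (local) are accepted;
    http:// only when the caller explicitly opts in; anything else is refused.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme in ("https", "file"):
        return
    if scheme == "http":
        if allow_http:
            return
        raise RulesetSourceError(f"plaintext HTTP ruleset source rejected: {url}")
    raise RulesetSourceError(f"unsupported ruleset URL scheme {scheme!r}: {url}")


def verify_ruleset_digest(data: bytes, expected_sha256: str) -> None:
    """Compare the fetched bytes against a digest pinned in configuration."""
    actual = sha256_hex(data)
    # constant-time compare so the check itself is not a timing oracle
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise RulesetSourceError(
            f"ruleset digest mismatch: expected {expected_sha256}, got {actual}")


def load_ruleset(url: str, fetch: Callable[[str], bytes],
                 expected_sha256: Optional[str] = None,
                 allow_http: bool = False) -> bytes:
    """Fetch a ruleset only if its transport and content pass the policy."""
    check_ruleset_url(url, allow_http)
    data = fetch(url)
    if expected_sha256 is not None:
        verify_ruleset_digest(data, expected_sha256)
    elif not url.lower().startswith("file:"):
        # Even over HTTPS, only a pinned digest defends against a compromised host.
        raise RulesetSourceError("remote ruleset requires a pinned SHA-256 digest")
    return data


# Constructed sample ruleset (not a real PMD ruleset) and a fake fetcher that
# stands in for the network; evil.example models a poisoned or compromised host.
SAMPLE_RULESET = (b'<?xml version="1.0"?>\n'
                  b'<ruleset name="example"><description>demo</description></ruleset>\n')
SAMPLE_RULESET_SHA256 = sha256_hex(SAMPLE_RULESET)
TAMPERED_RULESET = SAMPLE_RULESET.replace(b"demo", b"injected")


def fake_fetch(url: str) -> bytes:
    if urlparse(url).hostname == "evil.example":
        return TAMPERED_RULESET
    return SAMPLE_RULESET


def load_verdict(url: str, expected_sha256: Optional[str] = None,
                 allow_http: bool = False,
                 fetch: Callable[[str], bytes] = fake_fetch) -> str:
    """Human-readable outcome of applying the policy to one source."""
    try:
        load_ruleset(url, fetch, expected_sha256, allow_http)
        return "accepted"
    except RulesetSourceError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for url, digest, http_ok in [
        ("http://rules.example/r.xml", SAMPLE_RULESET_SHA256, False),
        ("http://rules.example/r.xml", SAMPLE_RULESET_SHA256, True),
        ("https://rules.example/r.xml", SAMPLE_RULESET_SHA256, False),
        ("https://evil.example/r.xml", SAMPLE_RULESET_SHA256, False),
        ("https://rules.example/r.xml", None, False),
        ("file:///etc/pmd/rules.xml", None, False),
    ]:
        print(f"{url} allow_http={http_ok}: {load_verdict(url, digest, http_ok)}")
```

Pinning a digest handles the "certain hash value" variant of the request; a signature check would replace `verify_ruleset_digest` with verification against a trusted public key, which lets the ruleset change without updating every consumer's configuration.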

