<?xml version="1.0" encoding="UTF-8"?> <FindBugsFilter> <Match> <!-- only redirects to internal addresses --> <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/> <Method name="performRedirectToItself" /> <Bug pattern="UNVALIDATED_REDIRECT" /> </Match> <Match> <!-- only redirects to internal addresses --> <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/> <Method name="forwardToErrorHandler" /> <Bug pattern="UNVALIDATED_REDIRECT" /> </Match> <Match> <!-- the ErrorToken is only single-used as same as a CSRF token --> <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> <Method name="errorHandling" /> <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> </Match> <Match> <!-- the ErrorToken is only single-used as same as a CSRF token --> <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> <Method name="errorRedirect" /> <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" /> </Match> <Match> <!-- Only used to evaluate expressions from pre-compiled process-flows --> <OR> <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/> <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/> </OR> <Bug pattern="SPEL_INJECTION" /> </Match> <Match> <!-- URL will be only generated from configuration path--> <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/> <Bug pattern="PATH_TRAVERSAL_IN" /> </Match> <Match> <!-- Logging of request parameters is allowed for this classes --> <OR> <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/> <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/> <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/> </OR> <Bug pattern="CRLF_INJECTION_LOGS" /> </Match> </FindBugsFilter>