Review MSAL Java samples to identify and fix insecure practices #911
Labels
Fundamentals
For issues focused on Java best practices, industry standards, etc.
Samples
For issues or enhancements related to our samples
Recent CodeQL scans found an issue in a file in the msal4j-sdk samples folder: #899
The samples here in the MSAL Java repository are simpler versions of our actual samples and are just meant to help developers manually test different flows, and since they aren't part of any released package the warnings were suppressed.
However, this flagged code also exists in the real sample: https://github.com/Azure-Samples/ms-identity-msal-java-samples/blob/32f2740e43b88d9251d265f81c2d9e9d5b83ca45/1-server-side/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java#L30
The real samples should always demonstrate best practices for security, MSAL, Azure, etc., and there are likely more issues like this where the convenience of writing the sample and teaching the main topic was prioritized over teaching secure behavior in general.