API Abuse - security vulnerability issue in an MVC app

Question

Fortify has reported an "API Abuse - Mass Assignment: Insecure Binder Configuration" finding for the code below. I would appreciate someone's help identifying the security flaws in it. The code is used to create an application session in a global context. Is there another, better approach to achieve the same session handling following OWASP standards?

using System.Web;

// Keys used to address entries in the ASP.NET session dictionary.
public class SessionKeys
{
    public const string AppHistory = "my_History ";
}

// Wrapper that exposes a typed view of one session entry.
public class AppSession : IAppSession
{
    public AppHistoryViewModel AppHistory
    {
        get
        {
            AppHistoryViewModel appHistory = null;

            // HttpContext.Current is null outside of a request (e.g. background work),
            // so guard before touching Session.
            if ((HttpContext.Current != null) && (HttpContext.Current.Session[SessionKeys.AppHistory] != null))
            {
                appHistory = HttpContext.Current.Session[SessionKeys.AppHistory] as AppHistoryViewModel;
            }

            return appHistory;
        }
        set
        {
            if (HttpContext.Current != null)
            {
                HttpContext.Current.Session[SessionKeys.AppHistory] = value;
            }
        }
    }
}

[UserProfileAuthorizationFilter(Order = 0)]
public class MyController : BaseController
{
    #region Setter Injection

    private IAppSession _appSession;

    // Lazily creates an AppSession unless one was injected first; the setter
    // only accepts a value while the field is still unset.
    public IAppSession AppSession
    {
        get { return _appSession ?? (_appSession = new AppSession()); }
        set
        {
            if (_appSession == null)
            {
                _appSession = value;
            }
        }
    }

    #endregion
}

Thanks!!

Recommended answer

After removing the setter property from AppHistoryViewModel, it worked.

I removed the following lines from the code and no longer see the vulnerability in the SonarQube report:

        set
        {
            if (HttpContext.Current != null)
            {
                HttpContext.Current.Session[SessionKeys.AppHistory] = value;
            }
        }

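As an added example (not code from the original post or its answer), here is the over-posting pattern that the "Mass Assignment: Insecure Binder Configuration" category covers in ASP.NET MVC, beside a hardened version that keeps the session object under server control. It assumes ASP.NET MVC 5 (System.Web.Mvc); the IAppSession interface, HistoryController, AppHistoryInput and the property names are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical interface matching the question's AppSession wrapper.
public interface IAppSession
{
    AppHistoryViewModel AppHistory { get; set; }
}

public class AppHistoryViewModel
{
    public string LastPage { get; set; }
    public bool IsPrivileged { get; set; } // server-owned state; must never come from a request
}

// Request-facing input type: only the fields a user may supply.
public class AppHistoryInput
{
    [Required, StringLength(200)]
    public string LastPage { get; set; }
}

public class HistoryController : Controller
{
    private readonly IAppSession _appSession;
    public HistoryController(IAppSession appSession) { _appSession = appSession; }

    // Insecure: the default model binder fills every public setter of the
    // parameter type from form/query data, so a posted "IsPrivileged=true"
    // ends up stored in session state (over-posting / mass assignment).
    [HttpPost]
    public ActionResult SaveInsecure(AppHistoryViewModel model)
    {
        _appSession.AppHistory = model;
        return RedirectToAction("Index");
    }

    // Hardened: bind a dedicated input type, validate it, and copy only the
    // allowed fields into the server-controlled session object.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult SaveSecure(AppHistoryInput input)
    {
        if (!ModelState.IsValid) return View(input);
        var history = _appSession.AppHistory ?? new AppHistoryViewModel();
        history.LastPage = input.LastPage;
        _appSession.AppHistory = history;
        return RedirectToAction("Index");
    }
}
```

In MVC 5, `[Bind(Include = "LastPage")]` on the action parameter is the lighter-weight alternative, but a separate input type keeps the allow-list in one place and is what static analyzers recognise most reliably.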

07-30 18:27