本文介绍了如何清理和验证用户输入以通过Checkmarx扫描的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个从客户端接收字符串的端点,如下所示:
I have an endpoint that receives a String from the client as seen below:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
String y = myService.process(x);
return Response.status(OK).entity(y).build();
}
Checkmarx抱怨说,此元素的值然后流经代码而没有经过适当的消毒或验证,并最终在方法doSomething中显示给用户
Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"
然后我尝试了此操作:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
if (StringUtils.trimToNull(x) == null || x.length() > 100) {
throw new RuntimeException();
}
x = x.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
String y = myService.process(x);
y = y.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
return Response.status(OK).entity(y).build();
}
但它仍然认为这是一个严重漏洞。
But it still considers this a high severity vulnerability.
如何正确清理或验证通过Checkmarx扫描?
How do I properly sanitize or validate to pass a Checkmarx scan?
推荐答案
from spring-web
用以下方法完成了工作:
HtmlUtils from spring-web
got the job done with:
HtmlUtils.htmlEscape(x)
Maven依赖项:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.1.7.RELEASE</version>
</dependency>
这篇关于如何清理和验证用户输入以通过Checkmarx扫描的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!