本文介绍了如何清理和验证用户输入以通过Checkmarx扫描的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个从客户端接收字符串的端点,如下所示:

I have an endpoint that receives a String from the client as seen below:

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    String y = myService.process(x);
    return Response.status(OK).entity(y).build();
}

Checkmarx抱怨说,此元素的值然后流经代码而没有经过适当的消毒或验证,并最终在方法doSomething中显示给用户

Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"

然后我尝试了此操作:

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    if (StringUtils.trimToNull(x) == null || x.length() > 100) {
        throw new RuntimeException();
    }
    x = x.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
    String y = myService.process(x);
    y = y.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
    return Response.status(OK).entity(y).build();
}

但它仍然认为这是一个严重漏洞。

But it still considers this a high severity vulnerability.

如何正确清理或验证通过Checkmarx扫描?

How do I properly sanitize or validate to pass a Checkmarx scan?

推荐答案

from spring-web 用以下方法完成了工作:

HtmlUtils from spring-web got the job done with:

HtmlUtils.htmlEscape(x)

Maven依赖项:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>5.1.7.RELEASE</version>
</dependency>

这篇关于如何清理和验证用户输入以通过Checkmarx扫描的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

06-24 13:16