veracode

NoClassDefFoundError encountered while fixing CRLF sequence in HttpHeader

半腔热情 submitted on 2021-02-11 12:19:02
Question: After performing a Veracode scan on my code, a flaw was reported saying "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting - CWE ID 113')" on the below code. public void writeCookies() { for (final Cookie cookie : cookies) { super.addCookie(cookie); } The flaw code reported is super.addCookie(cookie). To fix this I added the below code public void writeCookies() { for (final Cookie cookie : cookies) { cookie.setSecure(true); ESAPI.httpUtilities().addCookie((

Pass Veracode CWE 117 (Improper Output Neutralization for Logs) only with replaceAll(“\r”, “_”).replaceAll(“\n”, “_”)

廉价感情. submitted on 2021-02-10 07:39:27
Question: I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not? message.replaceAll("\r", "_").replaceAll("\n", "_"); From this topic How to fix Veracode CWE 117 (Improper Output Neutralization for Logs), I understand that I need to do something like this ESAPI.encoder().encodeForHTML(message); Answer 1: The message needs to be escaped for the context which

How to Prevent SSRF in .NET

别来无恙 submitted on 2021-02-08 11:53:37
Question: I have a Web Forms application and also a Web API application hosted on different servers. For all CRUD operations the Web Forms application uses the API. To call the API from the Web Forms app I have created a generic API requesting method using the WebRequest class. Things are working fine, but when we scan the code using Veracode I am getting an SSRF (Server Side Request Forgery) issue. I googled and some folks said to add validation to the request URI; I tried all the validations but Veracode is throwing

What is the best way to fix "Improper Restriction of XML External Entity Reference"?

妖精的绣舞 submitted on 2021-02-08 06:18:09
Question: We recently ran Veracode, which points out the following method: public XmlElement RunProcedureXmlElement(string Procedure, List<SqlParameter> Parameters) { DataSet ds = RunProcedureDataSet(Procedure, Parameters); XmlDocument xmlDoc = new XmlDocument(); StringBuilder strXML = new StringBuilder(); foreach (DataTable dt in ds.Tables) { foreach (DataRow dr in dt.Rows) { strXML.Append(dr[0]); // Do I still need .ToString()??? } } if (strXML.Length == 0) strXML.Append("<root total=\"0\"></root>")

How to resolve CWE 117 Issue

大憨熊 submitted on 2021-02-05 06:22:26
Question: I have a CWE 117 issue reported in my product. The CWE 117 issue is that the software does not properly sanitize or incorrectly sanitizes output that is written to logs, and one possible solution I got was to add the following while logging. String clean = args[1].replace('\n', '_').replace('\r', '_'); log.info(clean); My question is whether there is any central place in log4j where a single change can solve this issue? Answer 1: It is the Layout that is responsible for serializing the log message, and

Unable to fix Veracode CWE ID 918 flaw (SSRF) when using the API Gateway pattern in a microservices architecture

ε祈祈猫儿з submitted on 2021-01-28 09:02:39
Question: I am using the API Gateway pattern in a microservices architecture in which the front-end Angular app makes an HTTP request to my API Gateway project, which is simply an ASP.NET Core 3.1 Web API project. Currently I only have 2 microservices and an API Gateway, and all of them are of type ASP.NET Core 3.1 Web API project. The API Gateway project has all the controllers of my microservices. The purpose of the API Gateway is just to receive the request from the front end and make an HTTP request to

Unable to rectify Veracode CWE ID 918 (SSRF) in ASP.NET

会有一股神秘感。 submitted on 2020-07-19 04:20:23
Question: Long story short, no matter what I try, Veracode continues to flag 8 lines of my code as flaws with CWE 918. This is old code, so I'm not sure why it's suddenly being flagged. Here's an example [offending] method with the flagged line in bold: public virtual async Task<HttpResponseMessage> Put(string controller = "", Dictionary<string, object> parameters = null, object body = null) { if (string.IsNullOrWhiteSpace(ApiBaseUrl)) return null; HttpResponseMessage response = null; using (var client =