veracode

How to fix Information Exposure Through Sent Data flaw in Java Web application

ぃ、小莉子 submitted on 2019-12-12 03:36:10
Question: I am getting a Veracode Information Exposure via Sent Data flaw. My code is: String companyName = System.getProperty(EPMIConstants.COMPANY_NAME); This System.getProperty(EPMIConstants.COMPANY_NAME) gets its value from a JVM argument hardcoded in the server itself. The variable companyName causes this flaw. Can someone please tell me how to avoid this flaw? Answer 1: I would recommend that you create a rule exception in Veracode so the false positive is not highlighted anymore. Fabio Answer 2: Have a look

How can I allow user controlled CSS without introducing XSS?

懵懂的女人 submitted on 2019-12-12 02:52:23
Question: I have an application where I can customize HTML templates depending on the requirements of a client. It has a provision for including CSS style scripts when creating a template, which are injected at the end when generating the template. In this way, a client/support person can dynamically generate a variety of HTML templates. But when I submit this project for a security scan, all the CSS injections are detected as security vulnerabilities (XSS Injections). My application itself is designed based on

VeraCode Reports ServiceStack OrmLite with Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89)

[亡魂溺海] submitted on 2019-12-12 02:06:05
Question: Ok, so I am using ServiceStack OrmLite for my data needs in my Web API. When I submitted my code to VeraCode for code security scanning and verification, the result report showed that OrmLite has potential SQL Injection attack vectors. ServiceStack.OrmLite.dll GridReader DapperMultiple(System.Data.IDbConnection, string, object, System.Data.IDbTransaction,System.Nullable<int>, System.Nullable<System.Data.CommandType>) ServiceStack.OrmLite.dll int ExecuteCommand(System.Data.IDbConnection,

Avoid Veracode CWE-80: Improper Neutralization of Script-Related HTML in jquery html() method

此生再无相见时 submitted on 2019-12-11 12:52:31
Question: I've just completed my first Veracode static scan of an asp.net mvc web application, and Veracode found dozens of CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page flaws. Nearly all of them involve the use of the jquery html() method. Our pattern is to make a $.ajax() call in javascript, and in the success event display the results of the $.ajax call in an html element, like so: success: function(data) { $('#elementid').html(data); } In most cases these $.ajax() calls

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

廉价感情. submitted on 2019-12-11 12:28:05
Question: After R&D I didn't find a solution to this. Please find below the piece of code and help me with this veracode flaw. Response.AppendHeader("Content-Disposition"," attachment; filename = " + Session["user_id"] + "_makler.pdf"); DESCRIPTION - A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks. Answer 1: You can

Veracode - Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)

☆樱花仙子☆ submitted on 2019-12-11 10:49:38
Question: I have inherited a legacy application and there is a snippet of code given below. private static void printKeywordCheckboxes(JspWriter out, ArrayList words, int type) throws IOException { LogbookKeyword thisWord; Iterator iterWord = words.iterator(); while (iterWord.hasNext()) { thisWord = (LogbookKeyword) iterWord.next(); out.println(" <input type=\"checkbox\" name=\"keywordCheckbox" + type + "\" value=\"" + thisWord.hashCode() + "\" checked/>" + thisWord.getWord() + "<br>"); } } Veracode is

Improper Neutralization of CRLF Sequences in HTTP Headers

陌路散爱 submitted on 2019-12-10 22:38:56
Question: I ran a Veracode scan on my project and it gave me a CWE ID 113 issue under HTTP response splitting. I tried to resolve the issue with their recommendations but it did not work. e.g. try { String selNhid = req.getParameter("selNhid"); String redirectURL = "/nhwhoods?action=membersNH&selNhid="+selNhid; res.sendRedirect(req.getContextPath() + redirectURL); } catch (Exception e) { e.printStackTrace(); } The above code is from one of the files. And the report is showing the error at the line res.sendRedirect(req

Veracode still reports OS command injection issue after I have applied the solution as recommended by OWASP and Roslyn Security Guard

风格不统一 submitted on 2019-12-10 20:14:21
Question: The current code in my project is shown below and Veracode reports there is an OS command injection: filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") & ".svg" ProcessStartInfo startInfo = default(ProcessStartInfo); Process pStart = new Process(); startInfo = new ProcessStartInfo(myExecutedFilePath, "\"" + filename + "\" --export-pdf=\"" + filename + "\""); **//OS command injection raises at this line** pStart.StartInfo = startInfo; pStart.Start(); pStart.WaitForExit(); So, I research the

How to use ESAPI Logger in an Android Native or Cordova Application

浪尽此生 submitted on 2019-12-08 13:22:20
Question: I am new to ESAPI. I have added the esapi-2.0.1 jar to my Android app and was able to call any of the ESAPI methods. However, I am getting the error Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource. My concern is whether it is possible to use ESAPI for any Android apps and, if yes, where to locate ESAPI.properties in an app. Any help would be appreciated. PS: This is my first question on stackoverflow.com, pardon me if I did not follow any of the rules.

How to fix “Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)” in PHP output string

岁酱吖の submitted on 2019-12-08 08:54:04
Question: I have the following php code <?php $Output = '<table><thead><tr>'; $Output .= '<th>Display</th></tr></thead><tbody>'; for ($k = 0; $k < count($ColumnsInSQL); $k++) { $Output .= '<tr><td>'.$KS_ResultSet_level[$k][strtoupper(trim($ColumnsInSQL[$k]))].'</td></tr>'; } $Output .= '</tbody></table>'; echo $Output; ?> Recently I ran the code through Veracode and I am getting an issue with "echo $Output;". Can anyone please help me to fix this? Answer 1: Use htmlentities() to encode special characters in the