Question
I persist a value from user input request. Checkmarx complains there is Trust Boundary Violation.
gets user input from element request. This element’s value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object
I also found this post online. The accepted answer is to validate it.
OK, validate and sanitize
    // assumed import for StringUtils.isBlank (Apache Commons Lang)
    import org.apache.commons.lang3.StringUtils;

    private String getValidSearchPath(String searchPath) {
        if (!searchPath.matches("^[0-9a-zA-Z]+$")) { // using regex to do validation
            throw new RuntimeException("Unacceptable jsonPath " + searchPath);
        }
        // note: the regex above requires at least one character, so this branch
        // is never reached for a blank input
        if (StringUtils.isBlank(searchPath)) {
            return "";
        }
        return searchPath.substring(0, 0); // I intentionally put 0,0 here, which returns ""
    }
    ...
    // pseudo code
    String searchPath = getValidSearchPath(request.get(...));
    persistSearchPath(searchPath);
Then I run Checkmarx again.
Guess what? I still got Trust Boundary Violation. Can someone tell me how to fix it? I already return empty string and Checkmarx still complains that I am using value from user input improperly.
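The following is an added illustration, not code from the question above. It contrasts the pattern in the post (a value derived from the request parameter, which a dataflow taint tracker still treats as untrusted even after substring) with an allow-list lookup that returns a server-side constant, so no bytes from the request reach the Session. The servlet API calls, the parameter name "searchPath" and the allow-list values are assumptions for the example; the page does not give Checkmarx's exact sanitizer list.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SearchPathValidator {

    // Server-defined allow-list of search paths (constructed sample values).
    private static final Set<String> ALLOWED = Set.of("name", "address", "email");

    // Pattern A: the result is computed from the input. substring(), trim(),
    // toLowerCase() and similar calls yield a value whose origin is still the
    // request parameter, so taint tracking keeps the "untrusted" label on it.
    static String derivedFromInput(String searchPath) {
        if (!searchPath.matches("^[0-9a-zA-Z]+$")) {
            throw new IllegalArgumentException("Unacceptable jsonPath");
        }
        return searchPath.substring(0, 0); // "" but still tainted in dataflow terms
    }

    // Pattern B: the input only decides which branch is taken; the returned
    // object is the server's own constant, not the parameter. The flow from
    // request to Session is broken, which is what the finding asks for.
    static String canonicalFromAllowList(String searchPath) {
        for (String allowed : ALLOWED) {
            if (allowed.equals(searchPath)) {
                return allowed; // return the constant, never searchPath
            }
        }
        throw new IllegalArgumentException("Unacceptable jsonPath");
    }

    // Assumed sink: storing the validated value in the server-side Session.
    static void persistSearchPath(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String value = canonicalFromAllowList(request.getParameter("searchPath"));
        session.setAttribute("searchPath", value);
    }
}
```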
Source: https://stackoverflow.com/questions/62545939/how-to-fix-checkmarx-trust-boundary-violation