Checkmarx - How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan

那年仲夏 提交于 2021-01-19 06:15:17

问题


Following are checkmarx issue details Unrestricted File Upload

Source Object : req (Line No - 39)

target Object : getInputStream (Line No -41)

    public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
{

    //...
38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
39            throws AuthenticationException, IOException, ServletException
40    {
41        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
    //...
}

request objects get highlighted in checkmarx tool -

How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan?


回答1:


Sometimes, we can trick the tool with a level of indirection. Can you try the below and see if that fixes your problem,

Replace:

Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

With,

Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);



回答2:


This worked for me - checkmarx pass this high vulnerability

I used combination of @reflexdemon ans and @tgdavies comment

@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
        throws IOException
{
    int len = req.getContentLength();
    len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
    String type = req.getContentType();
    type =  Encode.forHtml(type);
    Entitlements creds;
    if(len == INPUT_LENGTH && type.equals(MIMETYPE_TEXT_PLAIN_UTF_8)) {
        creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
    }else{
        creds = new Entitlements();
    }

    return getAuthenticationManager().authenticate(
            new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
}



回答3:


Seems like the scanner found an XSS vulnerability in your code.

From OWASP's Cross-site Scripting (XSS) page:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

To learn in-depth how to avoid Cross-site Scripting vulnerabilities, it is very recommended to go over OWASP's XSS (Cross-Site Scripting) Prevention Cheat Sheet page. There are some sanitizer options listed there, and you can choose according to the specific language and relevant use.

Good luck.



来源:https://stackoverflow.com/questions/64152836/checkmarx-how-to-validate-and-sanitize-httpservletrequest-getinputstream-to-p

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!