A Veracode scan is reporting a medium-risk finding in the code of a Spring Boot application. It is an encapsulation flaw related to Deserialization of Untrusted Data (CWE ID 502). I hope the experts here can help.
searchReqStr is the JSON string from the request. Veracode complains about the objectMapper.readValue line.
try {
    eventSearchFields =
        objectMapper.readValue(searchReqStr, EventSearchFields.class);
} catch (IOException e) {
    ....
}
The fields of the EventSearchFields class are all private:
public class EventSearchFields implements Serializable {
    private static final long serialVersionUID = 2373607xxxxx;

    @JsonProperty("searchCriteria")
    private List<EventSearchCriteria> searchCriteria = new ArrayList<>();

    public List<EventSearchCriteria> getSearchCriteria() {
        return searchCriteria;
    }

    public void setSearchCriteria(List<EventSearchCriteria> searchCriteria) {
        this.searchCriteria = searchCriteria;
    }
}
public class EventSearchCriteria implements Serializable {
    private static final long serialVersionUID = -624493860290016xxxxx;

    @JsonProperty("searchFieldName")
    private String searchFieldName;

    @JsonProperty("searchFieldValue")
    private transient List<?> searchFieldValue = new ArrayList<>();

    public String getSearchFieldName() {
        return searchFieldName;
    }

    public void setSearchFieldName(String searchFieldName) {
        this.searchFieldName = searchFieldName;
    }

    public List<?> getSearchFieldValue() {
        return new ArrayList<>(searchFieldValue);
    }

    public void setSearchFieldValue(List<?> searchFieldValue) {
        this.searchFieldValue = searchFieldValue;
    }
}
My guess is that it is because I use the wildcard "?" for searchFieldValue in EventSearchCriteria, since it can be a List (of Strings) or a list of Maps; see the sample request below. It works fine, but could this be what causes the Veracode scan finding?
Search request JSON string:
{
    "searchCriteria": [
        {
            "searchFieldName": "keys",
            "searchFieldValue": [
                {
                    "searchFieldName": "bNumber",
                    "searchFieldValue": ["11"]
                },
                {
                    "searchFieldName": "pNumber",
                    "searchFieldValue": ["22"]
                },
                {
                    "searchFieldName": "id",
                    "searchFieldValue": ["BBB"]
                }
            ]
        },
        {
            "searchFieldName": "unit",
            "searchFieldValue": ["aa", "bb"]
        }
    ]
}
I tried changing "?" to "Object", but no luck. Any suggestions that would help me pass the Veracode scan are welcome.
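An added example, not code from the post or from its project: the post's two beans, the readValue call, and a post-deserialization allow-list check over the List<?> part of the tree, which is the only part of this request that Jackson leaves untyped. It assumes Jackson 2.10+ (jackson-databind) on the classpath. The bean and property names are taken from the post; SearchRequestParser, parse, validateCriteria, the depth and count limits, and the rejected request in main are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class SearchRequestParser {

    // Hypothetical limits; the real API decides what is reasonable.
    private static final int MAX_DEPTH = 3;
    private static final int MAX_VALUES = 100;

    // Plain Jackson configuration: default typing is never enabled, so the JSON
    // cannot name a Java class to instantiate, and unknown properties on the
    // typed beans are rejected rather than silently dropped.
    private static final ObjectMapper MAPPER = JsonMapper.builder()
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
            .build();

    // Same shape as the beans in the post, trimmed to what the example needs.
    public static class EventSearchFields {
        @JsonProperty("searchCriteria")
        private List<EventSearchCriteria> searchCriteria = new ArrayList<>();
        public List<EventSearchCriteria> getSearchCriteria() { return searchCriteria; }
        public void setSearchCriteria(List<EventSearchCriteria> c) { this.searchCriteria = c; }
    }

    public static class EventSearchCriteria {
        @JsonProperty("searchFieldName")
        private String searchFieldName;
        // With List<?> Jackson binds each element as Object: String, Number,
        // Boolean, ArrayList or LinkedHashMap, never an arbitrary class.
        @JsonProperty("searchFieldValue")
        private List<?> searchFieldValue = new ArrayList<>();
        public String getSearchFieldName() { return searchFieldName; }
        public void setSearchFieldName(String n) { this.searchFieldName = n; }
        public List<?> getSearchFieldValue() { return new ArrayList<>(searchFieldValue); }
        public void setSearchFieldValue(List<?> v) { this.searchFieldValue = v; }
    }

    // Deserialize, then allow-list the untyped part of the tree before any of
    // it is used to build a query.
    public static EventSearchFields parse(String searchReqStr) throws IOException {
        EventSearchFields fields = MAPPER.readValue(searchReqStr, EventSearchFields.class);
        for (EventSearchCriteria c : fields.getSearchCriteria()) {
            validateCriteria(c.getSearchFieldName(), c.getSearchFieldValue(), 1);
        }
        return fields;
    }

    // Every element of searchFieldValue must be a String leaf or a Map with
    // exactly the two keys of a nested criteria; depth and fan-out are bounded.
    static void validateCriteria(String name, List<?> values, int depth) {
        if (name == null || name.isEmpty()) throw new IllegalArgumentException("missing searchFieldName");
        if (depth > MAX_DEPTH) throw new IllegalArgumentException("nested too deep under " + name);
        if (values == null || values.size() > MAX_VALUES) throw new IllegalArgumentException("bad value count for " + name);
        for (Object v : values) {
            if (v instanceof String) continue;
            if (v instanceof Map) {
                Map<?, ?> m = (Map<?, ?>) v;
                Object nestedName = m.get("searchFieldName");
                Object nestedValues = m.get("searchFieldValue");
                if (m.size() != 2 || !(nestedName instanceof String) || !(nestedValues instanceof List)) {
                    throw new IllegalArgumentException("malformed nested criteria under " + name);
                }
                validateCriteria((String) nestedName, (List<?>) nestedValues, depth + 1);
                continue;
            }
            String kind = (v == null) ? "null" : v.getClass().getSimpleName();
            throw new IllegalArgumentException("unexpected " + kind + " under " + name);
        }
    }

    public static void main(String[] args) throws IOException {
        // The request from the post, compacted.
        String ok = "{\"searchCriteria\":[{\"searchFieldName\":\"keys\",\"searchFieldValue\":["
                + "{\"searchFieldName\":\"bNumber\",\"searchFieldValue\":[\"11\"]},"
                + "{\"searchFieldName\":\"id\",\"searchFieldValue\":[\"BBB\"]}]},"
                + "{\"searchFieldName\":\"unit\",\"searchFieldValue\":[\"aa\",\"bb\"]}]}";
        System.out.println("accepted: " + parse(ok).getSearchCriteria().size() + " top-level criteria");

        // Constructed bad input: an unquoted number and an extra key inside a nested criteria.
        String bad = "{\"searchCriteria\":[{\"searchFieldName\":\"keys\",\"searchFieldValue\":["
                + "{\"searchFieldName\":\"bNumber\",\"searchFieldValue\":[11],\"extra\":true}]}]}";
        try {
            parse(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a plain ObjectMapper (no default typing, no @JsonTypeInfo on the beans), a List<?> property only ever receives Strings, numbers, booleans, lists and maps, so the wildcard by itself does not let the JSON choose a class to instantiate. What it does leave open is the shape of that untyped data, and the check above is what bounds its type, nesting depth and size before it reaches query-building code. Whether a particular static-analysis rule stops reporting the readValue line is a separate question from whether the data is handled safely.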