Question

我已经对我的项目进行了检查标记安全检查，并且对于行＆＃34; cstmt.execute（）;＆＃34;进行了A2-Broken认证和会话管理。据我所知，它向我展示了owasp提到的前10名中的一个漏洞。

需要帮助才能了解我的代码有什么问题以及如何解决这个问题。

public int editUser(UserBean userParams) throws CustomException{

        String query = DbConstants.EDITUSER_PROC;
        Connection con = null;
        CallableStatement cstmt=null;
        OracleConnection oracleConnection = null;
        ARRAY arrayToPass =null;
        int status = 0;
        String cntrctId = null;
        String keyAcc = null;
        String roles = null;
        String pnl = null;

        if(!"Y".equals(userParams.getAllContrctFlag())){
            cntrctId = Arrays.toString(userParams.getContractId().toArray()).replace("[", "").replace("]", "").trim();
            keyAcc = Arrays.toString(userParams.getKeyAcName().toArray()).replace("[", "").replace("]", "").trim();
        }

        roles = Arrays.toString(userParams.getUserRole().toArray()).replace("[", "").replace("]", "").trim();
        pnl = Arrays.toString(userParams.getDefaultPnl().toArray()).replace("[", "").replace("]", "").trim();

        logger.debug("Edit User cntrctId,KeyAcc, roles : "+cntrctId+"\n"+keyAcc+"\n"+roles);

        try {
            con = jdbcTemplate.getDataSource().getConnection();

            if(con.isWrapperFor(OracleConnection.class)){
                oracleConnection =con.unwrap(OracleConnection.class);                     
                ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE",oracleConnection);
                arrayToPass = new ARRAY(ad, oracleConnection, userParams.getWidgets().toArray());
            }else{
                ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE",con);
                arrayToPass = new ARRAY(ad, con, userParams.getWidgets().toArray());
            }

            cstmt = con.prepareCall(query);
            cstmt.setString(1, userParams.getSso());
            cstmt.setString(2, roles);
            cstmt.setString(3, userParams.getUserType());
            cstmt.setString(4, keyAcc);
            cstmt.setString(5, cntrctId);
            cstmt.setString(6, userParams.getAdminSso());
            cstmt.setString(7, pnl);
            cstmt.setString(8, userParams.getAllContrctFlag());
            cstmt.setObject(9, arrayToPass);
            cstmt.execute();
            status = 1;
        }catch(Exception ex){
            logger.error("Error while getting Edit User ---> "+ex.getMessage());
            status = 0;
            throw new CustomException(ex.getMessage());
        }finally{
            if(cstmt != null){
                try {
                    cstmt.close();
                } catch (SQLException se) {
                    logger.error("Error while getting Edit User(close connection) ---> "+se.getMessage());
                }
            }
            if(con != null){
                try {
                    con.close();
                } catch (SQLException se) {
                    logger.error("Error while getting Edit User(close connection) ---> "+se.getMessage());
                }
            }
        }
        return status;
    }

上面的方法出现在DAO层，并由服务级别的另一个方法调用，该方法接受REST调用并输入为JSON，将JSON转换为Userbean对象并作为参数传递给editUser

如何修复A2-Broken认证和会话管理警告？

0 个答案: