How to prevent Reflected XSS on a Java Object

Time: 2017-06-20 15:23:06

Tags: java xss

I scanned my project in Checkmarx and it reports a Reflected XSS on a Java object, which is a parameter of the method below. This is the error Checkmarx reported:

Method readDataUsingQueryObject at line 743 of /src/main/java/com/cognizant/hap/core/controller/DataController.java gets user input for the query element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method readDataUsingQueryObject at line 743 of /src/main/java/com/cognizant/hap/core/controller/DataController.java. This may enable a Cross-Site-Scripting attack.

Here is the method:

c = nums[r][c].second;

Here is the class:

@RequestMapping(value = { "/readGraph/{iLakeId}/{dataPoolName}/{dataspaceName}/{datasetName}" }, headers = "Accept=*/*", method = RequestMethod.POST, produces = "application/json;charset=UTF-8")
@ResponseBody
public ResponseEntity<DataLakeGraph> readGraph(
        @ApiParam(name = "iLakeId", value = "int", required = true) @PathVariable int iLakeId,
        @ApiParam(name = "dataPoolName", value = "Datapool name", required = true) @PathVariable String dataPoolName,
        @ApiParam(name = "dataspaceName", value = "Dataspace name", required = true) @PathVariable String dataspaceName,
        @ApiParam(name = "datasetName", value = "Graph Dataset name", required = true) @PathVariable String datasetName,
        @ApiParam(name = "query", value = "Query model", required = true) @RequestBody(required = false) Query query,
        HttpServletResponse servRes) {
    DataLakeGraph dataLake = iLakeService.readGraph(iLakeId,
            dataPoolName, dataspaceName, datasetName, query);
    return HAPUtil.createResponseEntity(dataLake, HttpStatus.OK);
}

Can you tell me how to sanitize or validate the Query object parameter in the method?

1 answer:

Answer 0: (score: 0)

You don't say which lines of code in your Query call line 743 of DataController.java. The Checkmarx SAST tool found a path where the user's query is sent back in the response, but that path is not in the code snippet you posted. In general, for reflected cross-site scripting you should do positive or whitelist validation (i.e. accept known good) on any user input that can later be sent back to the user. The user query should follow a well-known pattern, so this should be possible.

Here is a complete example of whitelist validation of user input, followed by exact match (or roster) validation. In this case it checks that the user input is one of the 13 states of Malaysia. mState is the user input.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

private static final String stateFormatMy = "^[A-Z]{3}$";  // three uppercase alpha characters
private static final Pattern pattern = Pattern.compile(stateFormatMy);
private String mState;  // the user input being validated

public boolean validateStateMy()
{
    // always check the length of any string before you do any regex operations
    // to protect against ReDoS
    if(mState == null || mState.length() != 3)
    {
        System.err.println("State abbreviations in Malaysia are three characters");
        return false;
    }

    // Whitelist validation ensures three uppercase alpha characters
    Matcher matcher = pattern.matcher(mState);
    if(!matcher.matches())
    {
        System.err.println("State abbreviations in Malaysia are three uppercase alpha characters");
        return false;
    }

    // Exact match or roster validation
    boolean bValid = true;
    switch(mState)
    {
    case "JHR": break;
    case "KDH": break;
    case "KTN": break;
    case "MLK": break;
    case "NSN": break;
    case "PHG": break;
    case "PLS": break;
    case "PRK": break;
    case "PNG": break;
    case "SBH": break;
    case "SWK": break;
    case "SGR": break;
    case "TRG": break;
    default:
        System.err.println("The abbreviation does not indicate a state (according to Wikipedia)");
        bValid = false;
        break;
    }
    return bValid;
}
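The answer's pattern applied to a structured request body, as an added example that is not part of the original answer or of the asker's project: a hypothetical Query model with a field, an operator and a value, validated member by member against rosters of known-good names and a length-bounded pattern, with HTML encoding as a second layer for anything that is echoed back in a response. The Query class, the allowed field and operator names, and the value pattern are constructed assumptions; the real Query class from the question is not shown on the page.

```java
import java.util.Set;
import java.util.regex.Pattern;

public final class QueryValidator {

    // Hypothetical Query model (assumption: stands in for the asker's Query class).
    public static final class Query {
        public final String field;
        public final String operator;
        public final String value;

        public Query(String field, String operator, String value) {
            this.field = field;
            this.operator = operator;
            this.value = value;
        }
    }

    // Roster validation: constructed sample of the names a dataset actually supports.
    private static final Set<String> ALLOWED_FIELDS = Set.of("id", "name", "createdAt");
    private static final Set<String> ALLOWED_OPERATORS = Set.of("eq", "gt", "lt", "contains");

    // Whitelist pattern for the free-text value: letters, digits, space and a few separators.
    private static final int MAX_VALUE_LENGTH = 64;
    private static final Pattern VALUE_PATTERN = Pattern.compile("^[A-Za-z0-9 _.-]{1," + MAX_VALUE_LENGTH + "}$");

    // Returns true only when every member of the query is known good.
    public static boolean isValid(Query q) {
        if (q == null || q.field == null || q.operator == null || q.value == null) {
            return false;
        }
        if (!ALLOWED_FIELDS.contains(q.field) || !ALLOWED_OPERATORS.contains(q.operator)) {
            return false;
        }
        // Length check before the regex, as in the answer, to keep ReDoS off the table.
        if (q.value.length() > MAX_VALUE_LENGTH) {
            return false;
        }
        return VALUE_PATTERN.matcher(q.value).matches();
    }

    // Defense in depth: HTML-encode any user-controlled text that is written into a response,
    // so a value that slipped past validation still cannot become markup.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed query and one carrying markup characters.
        Query good = new Query("name", "eq", "Kuala Lumpur");
        Query bad = new Query("name", "eq", "a<b>c");

        System.out.println("good query valid: " + isValid(good));
        System.out.println("bad query valid: " + isValid(bad));
        System.out.println("bad value encoded for output: " + htmlEncode(bad.value));
    }
}
```

Set.of needs Java 9 or later; on Java 8 build the rosters with Collections.unmodifiableSet over a HashSet instead. The validator belongs at the top of the controller method, before the query reaches iLakeService, and the encoding step belongs wherever a query value is written into an HTML or error response rather than a JSON body.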