安全问题 - JMS中不受信任数据的反序列化

时间:2018-04-16 11:04:47

标签: jms deserialization

我在 Java EE 应用程序中使用一个 bean 发送邮件。发送邮件的类是由 xDoclet 生成的，类代码如下所示：

import java.util.Arrays;
import javax.ejb.EJBException;
import javax.ejb.RemoveException;
import javax.jms.JMSException;
import javax.jms.MapMessage;

import com.logger.LoggerFactory;
import com.logger.LoggerInterface;
import com.messaging.MailComponent;
import com.LoggerWithUserId;

/**
 * <!-- begin-xdoclet-definition -->
 * 
 * @ejb.bean name="MessageListener" acknowledge-mode="Auto-acknowledge"
 *           destination-type="javax.jms.Queue"
 * 
 * transaction-type="Container" destination-jndi-name="MessageListener"
 * 
 * @ejb.transaction="Supports"
 * 
 * <!-- end-xdoclet-definition -->
 * @generated
 */

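public class MessageListenerBean implements javax.ejb.MessageDrivenBean,
        javax.jms.MessageListener {
    private static final LoggerWithUserId logger = new LoggerWithUserId(MessageListenerBean.class);

    /** Separator between individual addresses inside the "toAddress"/"ccAddress" fields. */
    private static final String ADDRESS_SEPARATOR = ",";

    /**
     * <!-- begin-user-doc --> <!-- end-user-doc --> The context for the
     * message-driven bean, set by the EJB container.
     * 
     * @generated
     */
    private javax.ejb.MessageDrivenContext messageContext = null;

    /**
     * Required method for container to set context.
     * 
     * @param messageContext the context supplied by the EJB container
     * @throws javax.ejb.EJBException declared for the EJB contract; never thrown here
     * @generated
     */
    public void setMessageDrivenContext(
            javax.ejb.MessageDrivenContext messageContext)
            throws javax.ejb.EJBException {
        this.messageContext = messageContext;
    }

    /**
     * Required creation method for message-driven beans.
     * 
     * <!-- begin-user-doc --> <!-- end-user-doc -->
     * 
     * <!-- begin-xdoclet-definition -->
     * 
     * @ejb.create-method <!-- end-xdoclet-definition -->
     * @generated
     */
    public void ejbCreate() {
        // no specific action required for message-driven beans
    }

    /**
     * Required removal method for message-driven beans; drops the container
     * context so it is not retained after the bean is removed.
     * <!-- begin-user-doc --> <!-- end-user-doc -->
     * 
     * @generated
     */
    public void ejbRemove() {
        messageContext = null;
    }

    public static final LoggerInterface LOG = LoggerFactory
            .getLogger(MessageListenerBean.class);

    /**
     * Handles one mail request delivered on the queue.
     * 
     * Every field of the message is treated as untrusted input (which is what the
     * Checkmarx finding "deserialization of untrusted data in JMS" is about): the
     * message type is verified before it is cast, absent address fields are treated
     * as empty instead of causing a NullPointerException, and fields that end up in
     * mail headers (addresses, from, subject) are rejected when they contain CR/LF,
     * since a line break in a header field is the classic mail header injection vector.
     * 
     * @param message the JMS message; expected to be a {@link MapMessage} carrying the
     *        string entries "toAddress", "ccAddress", "from", "subject" and "body"
     * @throws EJBException if the message is not a {@link MapMessage}, or a
     *         {@link JMSException} occurs while reading it; the container treats
     *         this as a failed delivery
     */
    public void onMessage(javax.jms.Message message) {
        // Never cast blindly: a message of another type would otherwise surface as a
        // ClassCastException that names neither the queue nor the payload type.
        if (!(message instanceof MapMessage)) {
            throw new EJBException("Expected a MapMessage but received "
                    + (message == null ? "null" : message.getClass().getName()));
        }
        MapMessage mapMsg = (MapMessage) message;

        try {
            // Per the JMS contract getString returns null for an absent entry; normalise
            // the address fields to "" so the bracket stripping below cannot NPE.
            String toEmailAddress = stringOrEmpty(mapMsg.getString("toAddress"));
            String ccEmailAddress = stringOrEmpty(mapMsg.getString("ccAddress"));
            // from/subject/body are passed through as-is (possibly null), exactly as before.
            String from = mapMsg.getString("from");
            String subject = mapMsg.getString("subject");
            String content = mapMsg.getString("body");

            // Header-bound fields must not contain line breaks. The request is logged and
            // dropped rather than rethrown: redelivery would never make it valid.
            if (containsLineBreak(toEmailAddress) || containsLineBreak(ccEmailAddress)
                    || containsLineBreak(from) || containsLineBreak(subject)) {
                logger.error("Rejected mail request: a header field contains CR/LF");
                return;
            }

            String[] toListArray = parseAddressList(toEmailAddress);
            String[] ccListArray = parseAddressList(ccEmailAddress);
            if (toListArray != null) {
                LOG.debug("To array list is------->" + " " + Arrays.toString(toListArray));
            }
            if (ccListArray != null) {
                LOG.debug("CC array list is------->" + " " + Arrays.toString(ccListArray));
            }

            try {
                MailComponent mailcomp = new MailComponent();
                mailcomp.postMail(toListArray, ccListArray, subject, content, from);
            } catch (Exception e) {
                // Best effort: a failed send is logged, not rethrown, so the message is
                // not redelivered indefinitely.
                logger.error("Exception occurred => ", e);
                logger.error("Exception Type =>" + e);
            }
        } catch (JMSException e) {
            throw new EJBException(e);
        }
    }

    /**
     * Returns {@code s}, or the empty string when {@code s} is null.
     * 
     * @param s a possibly null string
     * @return {@code s} or ""
     */
    private static String stringOrEmpty(String s) {
        return s == null ? "" : s;
    }

    /**
     * Reports whether {@code s} contains a carriage return or line feed.
     * 
     * @param s a possibly null string; null is treated as clean
     * @return true when a CR or LF character is present
     */
    private static boolean containsLineBreak(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0);
    }

    /**
     * Splits a bracketed address list into individual addresses.
     * 
     * The producer appears to send the list in {@code Arrays.toString} form, e.g.
     * "[a, b]": surrounding brackets are stripped and the remainder is split on
     * commas. Entries are not trimmed, matching the original behaviour
     * (NOTE(review): MailComponent is assumed to tolerate leading whitespace — confirm).
     * 
     * @param listText the raw field value, never null
     * @return the addresses, or null when the field is empty after stripping
     *         brackets; null is what {@code postMail} has always received for
     *         "no addresses"
     */
    private static String[] parseAddressList(String listText) {
        String stripped = listText.replace("[", "").replace("]", "");
        if ("".equals(stripped)) {
            return null;
        }
        return stripped.split(ADDRESS_SEPARATOR);
    }

    /**
     * Public no-argument constructor required by the EJB container.
     */
    public MessageListenerBean() {
        // the container configures the bean via setMessageDrivenContext
    }
}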

现在，checkmarx 对这个类报告了一个安全问题——“JMS 中不受信任数据的反序列化”，位于以下几行：

String toEmailAddress = mapMsg.getString("toAddress");
            String ccEmailAddress = mapMsg.getString("ccAddress");
            from = mapMsg.getString("from");
            subject = mapMsg.getString("subject");
            content = mapMsg.getString("body");

我无法找到解决问题的方法。请提供建议。

1 个答案:

答案 0 :(得分:0)

将类型转换移到 try 块中，可能会解决 checkmarx 问题：

MapMessage mapMsg = (MapMessage) message;