Trust Boundary Violation flaw in a Java project

Time: 2018-08-01 17:40:16

Tags: java validation security checkmarx threadcontext

For the code below, I am getting a Trust Boundary Violation finding in a CheckMarx report.

Error description: Method "getResponse" gets user input from element request. This element's value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object in method "parseRequest".

Code:

import java.util.HashMap;
import java.util.regex.Pattern;

import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;

import org.apache.logging.log4j.ThreadContext;

import com.google.common.base.Strings;

@Context
HttpHeaders httpHeader;

void parseRequest(SomeRequestType inputRequest) {
    // Request data is built from the incoming HTTP headers, i.e. untrusted input.
    HashMap<String, Data> requestData = inputRequest.getRequestData(httpHeader);
    if (requestData != null) {
        if (Strings.isNullOrEmpty(inputRequest.getId())) {
            Data data = requestData.get("data");
            var dataID = data.getID();
            // Only accept an all-digit id before using it.
            if ((dataID != null) && Pattern.matches("[0-9]+", dataID)) {
                inputRequest.setId(dataID);
                ThreadContext.put("ID", dataID);
            }
        }
    }
}

I am getting the checkmarx vulnerability on the line below, the reason being that it is not properly sanitized or validated:

ThreadContext.put("ID", dataID);

Please help me with how to properly sanitize the line above.

1 answer:

Answer 0 (score: 1)

If you are sure that dataID is numeric, convert it to an integer/long right away, like this:

int dataIDasNumber = Integer.parseInt(dataID);

And use it as an int/long here:

inputRequest.setId(dataIDasNumber);
// ThreadContext.put takes a String value, so the parsed number is rendered back to a string
ThreadContext.put("ID", String.valueOf(dataIDasNumber));

Then you don't need this:

Pattern.matches...

Your checkmarx violation should disappear.
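The answer's approach worked through as an added example (not code from the question or the answer): the untrusted id is accepted only if it parses as a long, and the value that reaches ThreadContext is re-serialized from that number, so nothing but a canonical decimal can ever be stored. It assumes log4j-api on the classpath; the class and method names are mine.

```java
import java.util.OptionalLong;
import java.util.regex.Pattern;

import org.apache.logging.log4j.ThreadContext;

public final class RequestIdSanitizer {
    // At most 19 digits: anything longer cannot be a long, so reject it before parsing.
    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,19}");

    /** Returns the id as a number only if the whole string is digits and fits in a long. */
    static OptionalLong parseId(String raw) {
        if (raw == null || !DIGITS.matcher(raw).matches()) {
            return OptionalLong.empty();
        }
        try {
            return OptionalLong.of(Long.parseLong(raw));
        } catch (NumberFormatException overflow) {
            // 19 digits can still exceed Long.MAX_VALUE; treat that as invalid too.
            return OptionalLong.empty();
        }
    }

    /** Tags the current thread's log context with the id; false means the input was rejected. */
    static boolean tagRequest(String raw) {
        OptionalLong id = parseId(raw);
        if (!id.isPresent()) {
            return false;
        }
        // The stored value is derived from the parsed number, not copied from the request,
        // so leading zeros, newlines or other log-forging characters can never reach the MDC.
        ThreadContext.put("ID", Long.toString(id.getAsLong()));
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a valid id, an id with leading zeros,
        // a value carrying a forged log line, an overflowing value and an empty string.
        String[] samples = { "12345", "007", "123\nID=admin", "9999999999999999999", "" };
        for (String raw : samples) {
            boolean accepted = tagRequest(raw);
            System.out.printf("%-28s accepted=%-5s stored=%s%n",
                    raw.replace("\n", "\\n"), accepted, ThreadContext.get("ID"));
            ThreadContext.remove("ID"); // always clear per-request context
        }
    }
}
```

Running it shows "12345" and "007" accepted (stored as 12345 and 7) while the forged, overflowing and empty inputs are rejected and nothing is stored.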