When I scan the code with the Fortify tool, I get the following error:
On line 64 of CaApiService.java, the method initializeBearerAuthorizationValue() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;   // Jackson 2 assumed
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.CloseableHttpResponse;

// BackendException and ConversionException are project classes not shown in the post.

void initializeBearerAuthorizationValue() throws URISyntaxException, BackendException, IOException, ConversionException {
    // Request to CA for Security Token (try-with-resources closes the response)
    try (CloseableHttpResponse response = requestAuthenticationToken()) {
        if (response.getStatusLine().getStatusCode() != 200) {
            LOGGER.info(IOUtils.toString(response.getEntity().getContent()));
            throw new BackendException("CaTechnologies configuration is not configured correctly");
        }
        // Parse response and return Bearer string to be used in all subsequent requests
        String theString = IOUtils.toString(response.getEntity().getContent());
        ObjectMapper mapper = new ObjectMapper();
        Map<String, Object> map = mapper.readValue(theString, Map.class);
        // Line flagged by Fortify: the token taken from the response is formatted
        // straight into a JSON string without validation or escaping.
        bearerAuthorizationValue = "Bearer " + Base64.encodeBase64String(String.format("{\"tkn\":\"%s\",\"all\":true}",
                map.get("tkn")).getBytes());
    }
}
Any suggestions?
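One way to address the finding, as an added example that is not the poster's code: the flagged String.format construction is kept next to a version that builds a map and lets Jackson serialize it, so quotes and backslashes inside the token are escaped instead of becoming JSON syntax. The "tkn" field is also validated before use. The example assumes Jackson 2 (com.fasterxml.jackson.databind) and Java 8+, uses java.util.Base64 instead of commons-codec, and the token values and responses are constructed for the demonstration; the class and method names are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public class BearerPayloadDemo {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Unsafe: the token is pasted into a JSON template as text, so any quote
    // or brace inside it becomes JSON syntax. This mirrors the flagged line.
    static String unsafePayload(String tkn) {
        return String.format("{\"tkn\":\"%s\",\"all\":true}", tkn);
    }

    // Safe: build the object and let Jackson write it. Quotes, backslashes and
    // control characters inside tkn are escaped, so it stays one string value.
    static String safePayload(String tkn) throws IOException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("tkn", tkn);
        body.put("all", true);
        return MAPPER.writeValueAsString(body);
    }

    // Validate the CA response before using it: "tkn" must exist and be a
    // non-empty string. If the token format is documented, an allow-list regex
    // on it would be the next layer; no format is assumed here.
    static String extractToken(String responseJson) throws IOException {
        JsonNode tkn = MAPPER.readTree(responseJson).get("tkn");
        if (tkn == null || !tkn.isTextual() || tkn.asText().isEmpty()) {
            throw new IOException("CA response has no usable \"tkn\" field");
        }
        return tkn.asText();
    }

    static String bearerValue(String payloadJson) {
        return "Bearer " + Base64.getEncoder()
                .encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample responses. The second is what a hostile or
        // compromised token service could return: the token value closes the
        // JSON string and smuggles an extra member into the payload.
        String benignResponse = MAPPER.writeValueAsString(
                Collections.singletonMap("tkn", "abc123"));
        String hostileResponse = MAPPER.writeValueAsString(
                Collections.singletonMap("tkn", "abc\",\"x\":\"y"));

        for (String response : new String[] {benignResponse, hostileResponse}) {
            String tkn = extractToken(response);
            String unsafe = unsafePayload(tkn);
            String safe = safePayload(tkn);

            // Parse both payloads back and compare with the token we started from.
            JsonNode unsafeTree = MAPPER.readTree(unsafe);
            JsonNode safeTree = MAPPER.readTree(safe);
            System.out.println("token      : " + tkn);
            System.out.println("unsafe JSON: " + unsafe);
            System.out.println("  tkn round-trips? " + tkn.equals(unsafeTree.path("tkn").asText())
                    + ", members: " + unsafeTree.size());
            System.out.println("safe JSON  : " + safe);
            System.out.println("  tkn round-trips? " + tkn.equals(safeTree.path("tkn").asText())
                    + ", members: " + safeTree.size());
            System.out.println("header     : " + bearerValue(safe));
            System.out.println();
        }
    }
}
```

For the hostile token the unsafe payload parses back as three members with a truncated "tkn", while the Jackson-serialized payload parses back as the original two members with the token intact. Replacing the String.format call with a serialized map removes the string concatenation that Fortify reports; whether the scanner then clears the finding depends on its rule set, so re-scan after the change.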