我有一个应用程序,该应用程序的帮助页面上方带有一个水平菜单。
一旦用户单击菜单中的Help链接,就会调用以下控制器,并将用户带到一个页面,该页面不属于我当前的应用程序,而是属于组织内另一个部门拥有的另一个应用程序的一部分。 / p>
为了解决此问题,我添加了一个新方法isValidSite(),并添加了一些检查以验证网址,以期Fortify将不再抱怨它,但没有运气。
请指导。
强化S3错误:
The file HelpController.java passes unvalidated data to an HTTP redirect function on line 26: return "redirect:" + helpUrl;.
Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
HelpController.java
@Controller
@RequestMapping("/help.htm")
public class HelpController {
private static String helpUrl = "http://some.other.app.within.my.org/help-page.html";
private static Logger log = Logger.getLogger("HelpController.class");
@RequestMapping(method = RequestMethod.GET)
protected String handleRequestInternal(HttpServletRequest request, HttpServletResponse response) {
if (isValidSite()) {
log.info("Redirecting to: " + helpUrl);
return "redirect:" + helpUrl;
}
log.error("URL should have my.org within it: " + helpUrl);
return "errors/runtime-error";
}
//ADDED THIS TO FIX THE FORTIFY SCAN ISSUE, BUT NO LUCK :(
private boolean isValidSite() {
return StringUtils.isNotBlank(helpUrl) && helpUrl.contains("my.org");
}
}