I have the following code, and I am getting a resource injection finding in copyMessages().
I don't know how to fix this problem.
Abstract: Attackers are able to control the resource identifier argument to copyMessages() at MailboxProcessorServiceImpl.java line 77, which could enable them to access or modify otherwise protected system resources.
FileName:
LineNo: 77
Sink: javax.mail.Folder.copyMessages()
import java.io.InputStream;
import java.util.Map;
import javax.mail.Flags;
import javax.mail.Folder;
import javax.mail.Message;
import javax.mail.search.FlagTerm;
import org.springframework.util.CollectionUtils; // assumed: the isEmpty(Map) overload is Spring's

    Folder inboxFolder = mailUtil.openFolder(store, "INBOX");
    Folder processedFolder = mailUtil.openFolder(store, "Processed");
    try {
        Flags flaggedFlags = new Flags(Flags.Flag.FLAGGED);
        Flags deletedFlags = new Flags(Flags.Flag.DELETED);
        // messages that are not yet FLAGGED are treated as new
        Message[] msgs = inboxFolder.search(new FlagTerm(flaggedFlags, false));
        log.info("# of new Emails received: " + Integer.toString(msgs.length));
        if (msgs.length > 0) {
            for (Message msg : msgs) {
                log.info(msg.getSubject());
                Map<String, InputStream> mis = getAttachments(msg);
                if (!CollectionUtils.isEmpty(mis))
                    saveAndProcessAttachment(mis, msg);
                Message[] processedMsgs = { msg };
                if (processedMsgs.length > 0) {
                    // line 77: the sink reported by the analyzer
                    inboxFolder.copyMessages(processedMsgs, processedFolder);
                }
                msg.setFlags(deletedFlags, true);
            }
        }
    } finally {
        // close(true) expunges the messages marked DELETED above
        inboxFolder.close(true);
        processedFolder.close();
    }
Answer 0: (score: 0)
I'm not sure I understand the complaint, but maybe it is pointing out that an attacker can send an arbitrary message which is then copied to the Processed folder? If the message is large, this could exhaust resources.
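One common way to address a resource-injection finding on a Folder argument, added here as an example and not code from the question or the answer, is to make sure the folder identifier can only ever be one of a fixed set of mailbox names, so nothing derived from a received message or other untrusted input reaches copyMessages(). The helper class SafeMailboxFolders and the allow-list contents are assumptions; it stands in for the mailUtil.openFolder() method the question does not show.

```java
import java.util.Set;
import javax.mail.Folder;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Store;

// Hypothetical helper, not part of the question's MailboxProcessorServiceImpl.
public final class SafeMailboxFolders {

    // The only mailbox names this service may open or copy into (assumed set).
    private static final Set<String> ALLOWED_FOLDERS = Set.of("INBOX", "Processed");

    private SafeMailboxFolders() {}

    /** Resolve a folder name against the allow-list before touching the store. */
    public static Folder openAllowedFolder(Store store, String name) throws MessagingException {
        if (name == null || !ALLOWED_FOLDERS.contains(name)) {
            // Anything that is not a known, fixed mailbox name is rejected outright.
            throw new IllegalArgumentException("folder not permitted: " + name);
        }
        Folder folder = store.getFolder(name);
        if (!folder.exists()) {
            folder.create(Folder.HOLDS_MESSAGES);
        }
        folder.open(Folder.READ_WRITE);
        return folder;
    }

    /** Copy messages only into a destination that passes the same allow-list check. */
    public static void copyToAllowedFolder(Folder source, Message[] msgs, Folder destination)
            throws MessagingException {
        if (!ALLOWED_FOLDERS.contains(destination.getName())) {
            throw new IllegalArgumentException("destination not permitted: " + destination.getName());
        }
        if (msgs.length > 0) {
            source.copyMessages(msgs, destination);
        }
    }
}
```

Replacing mailUtil.openFolder(store, "Processed") with openAllowedFolder(store, "Processed") and the direct copyMessages() call with copyToAllowedFolder() keeps the destination tied to a constant rather than to any value computed at runtime.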