Fortify: 资源注入

huangapple go评论138阅读模式
英文:

Fortify : Resource Injection

问题

我有以下的代码,并且在copyMessages()函数处遇到了资源注入的问题。<br>
我不知道如何修复这个问题。

摘要:攻击者可以控制位于MailboxProcessorServiceImpl.java第77行的copyMessages()函数的资源标识符参数,这可能使他们能够访问或修改受保护的系统资源。
文件名:
行号:77
漏洞:javax.mail.Folder.copyMessages()
Folder inboxFolder = mailUtil.openFolder(store, "INBOX");
Folder processedFolder = mailUtil.openFolder(store, "Processed");
try {
    Flags flaggedFlags = new Flags(Flags.Flag.FLAGGED);
    Flags deletedFlags = new Flags(Flags.Flag.DELETED);
    Message[] msgs = inboxFolder.search(new FlagTerm(flaggedFlags, false));
    log.info("# of new Emails received: " + Integer.toString(msgs.length));
    if (msgs.length > 0) {
        for (Message msg : msgs) {
            log.info(msg.getSubject());
            Map<String, InputStream> mis = getAttachments(msg);
            if (!CollectionUtils.isEmpty(mis))
                saveAndProcessAttachment(mis, msg);

            Message[] processedMsgs = { msg };
            if (processedMsgs.length > 0) {
                inboxFolder.copyMessages(processedMsgs, processedFolder);
            }
            msg.setFlags(deletedFlags, true);
        }
    }
    inboxFolder.close(true);
    processedFolder.close();
}
英文:

I have the following code and I am getting the Resource injection issue at the copyMessages().<br>
I don't know how to fix the issue?

Abstract: Attackers are able to control the resource identifier argument to copyMessages() at MailboxProcessorServiceImpl.java line 77, which could enable them to access or modify otherwise protected system resources. 
FileName: 
LineNo: 77
Sink: javax.mail.Folder.copyMessages() 
Folder inboxFolder = mailUtil.openFolder(store, &quot;INBOX&quot;);
		Folder processedFolder = mailUtil.openFolder(store, &quot;Processed&quot;);
		try {

			Flags flaggedFlags = new Flags(Flags.Flag.FLAGGED);
			Flags deletedFlags = new Flags(Flags.Flag.DELETED);
			Message[] msgs = inboxFolder.search(new FlagTerm(flaggedFlags, false));
			log.info(&quot;# of new Emails received: &quot; + Integer.toString(msgs.length));
			if (msgs.length &gt; 0) {
				for (Message msg : msgs) {
					log.info(msg.getSubject());
					Map&lt;String, InputStream&gt; mis = getAttachments(msg);
					if (!CollectionUtils.isEmpty(mis))
						saveAndProcessAttachment(mis, msg);

					Message[] processedMsgs = { msg };
					if (processedMsgs.length &gt; 0) {
						inboxFolder.copyMessages(processedMsgs, processedFolder);
					}
					msg.setFlags(deletedFlags, true);
				}
			}
			inboxFolder.close(true);
			processedFolder.close();

答案1

得分: 1

我认为资源注入问题是由于参数 'store' 导致的。它将确定 processedMsg 将存储在的资源位置。而且似乎这个参数是从不受信任的来源获取的。也许是从请求参数中获取的?

所以想象一下,如果有人给你 'store' 参数,比如 "../../somewere"。用户可以使用任何 REST 客户端来执行,不仅限于您的前端应用程序,它根本不会阻止这种操作。

  • 这会跳转到上级父目录并将消息放在 '/somewere/Processed' 下吗?
  • 这个功能是否可以代表您用来运行服务器的用户,覆盖一些重要的系统文件?
  • 如果 'store' 预期包含用户可以轻易猜到的字符串,他能否通过欺骗来提供错误的 'store' 参数?例如,如果 'store' 实际上是用户名。(您可以给出一些 'store' 包含的示例。)

通常情况下,您应该从受信任的来源获取位置,或者对输入参数进行清理,并告诉扫描工具您已经进行了清理。例如,只允许包含字母数字字符。

这对您有帮助吗?

英文:

I think the resource injection issue is reported because of the parameter 'store'. It is going to determine the resource location where your processedMsg will be stored. And it seems that this parameter is taken from not trusted source. Maybe from a request parameter?

So imagine someone give you the 'store' parameter like "../../somewere". User can use whatever rest client to do it, not only your front end application that would never allow it.

  • Will this go to parent of the parent directory and put the message to '/somewere/Processed'?
  • Can this feature overwrite some of the important system files on behalf of the user you use to run the server?
  • If the 'store' is expected to contain a string that user can easily guess, can he just trick it giving wrong 'store' as a parameter? For example if store is actually the username. (You can tell some example what 'store' contains.)

Typically you should either take the location from a trusted source, or to sanitize the input parameter and tell the scanning tool you have sanitized it. For example allowing only alphanumeric characters.

Was this helpfull?

答案2

得分: 0

我不确定我理解那个抱怨,但也许它在指出攻击者可以发送任意消息,然后该消息会被复制到processedFolder中?如果消息很大,可能会耗尽资源。

英文:

I'm not sure I understand that complaint but perhaps it's noting that the attacker could send an arbitrary message which would then get copied to the processedFolder? If the message is large, it could exhaust resources.

huangapple
  • 本文由 发表于 2020年4月10日 22:04:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/61141966.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定