Fortify Privacy Violation in ZipOutputStream.write() method

Question

In a Fortify code scan, we have a privacy violation in the Java code below, which converts a byte[] to a ZipOutputStream, which is later converted to another byte[]. The exact sink line is zos.write(arr);

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

private byte[] zipFile(String filename, byte[] arr) throws UnableToZipException, IOException {
	try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
			ZipOutputStream zos = new ZipOutputStream(baos)) {
		ZipEntry entry = new ZipEntry(filename);
		entry.setSize(arr.length);
		zos.putNextEntry(entry);
		zos.write(arr); // Fortify sink: arr is copied into the archive unchanged
		zos.closeEntry();
		zos.close(); // finishes the archive (central directory) before baos is read
		return baos.toByteArray();
	} catch (Exception e) {
		e.printStackTrace();
		// The posted version had no return or throw here, so it did not compile;
		// rethrowing keeps the declared IOException contract.
		throw new IOException("Unable to zip " + filename, e);
	}
}

Is it a valid violation or a false positive? I am not writing the ZipOutputStream to the local directory. If it is a valid privacy violation, how do I resolve it?

Answer 1

Score: 1
You shouldn't be looking at this code in isolation. The Fortify scan will also provide details on where the data enters this method from. You need to figure out what value is getting passed to this method for the arr parameter. If the value being passed is private information, then it will show up as a privacy violation.
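An added example (not code from the question or the answer) that round-trips the returned bytes through ZipInputStream. It shows why the sink matters even though nothing is written to disk: whoever receives the byte[] can inflate the private content back out unchanged. The entry name and the secret string are constructed sample values standing in for whatever the scan traced into arr.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipRoundTrip {

    // Same shape as the method in the question: byte[] in, zip bytes out.
    static byte[] zipBytes(String name, byte[] data) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(baos)) {
            zos.putNextEntry(new ZipEntry(name));
            zos.write(data); // the flagged sink: data is stored, not protected
            zos.closeEntry();
        } // close() writes the central directory; baos keeps its content
        return baos.toByteArray();
    }

    // Inflate the first entry back out; anyone holding the zip bytes can do this.
    static byte[] unzipFirstEntry(byte[] zip) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            if (zis.getNextEntry() == null) {
                throw new IOException("empty archive");
            }
            return zis.readAllBytes(); // reads to the end of the current entry
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input; stands in for the tainted arr parameter.
        byte[] secret = "ssn=123-45-6789".getBytes(StandardCharsets.UTF_8);
        byte[] zipped = zipBytes("export.txt", secret);
        byte[] recovered = unzipFirstEntry(zipped);
        System.out.println("recovered: " + new String(recovered, StandardCharsets.UTF_8));
        System.out.println("identical to input: " + Arrays.equals(secret, recovered));
    }
}
```

Compression changes the encoding of the bytes, not who can read them, which is why the finding is judged by the data source feeding arr rather than by the absence of a file write.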

huangapple
  • This post was published on 28 July 2020 23:05:19
  • Please keep a link to this post when reposting: https://go.coder-hub.com/63137247.html