英文:
Fortify Privacy Violation in ZipOutputStream.write() method
问题
在Fortify代码扫描中,我们在以下Java代码中发现了隐私违规,该代码将byte[]转换为ZipOutputStream,然后再将其转换为另一个byte[]。确切的漏洞行是 zos.write(arr);
private byte[] zipFile(String filename, byte[] arr) throws UnableToZipException, IOException {
try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
ZipOutputStream zos = new ZipOutputStream(baos)) {
ZipEntry entry = new ZipEntry(filename);
entry.setSize(arr.length);
zos.putNextEntry(entry);
zos.write(arr);
zos.closeEntry();
zos.close();
return baos.toByteArray();
} catch (Exception e) {
e.printStackTrace();
}
}
这是否是有效的违规还是误报?我并没有将ZipOutputStream写入本地目录。如果这是一个有效的隐私违规,如何解决?
英文:
In Fortify code scan, we have a privacy violation in below Java code, which converts a byte[] to ZipOutputStream, which is later converted to another byte[]. The exact sink line is zos.write(arr);
private byte[] zipFile(String filename, byte[] arr) throws UnableToZipException, IOException {
try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
ZipOutputStream zos = new ZipOutputStream(baos)) {
ZipEntry entry = new ZipEntry(filename);
entry.setSize(arr.length);
zos.putNextEntry(entry);
zos.write(arr);
zos.closeEntry();
zos.close();
return baos.toByteArray();
} catch (Exception e) {
e.printStackTrace();
}
}
Is it a valid violation or a false positive? I am not writing the ZipOutputStream to the local directory. If it is a valid privacy violation, how to resolve it?
答案1
得分: 1
你不应该孤立地查看这段代码。Fortify扫描还将提供有关数据进入此方法的详细信息。你需要弄清楚传递给该方法的arr参数的值是什么。如果传递的值是私密信息,那么它将显示为隐私违规。
英文:
You shouldn't be looking this code in isolation. Fortify scan will also provide details on from where the data enters to this method. You need to figure out what the value getting passed to this method for arr parameter. If the value getting passed is private information then it will show up as privacy violation.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论