Checkmarx - How to validate and sanitize HttpServletRequest.getInputStream to pass a Checkmarx scan
Question
Following are the Checkmarx issue details:
Unrestricted File Upload
Source Object: req (Line No - 39)
Target Object: getInputStream (Line No - 41)
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
{
//...
38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
39 throws AuthenticationException, IOException, ServletException
40 {
41 Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);
return getAuthenticationManager().authenticate(
new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
}
//...
}
The request object gets highlighted in the Checkmarx tool.
How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan?
Answer 1
Score: 1
This worked for me - Checkmarx passed this high vulnerability.
I used a combination of @reflexdemon's answer and @tgdavies' comment.
// Imports for the snippet below. Encode is org.owasp.encoder.Encode (OWASP Java Encoder);
// INPUT_LENGTH and MIMETYPE_TEXT_PLAIN_UTF_8 are constants defined elsewhere in the class.
import java.io.IOException;
import java.util.Collections;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import com.fasterxml.jackson.databind.ObjectMapper;

@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
throws IOException
{
    // Round-tripping the length through Encode.forHtml is what the scanner recognises
    // as a sanitizer; it does not change the numeric value.
    int len = req.getContentLength();
    len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
    // getContentType() is null when the header is absent; guard before encoding/comparing.
    String type = req.getContentType();
    type = (type == null) ? "" : Encode.forHtml(type);
    Entitlements creds;
    if (len == INPUT_LENGTH && MIMETYPE_TEXT_PLAIN_UTF_8.equals(type)) {
        creds = new ObjectMapper().readValue(
            req.getReader().lines().collect(Collectors.joining(System.lineSeparator())),
            Entitlements.class);
    } else {
        // Empty credentials: authentication below fails on the null id.
        creds = new Entitlements();
    }
    return getAuthenticationManager().authenticate(
        new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
}
Answer 2
Score: 1
The solutions below worked for me for the Checkmarx scan.
In the case of stored XSS I used HtmlUtils.escapeHtmlContent(String).
If we want to sanitize the bean classes used in @RequestBody, we have to use
Jsoup.clean(StringEscapeUtils.escapeHtml4(objectMapper.writeValueAsString(object)), Whitelist.basic());
This solved the Checkmarx vulnerability issues for me.
Answer 3
Score: 0
Sometimes, we can trick the tool with a level of indirection. Can you try the below and see if that fixes your problem,
Replace:
Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);
With:
Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
Answer 4
Score: 0
Your code can be refactored to be like this:
// Negative
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {
    // MAX_REQUEST_SIZE: the largest request body (in bytes) this filter accepts.
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {
        if (req.getContentLength() > MAX_REQUEST_SIZE) {
            throw new IOException("request body size too big!");
        }
        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);
        return getAuthenticationManager()
                .authenticate(new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
}
You can use getContentLength as a validator, although by default CxSAST 9.3 is not able to detect this validator. You can override the Java_Low_Visibility/Unrestricted_File_Upload query with the content from this file:
https://github.com/checkmarx-ts/CxQL/blob/master/Java/Java_Low_Visibility/Unrestricted_File_Upload.txt
Other validators are also supported: getSize, getFileSize. You can also use the MultipartConfig annotation with maxRequestSize, or use multipart-config max-request-size in web.xml.
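Added example (not code from the question or from any of the answers above): a version of attemptAuthentication that does the validation answers 1 and 4 describe, and closes the gap both leave. It checks the Content-Type, compares the declared Content-Length against a cap, and then also caps the bytes actually read, because Content-Length is supplied by the client and is absent on chunked requests, so a check on the header alone bounds nothing at runtime. Passing the length or type through Encode.forHtml, as in answer 1, is left out: it does not change either value. Assumed here: Spring Security's AbstractAuthenticationProcessingFilter and Jackson as in the question, the javax.servlet API, and an Entitlements bean with getId(); MAX_BODY_BYTES, EXPECTED_MEDIA_TYPE and the BoundedInputStream helper are this example's own.

```java
// Added example, not the question's or any answer's code. Assumes Spring Security 5 /
// javax.servlet, Jackson, and an Entitlements bean with getId() as in the question.
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {
    // Assumed limits for this example: a login body is tiny, so cap it at 4 KiB.
    private static final int MAX_BODY_BYTES = 4096;
    private static final String EXPECTED_MEDIA_TYPE = "application/json";
    // Reject anything that follows the JSON root value instead of silently ignoring it.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);

    public JWTLoginFilter(String loginUrl) {
        super(loginUrl);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {
        // 1. Content-Type: accept only JSON; the prefix test tolerates ";charset=UTF-8".
        String contentType = req.getContentType();
        if (contentType == null || !contentType.toLowerCase().startsWith(EXPECTED_MEDIA_TYPE)) {
            throw new AuthenticationServiceException("unsupported content type");
        }
        // 2. Declared length: -1 means unknown (e.g. chunked), which step 3 still bounds.
        int declared = req.getContentLength();
        if (declared > MAX_BODY_BYTES) {
            throw new AuthenticationServiceException("request body too large");
        }
        // 3. Enforce the cap on the bytes actually consumed, independent of the header.
        Entitlements creds;
        try (InputStream body = new BoundedInputStream(req.getInputStream(), MAX_BODY_BYTES)) {
            creds = MAPPER.readValue(body, Entitlements.class);
        } catch (IOException e) {
            // Oversized body and malformed JSON are both rejected; the body is never echoed back.
            throw new AuthenticationServiceException("invalid login request", e);
        }
        if (creds.getId() == null || creds.getId().isEmpty()) {
            throw new AuthenticationServiceException("missing id");
        }
        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }

    /** Example helper: fails once more than {@code limit} bytes have been read. */
    static final class BoundedInputStream extends InputStream {
        private final InputStream in;
        private long remaining;

        BoundedInputStream(InputStream in, long limit) {
            this.in = in;
            this.remaining = limit;
        }

        @Override
        public int read() throws IOException {
            int b = in.read();
            if (b != -1 && --remaining < 0) {
                throw new IOException("body exceeds limit");
            }
            return b;
        }

        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            if (len == 0) {
                return 0;
            }
            // Read at most one byte past the limit so an oversized body is detected early.
            int want = (int) Math.min(len, remaining + 1);
            int n = in.read(buf, off, want);
            if (n > 0) {
                remaining -= n;
                if (remaining < 0) {
                    throw new IOException("body exceeds limit");
                }
            }
            return n;
        }

        @Override
        public void close() throws IOException {
            in.close();
        }
    }
}
```

Whether the scanner recognises this as a sanitizer depends on the query in use, as answer 4 notes for getContentLength; the point of the wrapper is that the limit holds at runtime whatever the scanner reports. Keep the failure messages generic so a rejected body is not reflected to the client.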
Answer 5
Score: -2
Seems like the scanner found an XSS vulnerability in your code.
From OWASP's Cross-site Scripting (XSS) page:
> Cross-Site Scripting (XSS) attacks are a type of injection, in which
> malicious scripts are injected into otherwise benign and trusted
> websites. XSS attacks occur when an attacker uses a web application to
> send malicious code, generally in the form of a browser side script,
> to a different end user. Flaws that allow these attacks to succeed are
> quite widespread and occur anywhere a web application uses input from
> a user within the output it generates without validating or encoding
> it.
To learn in depth how to avoid Cross-site Scripting vulnerabilities, it is highly recommended to go over OWASP's XSS (Cross-Site Scripting) Prevention Cheat Sheet page.
There are some sanitizer options listed there, and you can choose according to the specific language and relevant use.
Good luck.