Checkmarx – How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan

huangapple go评论89阅读模式
英文:

Checkmarx - How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan

问题

以下是Checkmarx问题的详细信息
不受限的文件上传

源对象:req(行号 - 39)

目标对象:getInputStream(行号 - 41)

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
{

    //...
    38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
    39            throws AuthenticationException, IOException, ServletException
    40    {
    41        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
    //...
}

请求对象在Checkmarx工具中被突出显示 -

如何正确验证、过滤、转义和/或对用户可控输入进行编码,以通过Checkmarx扫描?

英文:

Following are checkmarx issue details
Unrestricted File Upload

Source Object : req (Line No - 39)

target Object : getInputStream (Line No -41)

    public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
{

	//...
38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
39            throws AuthenticationException, IOException, ServletException
40    {
41        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
	//...
}

request objects get highlighted in checkmarx tool -

How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan?

答案1

得分: 1

这对我有用 - Checkmarx 通过了这个高漏洞

我使用了 @reflexdemon 和 @tgdavies 的评论

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws IOException
    {
        int len = req.getContentLength();
        len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
        String type = req.getContentType();
        type =  Encode.forHtml(type);
        Entitlements creds;
        if(len == INPUT_LENGTH && type.equals(MIMETYPE_TEXT_PLAIN_UTF_8)) {
            creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
        }else{
            creds = new Entitlements();
        }

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
英文:

This worked for me - checkmarx pass this high vulnerability

I used combination of @reflexdemon ans and @tgdavies comment

@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
        throws IOException
{
    int len = req.getContentLength();
    len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
    String type = req.getContentType();
    type =  Encode.forHtml(type);
    Entitlements creds;
    if(len == INPUT_LENGTH && type.equals(MIMETYPE_TEXT_PLAIN_UTF_8)) {
        creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
    }else{
        creds = new Entitlements();
    }

    return getAuthenticationManager().authenticate(
            new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
}

答案2

得分: 1

以下解决方案适用于我的checkmarx扫描。
在存储型xss的情况下,我使用了HtmlUtils.escapeHtmlContent(String)

如果我们想要对@requestbody中使用的bean类进行消毒,我们必须使用

Jsoup.clean(StringEscapeUtils.escapHtml4(objectMapper.writeValueAsString(object)), Whitelist.basic());

这解决了我遇到的checkmarx漏洞问题。

英文:

Below solutions worked for me for checkmarx scan.
In case of stored xss I used HtmlUtils.escapeHtmlContent(String)

In case if we want to sanitize the bean classes used in @requestbody we have to use

Jsoup.clean(StringEscapeUtils.escapHtml4(objectMapper.writeValueAsString(object)), Whitelist.basic());

This has solved the checkmarx vulnerability issues for me

答案3

得分: 0

有时候,我们可以通过一定程度的间接方式来欺骗这个工具。您可以尝试以下方法,看看是否可以解决您的问题,

将:

Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

替换为:

Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
英文:

Sometimes, we can trick the tool with a level of indirection. Can you try the below and see if that fixes your problem,

Replace:

Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

With,

Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);

答案4

得分: 0

你的代码可以重构成以下形式:

// Negative
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {

    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {

        if (req.getContentLength() > MAX_REQUEST_SIZE) {
            throw new IOException("请求体大小过大!");
        }

        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager()
                .authenticate(new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }

}

你可以使用 getContentLength 作为验证器。虽然默认情况下 CxSAST 9.3 无法检测到此验证器。你可以通过以下文件中的内容覆盖 Java_Low_Visibility/Unrestricted_File_Upload 查询:
https://github.com/checkmarx-ts/CxQL/blob/master/Java/Java_Low_Visibility/Unrestricted_File_Upload.txt

还支持其他验证器,如 getSizegetFileSize。你也可以使用带有 maxRequestSizeMultipartConfig 注解,或在 web.xml 中使用 multipart-configmax-request-size

英文:

You code can be refactored to be like this:

// Negative
public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {

    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {

        if (req.getContentLength() > MAX_REQUEST_SIZE) {
            throw new IOException("request body size too big!");
        }

        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager()
                .authenticate(new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }

}

You can use use getContentLength as a validator. While by default CxSAST 9.3 is not able to detect this validator. You can override the Java_Low_Visibility/Unrestricted_File_Upload query by the content from this file:
https://github.com/checkmarx-ts/CxQL/blob/master/Java/Java_Low_Visibility/Unrestricted_File_Upload.txt

Other validators are also supported, getSize, getFileSize. You can also use MultipartConfig annotation with maxRequestSize. Or use multipart-config max-request-size in web.xml.

答案5

得分: -2

似乎扫描器在您的代码中发现了XSS漏洞。

根据OWASP的跨站脚本攻击(XSS)页面

跨站脚本攻击(XSS)是一种注入类型的攻击,恶意脚本被注入到原本是良性且可信任的网站中。XSS攻击发生在攻击者利用Web应用程序向不同的最终用户发送恶意代码时。只要Web应用程序在生成输出时使用了来自用户的输入但未经验证或编码的输入,就可能出现允许这些攻击成功的缺陷。

要深入了解如何避免跨站脚本攻击漏洞,强烈建议查阅OWASP的跨站脚本(XSS)预防备忘单页面。那里列出了一些清理选项,您可以根据特定的编程语言和相关用途进行选择。

祝您好运。

英文:

Seems like the scanner found an XSS vulnerability in your code.

From OWASP's Cross-site Scripting (XSS) page:
> Cross-Site Scripting (XSS) attacks are a type of injection, in which
> malicious scripts are injected into otherwise benign and trusted
> websites. XSS attacks occur when an attacker uses a web application to
> send malicious code, generally in the form of a browser side script,
> to a different end user. Flaws that allow these attacks to succeed are
> quite widespread and occur anywhere a web application uses input from
> a user within the output it generates without validating or encoding
> it.

To learn in-depth how to avoid Cross-site Scripting vulnerabilities, it is very recommended to go over OWASP's XSS (Cross-Site Scripting) Prevention Cheat Sheet page.
There are some sanitizer options listed there, and you can choose according to the specific language and relevant use.

Good luck.

huangapple
  • 本文由 发表于 2020年10月1日 17:45:10
  • 转载请务必保留本文链接:https://go.coder-hub.com/64152836.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定