Checkmarx-如何验证和清理HttpServletRequest .getInputStream以通过checkmarx扫描 [英] Checkmarx - How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan

问题描述

以下是checkmarx问题的详细信息无限制的文件上传

Following are checkmarx issue details Unrestricted File Upload

源对象:req(第39行)

Source Object : req (Line No - 39)

目标对象:getInputStream(行号-41)

target Object : getInputStream (Line No -41)

    public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
{

    //...
38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
39            throws AuthenticationException, IOException, ServletException
40    {
41        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }
    //...
}

请求对象在checkmarx工具中突出显示-

request objects get highlighted in checkmarx tool -

如何正确验证，过滤，转义和/或编码用户可控制的输入以通过Checkmarx扫描?

How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan?

推荐答案

有时，我们可以使用间接级别的技巧来欺骗该工具.您可以尝试下面的方法，看看是否可以解决您的问题，

Sometimes, we can trick the tool with a level of indirection. Can you try the below and see if that fixes your problem,

替换:

Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

使用

Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);

这篇关于Checkmarx-如何验证和清理HttpServletRequest .getInputStream以通过checkmarx扫描的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！