<small id='gJmU3'></small><noframes id='gJmU3'>

  • <tfoot id='gJmU3'></tfoot>
    • <bdo id='gJmU3'></bdo><ul id='gJmU3'></ul>

      1. <legend id='gJmU3'><style id='gJmU3'><dir id='gJmU3'><q id='gJmU3'></q></dir></style></legend>

        <i id='gJmU3'><tr id='gJmU3'><dt id='gJmU3'><q id='gJmU3'><span id='gJmU3'><b id='gJmU3'><form id='gJmU3'><ins id='gJmU3'></ins><ul id='gJmU3'></ul><sub id='gJmU3'></sub></form><legend id='gJmU3'></legend><bdo id='gJmU3'><pre id='gJmU3'><center id='gJmU3'></center></pre></bdo></b><th id='gJmU3'></th></span></q></dt></tr></i><div id='gJmU3'><tfoot id='gJmU3'></tfoot><dl id='gJmU3'><fieldset id='gJmU3'></fieldset></dl></div>

        Checkmarx - 如何验证和清理 HttpServletRequest .getInputStream 以通过 c

        Checkmarx - How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan(Checkmarx - 如何验证和清理 HttpServletRequest .getInputStream 以通过 checkmarx 扫描)
        <tfoot id='ugFkd'></tfoot>
            <bdo id='ugFkd'></bdo><ul id='ugFkd'></ul>

            <small id='ugFkd'></small><noframes id='ugFkd'>

            <i id='ugFkd'><tr id='ugFkd'><dt id='ugFkd'><q id='ugFkd'><span id='ugFkd'><b id='ugFkd'><form id='ugFkd'><ins id='ugFkd'></ins><ul id='ugFkd'></ul><sub id='ugFkd'></sub></form><legend id='ugFkd'></legend><bdo id='ugFkd'><pre id='ugFkd'><center id='ugFkd'></center></pre></bdo></b><th id='ugFkd'></th></span></q></dt></tr></i><div id='ugFkd'><tfoot id='ugFkd'></tfoot><dl id='ugFkd'><fieldset id='ugFkd'></fieldset></dl></div>
              <tbody id='ugFkd'></tbody>

                1. <legend id='ugFkd'><style id='ugFkd'><dir id='ugFkd'><q id='ugFkd'></q></dir></style></legend>

                2. 本文介绍了Checkmarx - 如何验证和清理 HttpServletRequest .getInputStream 以通过 checkmarx 扫描的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

                  问题描述

                  以下是 checkmarx 问题的详细信息无限制的文件上传

                  Following are checkmarx issue details Unrestricted File Upload

                  源对象:req(第 39 行)

                  Source Object : req (Line No - 39)

                  目标对象:getInputStream(第-41行)

                  target Object : getInputStream (Line No -41)

                      public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter
                  {
                  
                      //...
                  38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
                  39            throws AuthenticationException, IOException, ServletException
                  40    {
                  41        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);
                  
                          return getAuthenticationManager().authenticate(
                                  new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
                      }
                      //...
                  }
                  

                  request 对象在 checkmarx 工具中突出显示 -

                  request objects get highlighted in checkmarx tool -

                  如何正确验证、过滤、转义和/或编码用户可控输入以通过 Checkmarx 扫描?

                  How do I properly validate, filter, escape, and/or encode user-controllable input to pass a Checkmarx scan?

                  推荐答案

                  这对我有用 - checkmarx 通过了这个高漏洞

                  This worked for me - checkmarx pass this high vulnerability

                  我使用了@reflexdemon ans 和@tgdavies 评论的组合

                  I used combination of @reflexdemon ans and @tgdavies comment

                  @Override
                  public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
                          throws IOException
                  {
                      int len = req.getContentLength();
                      len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
                      String type = req.getContentType();
                      type =  Encode.forHtml(type);
                      Entitlements creds;
                      if(len == INPUT_LENGTH && type.equals(MIMETYPE_TEXT_PLAIN_UTF_8)) {
                          creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);
                      }else{
                          creds = new Entitlements();
                      }
                  
                      return getAuthenticationManager().authenticate(
                              new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
                  }
                  

                  这篇关于Checkmarx - 如何验证和清理 HttpServletRequest .getInputStream 以通过 checkmarx 扫描的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

                  本站部分内容来源互联网,如果有图片或者内容侵犯了您的权益,请联系我们,我们会在确认后第一时间进行删除!

                  相关文档推荐

                  Slf4j LoggerFactory.getLogger and sonarqube(Slf4j LoggerFactory.getLogger 和 sonarqube)
                  Security - Array is stored directly(安全性 - 数组直接存储)
                  SonarQube quot;Class Not Foundquot; during Main AST Scan(SonarQube“找不到类在主 AST 扫描期间)
                  Integrate Spock#39;s test with Sonar(将 Spock 的测试与声纳集成)
                  How do I make Hudson/Jenkins fail if Sonar thresholds are breached?(如果违反声纳阈值,我如何让 Hudson/Jenkins 失败?)
                  automatically add curly brackets to all if/else/for/while etc. in a java code-base(自动将大括号添加到 java 代码库中的所有 if/else/for/while 等)
                  • <small id='hzreG'></small><noframes id='hzreG'>

                  • <legend id='hzreG'><style id='hzreG'><dir id='hzreG'><q id='hzreG'></q></dir></style></legend>
                    <i id='hzreG'><tr id='hzreG'><dt id='hzreG'><q id='hzreG'><span id='hzreG'><b id='hzreG'><form id='hzreG'><ins id='hzreG'></ins><ul id='hzreG'></ul><sub id='hzreG'></sub></form><legend id='hzreG'></legend><bdo id='hzreG'><pre id='hzreG'><center id='hzreG'></center></pre></bdo></b><th id='hzreG'></th></span></q></dt></tr></i><div id='hzreG'><tfoot id='hzreG'></tfoot><dl id='hzreG'><fieldset id='hzreG'></fieldset></dl></div>
                      <tbody id='hzreG'></tbody>

                    <tfoot id='hzreG'></tfoot>
                      • <bdo id='hzreG'></bdo><ul id='hzreG'></ul>