Veracode CWE 501 Flaw Trust Boundary Violation In JSP File
Question
I am getting Veracode flaw CWE ID 501 on a line like session.setAttribute(var1, var2). I have already tried different ways to resolve it but am unable to fix this issue. The ways which I have tried are the following:
- I have used a String literal and passed var1 into it. Finally I have used that String in that vulnerable line.
- As per the suggestions given in different blogs, I have tried a regex for input validation like pattern.matches("[0-9A-Fa-f]+").
- I have also used ESAPI for input validation.
- Moreover, I have checked the value of var1, and only if it is null have I set the value of var2 into var1.
After trying all the above-mentioned scenarios I am still getting the 501 trust boundary violation issue in Veracode. Can anybody please help me with that? Is there any other way to fool the Veracode static scan for this issue? Please reply. Thanks in advance.
Answer 1
Score: 0
Error description in Veracode:
This call to javax.servlet.http.HttpSession.setAttribute() mixes trusted and untrusted data in the same data structure, thereby encouraging programmers to mistakenly trust unvalidated data. The first argument to setAttribute() contains tainted data from the variable PDTYPE. The tainted data originated from an earlier call to javax.servlet.ServletRequest.getParameterNames.