英文:
Denial of service:regular expression : fortify pointed out a issue
问题
Hi,我遇到了拒绝服务:正则表达式警告问题,出现在以下代码行:
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\" + s, "");
你可以查看以下代码作为进一步参考:
if (null != formatBillingAcctIdInd && formatBillingAcctIdInd.equals("Y")
&& billingApplicationCode.equalsIgnoreCase(EPWFReferenceDataConstants.BILLING_APPICATION_ID.KENAN.name())) {
Pattern pt = Pattern.compile("[^a-zA-Z0-9]");
Matcher match = pt.matcher(payment.getBillingApplicationAccntId());
while (match.find()) {
String s = match.group();
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\\" + s, "");
}
}
我应该怎么做,而不是使用上面的代码,以便不会触发 Fortify 拒绝服务警告呢?
英文:
Hi i am getting denial of service:regular expressioon warning on the below line
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\" + s, "");
you can see below code for further reference
if (null != formatBillingAcctIdInd && formatBillingAcctIdInd.equals("Y")
&& billingApplicationCode.equalsIgnoreCase(EPWFReferenceDataConstants.BILLING_APPICATION_ID.KENAN.name())) {
Pattern pt = Pattern.compile("[^a-zA-Z0-9]");
Matcher match = pt.matcher(payment.getBillingApplicationAccntId());
while (match.find()) {
String s = match.group();
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\\" + s, "");
}
}
what should i do instead of above code , so i will not get fortify DOS warning
答案1
得分: 0
以下是翻译好的内容:
如果你想摆脱正则表达式的代码,你可以逐个比较输入的字符。只需将以下代码段:
Pattern pt = Pattern.compile("^[a-zA-Z0-9]+$");
Matcher match = pt.matcher(payment.getBillingApplicationAccntId());
while (match.find()) {
String s = match.group();
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\\" + s, "");
}
替换为:
String rawInput = payment.getBillingApplicationAccntId();
StringBuilder sb = new StringBuilder();
for (char c : rawInput.toCharArray()) {
// 只保留英文字母和数字,其余字符丢弃...
if ((c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| (c >= '0' && c <= '9')) {
sb.append(c);
}
}
billingApplicationAcctId = sb.toString();
英文:
If you want to go away from your regex code, you can compare the input character-wise. Just replace
Pattern pt = Pattern.compile("[^a-zA-Z0-9]");
Matcher match = pt.matcher(payment.getBillingApplicationAccntId());
while (match.find()) {
String s = match.group();
billingApplicationAcctId = billingApplicationAcctId.replaceAll("\\" + s, "");
}
with:
String rawInput = payment.getBillingApplicationAccntId();
StringBuilder sb = new StringBuilder();
for (char c : rawInput.toCharArray()) {
// any char that is an english letter or 0-9 is included. The rest is thrown away...
if ((c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| (c >= '0' && c <= '9')) {
sb.append(c);
}
}
billingApplicationAcctId = sb.toString();
专注分享java语言的经验与见解,让所有开发者获益!
评论