java 如何清理和验证用户输入以通过 Checkmarx 扫描
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31984962/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to sanitize and validate user input to pass a Checkmarx scan
提问by cahen
I have an endpoint that receives a String from the client as seen below:
我有一个端点从客户端接收一个字符串,如下所示:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
String y = myService.process(x);
return Response.status(OK).entity(y).build();
}
Checkmarx complains that this element's value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"
Checkmarx 抱怨这个元素的值然后“在没有被正确清理或验证的情况下流过代码并最终在方法 doSomething 中显示给用户”
Then I tried this:
然后我尝试了这个:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
if (StringUtils.trimToNull(x) == null || x.length() > 100) {
throw new RuntimeException();
}
x = x.replace("'", "").replace("`", "").replace("\", "").replace("\"", "")
String y = myService.process(x);
y = y.replace("'", "").replace("`", "").replace("\", "").replace("\"", "")
return Response.status(OK).entity(y).build();
}
But it still considers this a high severity vulnerability.
但它仍然认为这是一个高严重性的漏洞。
How do I properly sanitize or validate to pass a Checkmarx scan?
如何正确消毒或验证以通过 Checkmarx 扫描?
回答by cahen
回答by Jeyaganesh
in .Net framework > 4.0 use AntiXSS
在 .Net 框架 > 4.0 中使用 AntiXSS
AntiXssEncoder.HtmlEncode()
AntiXssEncoder.HtmlEncode()
