如何修复 A2-Broken Authentication 和 Session Management 警告?
How to fix A2-Broken Authentication and Session Management Warning?
我对我的项目运行了 Checkmarx 安全扫描,收到了针对 "cstmt.execute();" 这一行的 A2-Broken Authentication and Session Management 警告。
我知道这是 OWASP Top 10 中列出的漏洞类别之一。
需要帮助来理解我的代码有什么问题以及如何解决这个问题。
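/**
 * Runs the {@code DbConstants.EDITUSER_PROC} stored procedure with the values carried by
 * {@code userParams}.
 *
 * <p>This DAO method performs no authorization check of its own: the SSO of the edited user,
 * the admin SSO and the role list are all taken verbatim from {@code userParams} and passed to
 * the procedure. Whether the acting principal may edit this user must already have been
 * decided by the calling service layer, and that decision should be based on the authenticated
 * session, not on values that arrive in the request body (NOTE(review): {@code getAdminSso()}
 * appears to originate from the incoming JSON — confirm). A static scanner that sees only this
 * method therefore reports the {@code execute()} call as database access without a visible
 * authorization check.
 *
 * @param userParams the user to edit together with the new contract, key-account, role,
 *                   P&L and widget values
 * @return {@code 1} when the procedure ran without throwing
 * @throws CustomException when obtaining the connection, building the Oracle array or
 *                         executing the procedure fails
 */
public int editUser(UserBean userParams) throws CustomException {
    String query = DbConstants.EDITUSER_PROC;
    Connection con = null;
    CallableStatement cstmt = null;
    ARRAY arrayToPass = null;
    int status = 0;
    String cntrctId = null;
    String keyAcc = null;
    // Contract and key-account lists are only sent when the "all contracts" flag is not set;
    // otherwise the procedure receives NULL for both parameters.
    if (!"Y".equals(userParams.getAllContrctFlag())) {
        cntrctId = toCsv(userParams.getContractId());
        keyAcc = toCsv(userParams.getKeyAcName());
    }
    String roles = toCsv(userParams.getUserRole());
    String pnl = toCsv(userParams.getDefaultPnl());
    logger.debug("Edit User cntrctId,KeyAcc, roles : " + cntrctId + "\n" + keyAcc + "\n" + roles);
    try {
        con = jdbcTemplate.getDataSource().getConnection();
        // The Oracle array descriptor needs the native connection when the pool wraps it;
        // both branches of the original code made the same two calls, only the connection differed.
        Connection oracleCon = con.isWrapperFor(OracleConnection.class)
                ? con.unwrap(OracleConnection.class)
                : con;
        ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE", oracleCon);
        arrayToPass = new ARRAY(ad, oracleCon, userParams.getWidgets().toArray());

        cstmt = con.prepareCall(query);
        cstmt.setString(1, userParams.getSso());
        cstmt.setString(2, roles);
        cstmt.setString(3, userParams.getUserType());
        cstmt.setString(4, keyAcc);
        cstmt.setString(5, cntrctId);
        cstmt.setString(6, userParams.getAdminSso());
        cstmt.setString(7, pnl);
        cstmt.setString(8, userParams.getAllContrctFlag());
        cstmt.setObject(9, arrayToPass);
        cstmt.execute();
        status = 1;
    } catch (Exception ex) {
        // Log the exception object as well, so the stack trace and root cause are not lost;
        // the original only logged ex.getMessage(). The dead "status = 0" before the throw is gone.
        logger.error("Error while getting Edit User ---> " + ex.getMessage(), ex);
        // TODO(review): if CustomException has a (String, Throwable) constructor, pass ex as cause.
        throw new CustomException(ex.getMessage());
    } finally {
        closeQuietly(cstmt, con);
    }
    return status;
}

/**
 * Renders a collection the way the original inline code did: {@code Arrays.toString} with the
 * surrounding brackets removed and the result trimmed. Kept identical so the procedure receives
 * exactly the same string as before.
 *
 * @param values the collection to render; must not be {@code null}
 * @return the comma-separated rendering
 */
private static String toCsv(java.util.Collection<?> values) {
    return Arrays.toString(values.toArray()).replace("[", "").replace("]", "").trim();
}

/**
 * Closes the statement and then the connection, logging close failures instead of propagating
 * them so a failed close never masks the outcome of the procedure call.
 *
 * @param cstmt the statement to close, may be {@code null}
 * @param con the connection to close, may be {@code null}
 */
private void closeQuietly(CallableStatement cstmt, Connection con) {
    if (cstmt != null) {
        try {
            cstmt.close();
        } catch (SQLException se) {
            // Original message said "close connection" for the statement close as well.
            logger.error("Error while getting Edit User(close statement) ---> " + se.getMessage(), se);
        }
    }
    if (con != null) {
        try {
            con.close();
        } catch (SQLException se) {
            logger.error("Error while getting Edit User(close connection) ---> " + se.getMessage(), se);
        }
    }
}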
以上方法位于 DAO 层,由服务层的另一个方法调用;该服务方法接收 REST 调用及其输入 JSON,将 JSON 转换为 UserBean 对象,再作为参数传递给 editUser。
Checkmarx 报告该方法在没有任何用户授权检查迹象的情况下访问了数据库(扫描器只能看到这个 DAO 方法,看不到服务层中的授权逻辑)。
如果在您的情况下授权过程已经正确完成(例如,通过使用 roles 参数或 getAdminSso() 方法进行检查),您可以将此结果标记为不可利用。
我对我的项目运行了 Checkmarx 安全扫描,收到了针对 "cstmt.execute();" 这一行的 A2-Broken Authentication and Session Management 警告。我知道这是 OWASP Top 10 中列出的漏洞类别之一。
需要帮助来理解我的代码有什么问题以及如何解决这个问题。
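/**
 * Runs the {@code DbConstants.EDITUSER_PROC} stored procedure with the values carried by
 * {@code userParams}.
 *
 * <p>This DAO method performs no authorization check of its own: the SSO of the edited user,
 * the admin SSO and the role list are all taken verbatim from {@code userParams} and passed to
 * the procedure. Whether the acting principal may edit this user must already have been
 * decided by the calling service layer, and that decision should be based on the authenticated
 * session, not on values that arrive in the request body (NOTE(review): {@code getAdminSso()}
 * appears to originate from the incoming JSON — confirm). A static scanner that sees only this
 * method therefore reports the {@code execute()} call as database access without a visible
 * authorization check.
 *
 * @param userParams the user to edit together with the new contract, key-account, role,
 *                   P&L and widget values
 * @return {@code 1} when the procedure ran without throwing
 * @throws CustomException when obtaining the connection, building the Oracle array or
 *                         executing the procedure fails
 */
public int editUser(UserBean userParams) throws CustomException {
    String query = DbConstants.EDITUSER_PROC;
    Connection con = null;
    CallableStatement cstmt = null;
    ARRAY arrayToPass = null;
    int status = 0;
    String cntrctId = null;
    String keyAcc = null;
    // Contract and key-account lists are only sent when the "all contracts" flag is not set;
    // otherwise the procedure receives NULL for both parameters.
    if (!"Y".equals(userParams.getAllContrctFlag())) {
        cntrctId = toCsv(userParams.getContractId());
        keyAcc = toCsv(userParams.getKeyAcName());
    }
    String roles = toCsv(userParams.getUserRole());
    String pnl = toCsv(userParams.getDefaultPnl());
    logger.debug("Edit User cntrctId,KeyAcc, roles : " + cntrctId + "\n" + keyAcc + "\n" + roles);
    try {
        con = jdbcTemplate.getDataSource().getConnection();
        // The Oracle array descriptor needs the native connection when the pool wraps it;
        // both branches of the original code made the same two calls, only the connection differed.
        Connection oracleCon = con.isWrapperFor(OracleConnection.class)
                ? con.unwrap(OracleConnection.class)
                : con;
        ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE", oracleCon);
        arrayToPass = new ARRAY(ad, oracleCon, userParams.getWidgets().toArray());

        cstmt = con.prepareCall(query);
        cstmt.setString(1, userParams.getSso());
        cstmt.setString(2, roles);
        cstmt.setString(3, userParams.getUserType());
        cstmt.setString(4, keyAcc);
        cstmt.setString(5, cntrctId);
        cstmt.setString(6, userParams.getAdminSso());
        cstmt.setString(7, pnl);
        cstmt.setString(8, userParams.getAllContrctFlag());
        cstmt.setObject(9, arrayToPass);
        cstmt.execute();
        status = 1;
    } catch (Exception ex) {
        // Log the exception object as well, so the stack trace and root cause are not lost;
        // the original only logged ex.getMessage(). The dead "status = 0" before the throw is gone.
        logger.error("Error while getting Edit User ---> " + ex.getMessage(), ex);
        // TODO(review): if CustomException has a (String, Throwable) constructor, pass ex as cause.
        throw new CustomException(ex.getMessage());
    } finally {
        closeQuietly(cstmt, con);
    }
    return status;
}

/**
 * Renders a collection the way the original inline code did: {@code Arrays.toString} with the
 * surrounding brackets removed and the result trimmed. Kept identical so the procedure receives
 * exactly the same string as before.
 *
 * @param values the collection to render; must not be {@code null}
 * @return the comma-separated rendering
 */
private static String toCsv(java.util.Collection<?> values) {
    return Arrays.toString(values.toArray()).replace("[", "").replace("]", "").trim();
}

/**
 * Closes the statement and then the connection, logging close failures instead of propagating
 * them so a failed close never masks the outcome of the procedure call.
 *
 * @param cstmt the statement to close, may be {@code null}
 * @param con the connection to close, may be {@code null}
 */
private void closeQuietly(CallableStatement cstmt, Connection con) {
    if (cstmt != null) {
        try {
            cstmt.close();
        } catch (SQLException se) {
            // Original message said "close connection" for the statement close as well.
            logger.error("Error while getting Edit User(close statement) ---> " + se.getMessage(), se);
        }
    }
    if (con != null) {
        try {
            con.close();
        } catch (SQLException se) {
            logger.error("Error while getting Edit User(close connection) ---> " + se.getMessage(), se);
        }
    }
}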
以上方法位于 DAO 层,由服务层的另一个方法调用;该服务方法接收 REST 调用及其输入 JSON,将 JSON 转换为 UserBean 对象,再作为参数传递给 editUser。
Checkmarx 报告该方法在没有任何用户授权检查迹象的情况下访问了数据库(扫描器只能看到这个 DAO 方法,看不到服务层中的授权逻辑)。
如果在您的情况下授权过程已经正确完成(例如,通过使用 roles 参数或 getAdminSso() 方法进行检查),您可以将此结果标记为不可利用。