如何修复 A2-Broken Authentication 和 Session Management 警告?

How to fix A2-Broken Authentication and Session Management Warning?

我对我的项目进行了 运行 复选标记安全检查,并收到了 A2-Broken Authentication and Session Management warring for line "cstmt.execute();" 我知道它向我展示了 owasp 提到的前 10 个漏洞之一。

需要帮助来理解我的代码有什么问题以及如何解决这个问题。

public int editUser(UserBean userParams) throws CustomException{

        String query = DbConstants.EDITUSER_PROC;
        Connection con = null;
        CallableStatement cstmt=null;
        OracleConnection oracleConnection = null;
        ARRAY arrayToPass =null;
        int status = 0;
        String cntrctId = null;
        String keyAcc = null;
        String roles = null;
        String pnl = null;

        if(!"Y".equals(userParams.getAllContrctFlag())){
            cntrctId = Arrays.toString(userParams.getContractId().toArray()).replace("[", "").replace("]", "").trim();
            keyAcc = Arrays.toString(userParams.getKeyAcName().toArray()).replace("[", "").replace("]", "").trim();
        }

        roles = Arrays.toString(userParams.getUserRole().toArray()).replace("[", "").replace("]", "").trim();
        pnl = Arrays.toString(userParams.getDefaultPnl().toArray()).replace("[", "").replace("]", "").trim();

        logger.debug("Edit User cntrctId,KeyAcc, roles : "+cntrctId+"\n"+keyAcc+"\n"+roles);

        try {
            con = jdbcTemplate.getDataSource().getConnection();

            if(con.isWrapperFor(OracleConnection.class)){
                oracleConnection =con.unwrap(OracleConnection.class);                     
                ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE",oracleConnection);
                arrayToPass = new ARRAY(ad, oracleConnection, userParams.getWidgets().toArray());
            }else{
                ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE",con);
                arrayToPass = new ARRAY(ad, con, userParams.getWidgets().toArray());
            }

            cstmt = con.prepareCall(query);
            cstmt.setString(1, userParams.getSso());
            cstmt.setString(2, roles);
            cstmt.setString(3, userParams.getUserType());
            cstmt.setString(4, keyAcc);
            cstmt.setString(5, cntrctId);
            cstmt.setString(6, userParams.getAdminSso());
            cstmt.setString(7, pnl);
            cstmt.setString(8, userParams.getAllContrctFlag());
            cstmt.setObject(9, arrayToPass);
            cstmt.execute();
            status = 1;
        }catch(Exception ex){
            logger.error("Error while getting Edit User ---> "+ex.getMessage());
            status = 0;
            throw new CustomException(ex.getMessage());
        }finally{
            if(cstmt != null){
                try {
                    cstmt.close();
                } catch (SQLException se) {
                    logger.error("Error while getting Edit User(close connection) ---> "+se.getMessage());
                }
            }
            if(con != null){
                try {
                    con.close();
                } catch (SQLException se) {
                    logger.error("Error while getting Edit User(close connection) ---> "+se.getMessage());
                }
            }
        }
        return status;
    }    

以上方法存在于 DAO 层并被服务层的另一个方法调用,该方法接受 REST 调用和输入 JSON 将 JSON 转换为 Userbean 对象并作为参数传递给 editUser

Checkmarx 工具发现在没有用户授权迹象的情况下访问数据库。

如果在您的情况下授权过程正确完成(例如,通过使用 roles 参数或 getAdminSso() 方法),您可以将此结果标记为不可利用。