Fortify error on JSON Injection in Java

I get SUBSCRIPTION_JSON from the client, convert it to a string, and then set it into a model object using the gson library. When running the Fortify secure code scan, it gives me a JSON injection error on the following code, with the following message:

The error is as follows:

On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

Explanation
JSON injection occurs when:

1. Data enters a program from an untrusted source.

In this case the data enters at getString() in **SubscriptionAction.java** at line 355.


2. The data is written to a JSON stream.

In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.

SubscriptionAction.java

final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);

ActionHelper.java

public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
    T object = null;
    if (StringUtils.isNotBlank(jsonString)) {
        final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
        object = gson.fromJson(jsonString, className);
    }
    return object;
}

SUBSCRIPTION_JSON ->

{
    "subscriptions": [{
        "attributeId": "1",
        "items": [{
            "strId": "ALL",
            "nodeType": "G"
        }, {
            "strId": "VO_ENTRY_TIMING_DELAY",
            "nodeType": "L"
        }, {
            "strId": "O_INVALID",
            "nodeType": "L"
        }, {
            "strId": "O_LINE_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_ADDRESS_INVALID",
            "nodeType": "L"
        }]
    }, {
        "attributeId": "2001",
        "items": [{
            "strId": "OSTBU",
            "nodeType": "L"
        }]
    }]
}

You must validate the received JSON to make sure it contains exactly what is expected before setting it into the model object. For example, you can implement a validator that checks the JSON against the expected schema fields/format.

1) Use "JsonSanitizer.sanitize(string)". (The parameter passed to the sanitize method here is your JSON input.)

2) To use the JsonSanitizer dependency, you can add the following to pom.xml:

<dependency>
    <groupId>com.mikesamuel</groupId>
    <artifactId>json-sanitizer</artifactId>
    <version>1.2.0</version>
</dependency>

You must sanitize the JSON before converting it to a Java object. This is a tested solution, and it removes this Fortify warning.

<dependency>
        <groupId>com.mikesamuel</groupId>
        <artifactId>json-sanitizer</artifactId>
        <version>1.0</version>
</dependency>

// raw JSON body as received from the HTTP response
String responseString = EntityUtils.toString(httpResponse.getEntity(), "UTF-8");
// sanitize first so that only well-formed JSON reaches the parser
String wellFormedJson = com.google.json.JsonSanitizer.sanitize(responseString);

Map map = mapper.readValue(wellFormedJson, Map.class);

Hope this helps..!!
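Putting the first answer's advice (validate against the expected schema) together with the sanitizer step from the answer above, here is an added example that is not code from the question or from any answer: the model classes, the field formats and the allowed node types are assumptions drawn from the sample SUBSCRIPTION_JSON payload in the question.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.json.JsonSanitizer;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
public class SubscriptionJsonValidator {
    // Hypothetical model classes mirroring the SUBSCRIPTION_JSON shape from the question.
    static class SubscriptionItem { String strId; String nodeType; }
    static class Subscription { String attributeId; List<SubscriptionItem> items; }
    static class SubscriptionRequest { List<Subscription> subscriptions; }
    // Allow-lists for the values seen in the question's payload (assumed formats).
    private static final Pattern ATTRIBUTE_ID = Pattern.compile("\\d{1,10}");
    private static final Pattern STR_ID = Pattern.compile("[A-Z0-9_]{1,64}");
    private static final Set<String> NODE_TYPES = Set.of("G", "L");
    /** Sanitizes the raw client string, binds it to the model and rejects anything outside the expected shape. */
    public static SubscriptionRequest parseAndValidate(String rawJson) {
        // 1) JsonSanitizer repairs or escapes the input so the parser only ever sees well-formed JSON.
        String wellFormed = JsonSanitizer.sanitize(rawJson);
        // 2) Bind to the model: Gson ignores unknown fields, so the model acts as a field allow-list.
        SubscriptionRequest req;
        try {
            req = new Gson().fromJson(wellFormed, SubscriptionRequest.class);
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed subscription JSON", e);
        }
        // 3) Validate values so only known attributes and items reach the business logic.
        if (req == null || req.subscriptions == null || req.subscriptions.isEmpty()) {
            throw new IllegalArgumentException("subscriptions must be a non-empty array");
        }
        for (Subscription s : req.subscriptions) {
            if (s.attributeId == null || !ATTRIBUTE_ID.matcher(s.attributeId).matches()) {
                throw new IllegalArgumentException("bad attributeId: " + s.attributeId);
            }
            if (s.items == null || s.items.isEmpty()) {
                throw new IllegalArgumentException("attribute " + s.attributeId + " has no items");
            }
            for (SubscriptionItem it : s.items) {
                if (it.strId == null || !STR_ID.matcher(it.strId).matches()) {
                    throw new IllegalArgumentException("bad strId: " + it.strId);
                }
                if (it.nodeType == null || !NODE_TYPES.contains(it.nodeType)) {
                    throw new IllegalArgumentException("bad nodeType: " + it.nodeType);
                }
            }
        }
        return req;
    }
}
```

Feeding the question's sample payload through parseAndValidate returns two subscriptions, while a payload with an extra nodeType such as "X" or a non-numeric attributeId is rejected before it can reach the model object.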

I ran into the same problem. You need to sanitize the JSON data; you can achieve this by using json-sanitizer.

Add this dependency to your project

<dependency>

</dependency>

Add this line to your code

String newsanitizestring = JsonSanitizer.sanitize(passyourjsondatahere);

Now use this string newsanitizestring