声纳污染分析:javasecurity:S5131:强制对 Java 枚举进行消毒:
Sonar Taint analysis : javasecurity:S5131 : Forcing sanitization for Java Enums :
我在 Java 开发了一个 Rest API。我使用枚举作为我的请求参数让我们说性别是枚举之一,并说性别的可能值是 M,F
我知道 requestParametrs 是用户 controlled.Sonar 抱怨它被污染了,我需要清理输入。
我不明白枚举是如何被污染的,以及它为什么会带来风险。我们不能将任何随机值传递给枚举。
期待您的建议。
public ResponseEntity<String> answers(
@RequestParam(value = "genderId", required = true)
GenderEnum genderId) { // genderID is tainted as its controlled by User input
SomeObject param = new SomeObject();
param.setGenderId(genderId); //Polluted too, as requestParam is not sanitized
//Lets assume you make some call to DB
String result=dbCall(genderId); //This is tainted too
return "Hello"+genderId; //Result is also tainted as its also using Non-santized input
}
Enum 的任何错误值都会给您 HTTP 400 Bad Request,这很好。
上述枚举问题将在未来的声纳版本中得到修复。一旦我获得更多信息,我会在这里发表评论。
我在 Java 开发了一个 Rest API。我使用枚举作为我的请求参数让我们说性别是枚举之一,并说性别的可能值是 M,F 我知道 requestParametrs 是用户 controlled.Sonar 抱怨它被污染了,我需要清理输入。
我不明白枚举是如何被污染的,以及它为什么会带来风险。我们不能将任何随机值传递给枚举。
期待您的建议。
public ResponseEntity<String> answers(
@RequestParam(value = "genderId", required = true)
GenderEnum genderId) { // genderID is tainted as its controlled by User input
SomeObject param = new SomeObject();
param.setGenderId(genderId); //Polluted too, as requestParam is not sanitized
//Lets assume you make some call to DB
String result=dbCall(genderId); //This is tainted too
return "Hello"+genderId; //Result is also tainted as its also using Non-santized input
}
Enum 的任何错误值都会给您 HTTP 400 Bad Request,这很好。
上述枚举问题将在未来的声纳版本中得到修复。一旦我获得更多信息,我会在这里发表评论。