如何修复 checkmarx 错误以清理有效负载

HOw to fix checkmarx error for sanitizing payload

我有一个 spring 引导服务 (2.4.5),它显示一个 checkmarx 错误,我们需要清理请求负载。我们如何清理请求负载?

 @ApiOperation(value = "Executes new report. The response contains the new job id.")
@PostMapping(value = "/execute")
public ResponseEntity<MyResponse<Object, Void>> execute(
        @RequestBody final MyInput input) {.......}

我收到“@RequestBody 最终 MyInput 输入”的以下 checkmarx 错误消息:

The application's executeNewReport method executes an SQL query with input, at line 82 of src\main\java\com\gayathri\controllers\JobController.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly. This apparent database access is seemingly encapsulated in an external component or API. Thus, it seems that the attacker might be able to inject arbitrary data into the SQL query, by altering the user input input, which is read by the execute method, at line 75 of src\main\java\com\gayathri\controllers\JobController.java. This input then flows through the code to the external API, and from there to a database server, apparently without sanitization. This may enable an SQL Injection attack, based on heuristic analysis.

我想清理我的负载。或者除了使用 DTO 没有其他选择,然后将其转换为我的数据库实体

根据对漏洞的描述,我假设 Checkmarx 检测到的确切漏洞是“启发式 SQL 注入”。很高兴看到接收器在哪里(漏洞传播的地方)而不仅仅是源(“@RequestBody final MyInput 输入”)。

第一种方法是使用参数化或准备好的语句,这里是 OWASP 的 link 到 cheatsheet 可能对您有用

我认为 Checkmarx 还关注 encodeForSQL 函数的使用,这将要求您使用 OWASP Enterprise Security API library

如果您正在使用 MySQL:

input = ESAPI.encoder().encodeForSQL(new MySQLCodec(), input);

或适当更改数据库编解码器