Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
101 views
in Technique[技术] by (71.8m points)

java - Fix SERVLET_PARAMETER (Untrusted servlet parameter) spotbugs problem

extractQueryParam extracts a specific query parameter from a request using getParameter(String paramName).

The query parameter will contain a Base64 encoded String.

private String extractQueryParam(HttpServletRequest request, String queryParamName) {
  return request.getParameter(queryParamName);
}

However request.getParameter(queryParamName) is throwing a SpotBugs problem:

Problem classification:
Security (Servlet Parameter)
SERVLET_PARAMETER (Untrusted servlet parameter)

The method getParameter returns a String value that is controlled by the client
Low Confidence Security

Untrusted servlet parameter
The Servlet can read GET and POST parameters from various methods. 
The value obtained should be considered unsafe. 
You may need to validate or sanitize those values before passing them to sensitive APIs such as:
- SQL query (May leads to SQL injection)
- File opening (May leads to path traversal)
- Command execution (Potential Command injection)
- HTML construction (Potential XSS)
- etc...
 
Reference CWE-20: Improper Input Validation

I've tried various validation (example next), but the problem continues to show.

What could I do to fix this SpotBugs problem?

private String extractQueryParam(HttpServletRequest request, String queryParamName) {
  String result = null;
  String parsedParam = request.getParameter(queryParamName);
  if (!parsedParam.isBlank() && !parsedParam.isEmpty()) {
    result = parsedParam;
  }
  return result;
}

Method that invokes extractQueryParam:

@Override
public void onAuthenticationFailure(
    HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
    throws IOException {

  if (exception instanceof OAuth2AuthenticationException) {

    String encodedState = extractQueryParam(request, "state");
    byte[] decodedState = Base64.getDecoder().decode(encodedState.getBytes(StandardCharsets.UTF_8));
    String destinationUrl = objectMapper.readTree(decodedState).get(DESTINATION_URL_KEY).asText();
    String url = RedirectUtils.getRelativeUriStringFromUrl(destinationUrl);
    RedirectUtils.safeRedirect(response, url);

  } else {
    throw exception;
  }
}
question from:https://stackoverflow.com/questions/65837880/fix-servlet-parameter-untrusted-servlet-parameter-spotbugs-problem

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...