2017-06-20 145 views
0

How to prevent reflected XSS for a Java object

I scanned my project with Checkmarx and it reports reflected XSS for a Java object that is a parameter of the method below. This is the error Checkmarx reported:

Method readDataUsingQueryObject at line 743 of /src/main/java/com/cognizant/hap/core/controller/DataController.java gets user input for the query element. This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method readDataUsingQueryObject at line 743 of /src/main/java/com/cognizant/hap/core/controller/DataController.java. This may enable a Cross-Site-Scripting attack.

Here is the method:

@RequestMapping(value = { "/readGraph/{iLakeId}/{dataPoolName}/{dataspaceName}/{datasetName}" }, headers = "Accept=*/*", method = RequestMethod.POST, produces = "application/json;charset=UTF-8")
@ResponseBody
public ResponseEntity<DataLakeGraph> readGraph(
        @ApiParam(name = "iLakeId", value = "int", required = true) @PathVariable int iLakeId,
        @ApiParam(name = "dataPoolName", value = "Datapool name", required = true) @PathVariable String dataPoolName,
        @ApiParam(name = "dataspaceName", value = "Dataspace name", required = true) @PathVariable String dataspaceName,
        @ApiParam(name = "datasetName", value = "Graph Dataset name", required = true) @PathVariable String datasetName,
        // the request body is deserialized into the Query object that Checkmarx flags as user input
        @ApiParam(name = "query", value = "Query model", required = true) @RequestBody(required = false) Query query,
        HttpServletResponse servRes) {
    DataLakeGraph dataLake = iLakeService.readGraph(iLakeId,
            dataPoolName, dataspaceName, datasetName, query);
    return HAPUtil.createResponseEntity(dataLake, HttpStatus.OK);
}

Here is the class:

public class Query { 

    private int size; 
    private int offset; 
    private String queryString; 
    private List<Field> select; 
    private List<Filter> filters; 
    private String filterString; 
    private SortOn sortOn; 
    private List<Aggregation> aggregations; 
    private Histogram histogram; 
    private GraphQuery graphQuery; 
    private boolean highlight; 

    //setters and getters 
} 

Could you please let me know how to sanitize or validate the Query object that is a parameter of the method?

Answers

0

You don't say which lines of code you have at line 743 of DataController.java, the query call. The Checkmarx SAST tool found a path where the user's query is sent back in the response, but it isn't in the code snippet you posted. In general, for reflected cross-site scripting, you should do positive or whitelist validation (i.e. accept known good) on any user input that can then be sent back to the user. The user query should be a well-known pattern, so this should be possible.

Below is a complete example of whitelist validation of user input, followed by exact match (or roster) validation. In this case it checks that the user input is one of the 13 states of Malaysia. mState is the user input.

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MalaysianStateValidator {

    private static final String stateFormatMy = "^[A-Z]{3}$"; // three uppercase alpha characters
    private static final Pattern pattern = Pattern.compile(stateFormatMy);

    private final String mState; // the user input being validated

    public MalaysianStateValidator(String mState)
    {
        this.mState = mState;
    }

    public boolean validateStateMy()
    {
        // always check the length of any string before you do any regex operations
        // to protect against ReDoS
        if(mState == null || mState.length() != 3)
        {
            System.err.println("State abbreviations in Malaysia are three characters");
            return false;
        }

        // Whitelist validation ensures three uppercase alpha characters
        Matcher matcher = pattern.matcher(mState);
        if(!matcher.matches())
        {
            System.err.println("State abbreviations in Malaysia are three uppercase alpha characters");
            return false;
        }

        // Exact match or roster validation
        boolean bValid = true;
        switch(mState)
        {
        case "JHR": break;
        case "KDH": break;
        case "KTN": break;
        case "MLK": break;
        case "NSN": break;
        case "PHG": break;
        case "PLS": break;
        case "PRK": break;
        case "PNG": break;
        case "SBH": break;
        case "SWK": break;
        case "SGR": break;
        case "TRG": break;
        default:
            System.err.println("The abbreviation does not indicate a state (according to Wikipedia)");
            bValid = false;
            break;
        }
        return bValid;
    }
}
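The state-abbreviation example above validates a single string. Applied to the question's Query object, the same approach (length check, then positive pattern match, then roster validation) has to run per field before the object reaches the service. The following is an added example, not code from the question or the answer: it uses a minimal stand-in for the page's Query and Field classes with only the members it checks, and the allowed-character pattern, the KNOWN_FIELDS roster and the size bound are assumptions chosen for illustration, not the application's real schema. It also HTML-encodes any value that is echoed back, as a second layer in case validation is ever bypassed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class QueryValidator {

    // Assumed minimal shapes of the page's Query and Field classes.
    public static final class Field {
        private final String name;
        public Field(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static final class Query {
        private int size;
        private int offset;
        private String queryString;
        private final List<Field> select = new ArrayList<>();
        public int getSize() { return size; }
        public void setSize(int size) { this.size = size; }
        public int getOffset() { return offset; }
        public void setOffset(int offset) { this.offset = offset; }
        public String getQueryString() { return queryString; }
        public void setQueryString(String queryString) { this.queryString = queryString; }
        public List<Field> getSelect() { return select; }
    }

    // Assumed bounds and whitelist for the example.
    private static final int MAX_QUERY_LENGTH = 256;
    private static final int MAX_PAGE_SIZE = 1000;
    // Positive pattern: letters, digits, space and a few query operators; '<', '>', '"' are not in it.
    private static final Pattern QUERY_STRING_PATTERN = Pattern.compile("^[A-Za-z0-9 _.:*=\\-]+$");
    // Roster of field names a caller may select (constructed for the example).
    private static final Set<String> KNOWN_FIELDS = Set.of("id", "name", "createdAt", "region", "amount");

    /** Returns the list of validation failures; an empty list means the query is acceptable. */
    public static List<String> validate(Query q) {
        List<String> errors = new ArrayList<>();
        if (q == null) {
            errors.add("query body is required");
            return errors;
        }

        // Range checks on the numeric paging fields.
        if (q.getSize() < 1 || q.getSize() > MAX_PAGE_SIZE) {
            errors.add("size must be between 1 and " + MAX_PAGE_SIZE);
        }
        if (q.getOffset() < 0) {
            errors.add("offset must not be negative");
        }

        // Length check first (guards the regex against ReDoS), then positive pattern match.
        String qs = q.getQueryString();
        if (qs != null) {
            if (qs.length() > MAX_QUERY_LENGTH) {
                errors.add("queryString is longer than " + MAX_QUERY_LENGTH + " characters");
            } else if (!QUERY_STRING_PATTERN.matcher(qs).matches()) {
                errors.add("queryString contains characters outside the allowed set");
            }
        }

        // Roster (exact match) validation of every selected field name.
        for (Field f : q.getSelect()) {
            String name = (f == null) ? null : f.getName();
            if (name == null || !KNOWN_FIELDS.contains(name)) {
                errors.add("unknown select field: " + name);
            }
        }
        return errors;
    }

    /** Defence in depth: encode any string that is reflected into an HTML context. */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        Query good = new Query();
        good.setSize(50);
        good.setOffset(0);
        good.setQueryString("region:north amount:*");
        good.getSelect().add(new Field("name"));
        System.out.println("good query errors: " + validate(good));

        Query bad = new Query();
        bad.setSize(0);
        bad.setQueryString("<script>alert(1)</script>");
        bad.getSelect().add(new Field("password"));
        System.out.println("bad query errors: " + validate(bad));
        System.out.println("escaped: " + htmlEscape(bad.getQueryString()));
    }
}
```

In the controller from the question, the natural place for this is before the call to iLakeService.readGraph: if validate(query) returns a non-empty list, return a ResponseEntity with HttpStatus.BAD_REQUEST instead of passing the object on, so the rejected value never reaches the code path Checkmarx traced to the response. Keep the roster and pattern as the only source of truth for what a query may contain; extending them is a deliberate change, whereas a blacklist of known bad characters silently misses the next one.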