I have an endpoint that receives a String from the client as seen below:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
String y = myService.process(x);
return Response.status(OK).entity(y).build();
}
Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"
Then I tried this:
@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
if (StringUtils.trimToNull(x) == null || x.length() > 100) {
throw new RuntimeException();
}
x = x.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
String y = myService.process(x);
y = y.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "")
return Response.status(OK).entity(y).build();
}
But it still considers this a high severity vulnerability.
How do I properly sanitize or validate to pass a Checkmarx scan?
For example, you might change all single quotation marks in a string to double quotation marks (sanitize) and then check that all the quotation marks were actually changed to double quotation marks (validate). Validation checks include testing for the length, format, range, and allowable characters.
By using both input validation and input sanitization, a web application creates more layers of security. These methods of input handling can be performed on either the client-side or the server-side.
HtmlUtils from spring-web
got the job done with:
HtmlUtils.htmlEscape(x)
Maven dependency:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>5.1.7.RELEASE</version>
</dependency>
in .Net framework > 4.0 use AntiXSS
AntiXssEncoder.HtmlEncode()
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With