How to sanitize and validate user input to pass a Checkmarx scan

I have an endpoint that receives a String from the client as seen below:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import static javax.ws.rs.core.Response.Status.OK;

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    String y = myService.process(x);
    return Response.status(OK).entity(y).build();
}

Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"

Then I tried this:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import static javax.ws.rs.core.Response.Status.OK;
import org.apache.commons.lang3.StringUtils; // assumed: commons-lang3 StringUtils (trimToNull)

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    // reject blank input and anything longer than 100 characters
    if (StringUtils.trimToNull(x) == null || x.length() > 100) {
        throw new RuntimeException();
    }
    // strip quote and backslash characters from the input before processing it
    x = x.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "");
    String y = myService.process(x);
    // strip the same characters from the result before it is returned
    y = y.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "");
    return Response.status(OK).entity(y).build();
}

But it still considers this a high severity vulnerability.

How do I properly sanitize or validate to pass a Checkmarx scan?

cahen asked Aug 13 '15 09:08



2 Answers

HtmlUtils from spring-web got the job done with:

import org.springframework.web.util.HtmlUtils;
String safe = HtmlUtils.htmlEscape(x);

Maven dependency:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>5.1.7.RELEASE</version>
</dependency>
cahen answered Sep 17 '22 12:09
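As an added example (not code from either answer above), this puts the two things Checkmarx asks for side by side: allowlist validation of the path parameter and HtmlUtils.htmlEscape on the value at the point it is sent back to the client. Plain Java stands in for the JAX-RS endpoint, `process` is an assumed stand-in for the question's `myService.process`, and the allowlist pattern is an assumption; it needs the spring-web dependency from the answer on the classpath.

```java
import java.util.regex.Pattern;
import org.springframework.web.util.HtmlUtils;

public class SafePathParam {
    // Assumed allowlist for this endpoint: 1-100 characters of letters, digits, '_' or '-'.
    // Validation means rejecting anything outside the expected shape rather than
    // trying to strip "bad" characters out of it.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_-]{1,100}$");

    /** Validation step: throws instead of returning a cleaned-up version of the input. */
    static String validate(String x) {
        if (x == null || !ALLOWED.matcher(x).matches()) {
            throw new IllegalArgumentException("invalid path parameter");
        }
        return x;
    }

    /** Assumed stand-in for myService.process(x): echoes the input into a message. */
    static String process(String x) {
        return "Result for " + x;
    }

    /** Encoding step: escape for HTML where the value is actually written to the response. */
    static String render(String y) {
        return HtmlUtils.htmlEscape(y);
    }

    public static void main(String[] args) {
        // normal input passes validation and is unchanged by escaping
        System.out.println(render(process(validate("order-42"))));

        // input carrying markup is rejected up front
        try {
            validate("order<b>42</b>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // even if a value reaches the response body with markup in it, escaping neutralises it
        System.out.println(render("<b>bold</b> & \"quoted\""));
    }
}
```

Validation on the way in and escaping on the way out are independent: the escape step is what addresses the "displayed to the user" part of the finding, and it still applies if the allowlist is later loosened.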


In .NET Framework > 4.0 use AntiXSS

using System.Web.Security.AntiXss;
string safe = AntiXssEncoder.HtmlEncode(x, false);

Jeyaganesh answered Sep 19 '22 12:09