Fixing the SpotBugs issue SERVLET_PARAMETER (Untrusted servlet parameter)

Problem description

extractQueryParam uses getParameter(String paramName) to extract a specific query parameter from the request.

The query parameter will contain a Base64-encoded string.

private String extractQueryParam(HttpServletRequest request, String queryParamName) {
  return request.getParameter(queryParamName);
}

However, request.getParameter(queryParamName) raises a SpotBugs issue:

Problem classification:
Security (Servlet Parameter)
SERVLET_PARAMETER (Untrusted servlet parameter)

The method getParameter returns a String value that is controlled by the client
Low Confidence Security

Untrusted servlet parameter
The Servlet can read GET and POST parameters from various methods.
The value obtained should be considered unsafe. 
You may need to validate or sanitize those values before passing them to sensitive APIs such as:
- sql query (May leads to sql injection)
- File opening (May leads to path traversal)
- Command execution (Potential Command injection)
- HTML construction (Potential XSS)
- etc...
 
Reference CWE-20: Improper Input Validation

I have tried various validations (see the next example), but the issue persists.

What can I do to resolve this SpotBugs issue?

private String extractQueryParam(HttpServletRequest request, String queryParamName) {
  String result = null;
  String parsedParam = request.getParameter(queryParamName);
  // getParameter returns null when the parameter is absent; check that first to avoid an NPE.
  // isBlank() already covers the empty string, so a separate isEmpty() check is not needed.
  if (parsedParam != null && !parsedParam.isBlank()) {
    result = parsedParam;
  }
  return result;
}

Calling the extractQueryParam method

@Override
public void onAuthenticationFailure(
    HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
    throws IOException {

  if (exception instanceof OAuth2AuthenticationException) {

    String encodedState = extractQueryParam(request, "state");
    byte[] decodedState = Base64.getDecoder().decode(encodedState.getBytes(StandardCharsets.UTF_8));
    String destinationUrl = objectMapper.readTree(decodedState).get(DESTINATION_URL_KEY).asText();
    String url = RedirectUtils.getRelativeUriStringFromUrl(destinationUrl);
    RedirectUtils.safeRedirect(response, url);

  } else {
    throw exception;
  }
}
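The warning points at the real risk in the flow above: a client-controlled "state" value is decoded, parsed as JSON, and then used to choose a redirect target, which is the classic shape of an open-redirect bug (CWE-20 feeding into an unsafe redirect). The following is an added example, not code from the original post: a validation step that checks presence, length, Base64 alphabet, JSON structure, and finally that the destination is a same-application relative path before anything is redirected. RedirectUtils and the value of DESTINATION_URL_KEY are not shown on the page, so the class below assumes its own key name ("destinationUrl"), its own length limit, and its own path check; the real project's helpers may differ.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Added example: validates the OAuth2 "state" query parameter before it drives a redirect. */
public final class StateParamValidator {

    // Assumed values for this example; the original post only names DESTINATION_URL_KEY as a constant.
    private static final int MAX_STATE_LENGTH = 2048;
    private static final String DESTINATION_URL_KEY = "destinationUrl";
    // Standard Base64 alphabet with optional padding; anything else is rejected before decode().
    private static final Pattern BASE64_ALPHABET = Pattern.compile("^[A-Za-z0-9+/]+={0,2}$");

    private final ObjectMapper objectMapper = new ObjectMapper();

    /**
     * Reads the tainted "state" parameter and returns a validated relative redirect target,
     * or empty when any check fails. On empty, callers should redirect to a fixed default page,
     * never to the raw parameter.
     */
    public Optional<String> destinationFromState(HttpServletRequest request) {
        String raw = request.getParameter("state"); // client-controlled: treat as untrusted
        return destinationFromState(raw);
    }

    /** Pure validation of the raw parameter value; split out so it can be unit-tested without a request. */
    public Optional<String> destinationFromState(String raw) {
        // 1. Presence and size: reject null, blank and oversized values before doing any work.
        if (raw == null || raw.isBlank() || raw.length() > MAX_STATE_LENGTH) {
            return Optional.empty();
        }
        // 2. Shape: only the Base64 alphabet, so the decoder is never handed arbitrary text.
        if (!BASE64_ALPHABET.matcher(raw).matches()) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(raw);
        } catch (IllegalArgumentException e) { // bad padding or length
            return Optional.empty();
        }
        // 3. Structure: must parse as JSON and carry a textual destination field.
        JsonNode node;
        try {
            node = objectMapper.readTree(new String(decoded, StandardCharsets.UTF_8));
        } catch (IOException e) { // JsonProcessingException is an IOException
            return Optional.empty();
        }
        JsonNode dest = node == null ? null : node.get(DESTINATION_URL_KEY);
        if (dest == null || !dest.isTextual()) {
            return Optional.empty();
        }
        // 4. Destination: only a path on this application is allowed.
        return toRelativePath(dest.asText());
    }

    /**
     * Accepts "/path?query" forms only. Rejects absolute URLs ("https://evil.example/"),
     * protocol-relative forms ("//evil.example/"), scheme-only tricks ("javascript:..."),
     * and anything java.net.URI refuses to parse (for example backslashes).
     */
    static Optional<String> toRelativePath(String candidate) {
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String rawPath = uri.getRawPath();
        if (uri.isAbsolute() || uri.getAuthority() != null || rawPath == null
                || !rawPath.startsWith("/") || rawPath.startsWith("//")) {
            return Optional.empty();
        }
        // Collapse "." and ".." segments, then refuse anything that still tries to climb.
        String path = uri.normalize().getRawPath();
        if (path == null || path.contains("/../") || path.endsWith("/..")) {
            return Optional.empty();
        }
        StringBuilder sb = new StringBuilder(path);
        if (uri.getRawQuery() != null) {
            sb.append('?').append(uri.getRawQuery());
        }
        return Optional.of(sb.toString()); // fragment is dropped deliberately
    }
}
```

Two things worth knowing when applying this. First, SERVLET_PARAMETER is a low-confidence, informational finding that find-sec-bugs reports on the getParameter call itself, so adding checks after the call in the same method does not make it disappear; the finding is a prompt to confirm that every use of the value is validated before it reaches a sink (here, the redirect), after which the reviewed call can be excluded through the project's SpotBugs filter or `@SuppressFBWarnings("SERVLET_PARAMETER")` from spotbugs-annotations. Second, the path check above only guarantees that the browser stays on this application; whether the "state" value is the one this server issued is a separate integrity question that Spring Security's authorization request repository handles during the normal OAuth2 flow, and this failure handler should not trust the parameter any more than that check already does.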

Solution

No effective solution to this problem has been found yet; the editor is still searching and compiling one!

If you have found a good solution, please send it to the editor together with the link to this page.

Editor's email: dio#foxmail.com (replace # with @)