In our project we are currently using Fortify scanner to scan our code, and we have an interesting question. We are considering that something like
@PathVariable (required = true) String id
is already sanitized by Spring, but in our case it raises an issue when used in the following context:
@RequestMapping(
    method = RequestMethod.DELETE,
    path = "/{id}",
    consumes = "application/json"
)
public ResponseEntity cancelTask(
        @PathVariable (required = true) String id,
        @RequestBody (required = false) String reason
) {
    String userId = authenticationContext.getUserId();
    if (!authorizationService.hasPermission(userId, id, TaskAccessRight.EDIT)) {
        log.warn("User {} is not authorized to cancel task {}", userId, id);
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Not authorized to cancel task " + id);
    }
    ...
}
Fortify flags this as a Cross-Site Scripting: Reflected issue.
My question is: is it really possible to exploit this by passing an id such as
<script>alert('Hello Jack')</script>
as the path input? If so, how should we sanitize it in the body?
We are not certain that this is sanitized, so we are not sure it is a false positive. Can someone confirm that Spring takes care of this automatically?
We have dozens of similar issues raised by Fortify.
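Added example, not code from the question: the same endpoint rewritten so that the untrusted path variable is never concatenated into a body that could be served as text/html. It assumes a hypothetical TaskController under /tasks, and the collaborator types AuthenticationContext, AuthorizationService and TaskAccessRight are stand-ins declared inline only so the file compiles on its own; the helpers notAuthorizedBody and notAuthorizedText are likewise introduced here. Spring does not HTML-encode path variables or String response bodies, so the hardening has to come from the controller.

```java
import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

// Hypothetical controller (assumption: the question's method lives in a class like this).
@RestController
@RequestMapping("/tasks")
public class TaskController {

    private static final Logger log = LoggerFactory.getLogger(TaskController.class);

    private final AuthenticationContext authenticationContext;
    private final AuthorizationService authorizationService;

    public TaskController(AuthenticationContext authenticationContext,
                          AuthorizationService authorizationService) {
        this.authenticationContext = authenticationContext;
        this.authorizationService = authorizationService;
    }

    // Why the original is flagged: a String body in a ResponseEntity is written by
    // StringHttpMessageConverter, which advertises "*/*". With no "produces" on the
    // mapping, a request carrying "Accept: text/html" gets the body back as
    // text/html, so "<script>...</script>" in the id is reflected into an HTML
    // response verbatim. Pinning "produces" removes that negotiation entirely.
    @RequestMapping(
            method = RequestMethod.DELETE,
            path = "/{id}",
            consumes = MediaType.APPLICATION_JSON_VALUE,
            produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Map<String, String>> cancelTask(
            @PathVariable String id,
            @RequestBody(required = false) String reason) {
        String userId = authenticationContext.getUserId();
        if (!authorizationService.hasPermission(userId, id, TaskAccessRight.EDIT)) {
            log.warn("User {} is not authorized to cancel task {}", userId, id);
            // 403: the caller is authenticated but lacks the right (401 means
            // "not authenticated"). The body is a structured object, so the JSON
            // converter does the encoding instead of string concatenation.
            return ResponseEntity.status(HttpStatus.FORBIDDEN).body(notAuthorizedBody(id));
        }
        // ... cancellation logic from the original goes here ...
        return ResponseEntity.noContent().build();
    }

    // Structured error payload: Jackson serializes the id as a JSON string value
    // inside an application/json response, which a browser will not render as HTML.
    static Map<String, String> notAuthorizedBody(String id) {
        return Map.of("error", "not_authorized", "taskId", id);
    }

    // If a text body is unavoidable (e.g. a legacy client), encode the value
    // explicitly rather than concatenating it; HtmlUtils is Spring's own helper.
    // For "<script>" this yields "&lt;script&gt;".
    static String notAuthorizedText(String id) {
        return "Not authorized to cancel task " + HtmlUtils.htmlEscape(id);
    }

    // Assumed collaborator contracts, matching only the calls made in the question.
    public interface AuthenticationContext {
        String getUserId();
    }

    public interface AuthorizationService {
        boolean hasPermission(String userId, String taskId, TaskAccessRight right);
    }

    public enum TaskAccessRight { VIEW, EDIT }
}
```

Two caveats on exploitability versus the finding itself. Delivering the payload to a victim is hard here: the mapping only answers DELETE requests with a JSON Content-Type, which a browser will not issue through navigation or a plain form, so the reflected response is not displayed as a page in the usual reflected-XSS way. The reflection itself is nevertheless real, because nothing in Spring encodes a @PathVariable or a String body, and the same pattern copied into a GET handler with an unconstrained response type would be directly exploitable. Returning a typed JSON body with an explicit produces media type fixes the whole family of findings rather than one occurrence.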