Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

spring - SpringBoot and Sanitizing @PathVariable

In our project we are currently using Fortify scanner to scan our code, and we have an interesting question. We are considering that something like

@PathVariable (required = true) String id

Is sanitized already by Spring, but in our case it is raising an issue when used in the following context

@RequestMapping(
        method = RequestMethod.DELETE,
        path = "/{id}",
        consumes = "application/json"
)
public ResponseEntity cancelTask(
        @PathVariable (required = true) String id,
        @RequestBody (required = false) String reason
) {
    String userId = authenticationContext.getUserId();
    if (!authorizationService.hasPermission(userId, id, TaskAccessRight.EDIT)) {            log.warn("User {} is not authorized to cancel task {}", userId, id);
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("Not authorized to cancel task " + id);
    }
 ...
}

Fortify flags this as a Cross-Site Scripting: Reflected issue.

My question is it really possible to exploit by saying that id is something like

<script>alert('Hello Jack')</script>

as path input... if so how should we sanitize it in the body?

We are not certain that this is sanitized, soo we are not sure it is a false positive, can someone confirm Spring takes care of this automaticly?

We have dozens of similar issues raised by fortify


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Based on static code analysis, this fortify finding makes sense.
String id is an input to your method, your code is not validating or sanitizing the input and in case of UNAUTHORIZED your code is returning it. So the "bad" code is flowing through your application and fortify and I do not know what the client is doing with the response, so there is some kind of risk.

Spring does not take care of this automatically!

You could use Hibernate-Validator (see Maven Library spring-boot-starter-validation) to validate the input and reject invalid input like your script.
In my German blog, I have written an article about Spring and validation, see:
https://agile-coding.blogspot.com/2020/11/validation-with-spring.html


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...