How to sanitize and validate user input to pass a Checkmarx scan

I have an endpoint that receives a string from a client, as shown below:

    @GET
    @Path("/{x}")
    public Response doSomething(@PathParam("x") String x) {
        String y = myService.process(x);
        return Response.status(OK).entity(y).build();
    }

Checkmarx complains that this element's value "passes through the code without proper sanitization or validation and is ultimately displayed to the user in the doSomething method".

Then I tried this:

    // StringUtils is assumed to be org.apache.commons.lang3.StringUtils
    @GET
    @Path("/{x}")
    public Response doSomething(@PathParam("x") String x) {
        if (StringUtils.trimToNull(x) == null || x.length() > 100) {
            throw new RuntimeException();
        }
        x = x.replace("'", "").replace("'", "").replace("\\", "").replace("\"", "");
        String y = myService.process(x);
        y = y.replace("'", "").replace("'", "").replace("\\", "").replace("\"", "");
        return Response.status(OK).entity(y).build();
    }

But it still flags this as a high-severity vulnerability.

How do I sanitize or validate the input correctly so that it passes the Checkmarx check?

+5
2 answers

Spring-web HtmlUtils did the job:

HtmlUtils.htmlEscape(x)

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>5.1.7.RELEASE</version>
    </dependency>
+7
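An added example, not part of the question or either answer, that contrasts the question's blocklist replace() approach with allowlist validation of the path parameter plus HTML output encoding through Spring's HtmlUtils; it assumes spring-web is on the classpath and the names PathParamSanitizingDemo, ALLOWED_X, blocklistStrip, validateX and encodeForHtml are the example's own.

```java
// Added example: blocklist stripping vs. allowlist validation plus output encoding.
// Assumes spring-web (HtmlUtils) is on the classpath; all names below are the example's own.
import java.util.regex.Pattern;
import org.springframework.web.util.HtmlUtils;

public class PathParamSanitizingDemo {

    // Allowlist for the {x} path segment: accept only what the route actually needs.
    private static final Pattern ALLOWED_X = Pattern.compile("[A-Za-z0-9_-]{1,100}");

    // The question's approach: strip a few characters. Kept only for comparison.
    static String blocklistStrip(String s) {
        return s.replace("'", "").replace("\\", "").replace("\"", "");
    }

    // Validate the input against the allowlist and reject everything else.
    static String validateX(String x) {
        if (x == null || !ALLOWED_X.matcher(x).matches()) {
            throw new IllegalArgumentException("invalid path parameter");
        }
        return x;
    }

    // Encode the service result for an HTML context right before it leaves the endpoint.
    static String encodeForHtml(String y) {
        return HtmlUtils.htmlEscape(y);
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(1)</script>"; // constructed sample input

        // Blocklist: the value contains no quotes or backslashes, so it passes through unchanged.
        System.out.println(blocklistStrip(hostile));

        // Output encoding: < and > become entities, so the browser renders text instead of markup.
        System.out.println(encodeForHtml(hostile));

        // Allowlist: the same value never reaches myService.process() at all.
        try {
            validateX(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(validateX("order-42")); // a value the allowlist accepts
    }
}
```

Encoding is what addresses the "displayed to the user" finding; the allowlist check is an additional input-side control, not a substitute for it.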

In .NET Framework > 4.0, use AntiXSS:

AntiXssEncoder.HtmlEncode()

+1
