How to fix CWE-20: Improper Input Validation

1.3k Views Asked by Rishikesh-12 At 30 April 2025 at 00:25

I have used polaris for static scan on one of my projects. The scan results shows that one of the java class has CWE-20 defect. It is reported for this particular line.

String propValue = req.getParameter(propertyName);

I have tried a few possible ways to resolve this but was not able to resolve. Is there any way that this can be solved?

Original Q&A

There are 2 best solutions below

Andrew On 17 March 2022 at 14:04

CWE-20 is intended to protect against where the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Your single line of code doesn't really explain the nature of your problem... I'm assuming that you are simply using propValue without validation?

Thus the mitigation is to de-taint the input, to protect against dodgy data, before using that input. So you need to do something like:

String propValue = req.getParameter(propertyName);
if ( propValue.validate() )
{
  ... use it
}
else
{
  ... error condition
}

Adewole Opeyemi On 09 January 2024 at 11:15

You do something like this to validate the input

String propertyName = req.getParameter("propertyName");
if (propertyName == null || !Pattern.matches("[A-Za-z0-9_]+", propertyName)) {
    throw new IllegalArgumentException("Invalid property name.");
}
String propValue = req.getParameter(propertyName);

How to fix CWE-20: Improper Input Validation

There are 2 best solutions below

Related Questions in JAVA

Related Questions in STATIC-ANALYSIS

Related Questions in POLARIS

Trending Questions

Popular # Hahtags

Popular Questions