Trust Boundary Violation flaw in Java project


For the below-mentioned code, I'm getting a Trust Boundary Violation in the Checkmarx report.

Error description - Method 'getResponse' gets user input from element request. This element's value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object, in 'parseRequest' method.

Code -

```java
import java.util.HashMap;
import java.util.regex.Pattern;

import javax.ws.rs.core.Context;               // JAX-RS injection of the request headers
import javax.ws.rs.core.HttpHeaders;

import com.google.common.base.Strings;         // Guava Strings.isNullOrEmpty
import org.apache.logging.log4j.ThreadContext; // Log4j 2 thread-local context (MDC)

@Context
HttpHeaders httpHeader;

void parseRequest(SomeRequestType inputRequest) {
    HashMap<String, Data> requestData = inputRequest.getRequestData(httpHeader);
    if (requestData != null) {
        if (Strings.isNullOrEmpty(inputRequest.getId())) {
            Data data = requestData.get("data");
            if (data == null) {
                return; // no "data" element: avoid the NPE on data.getID() below
            }
            var dataID = data.getID();
            // The regex only checks the tainted String; the same object is then stored,
            // which is the flow Checkmarx reports at the ThreadContext.put line
            if ((dataID != null) && Pattern.matches("[0-9]+", dataID)) {
                inputRequest.setId(dataID);
                ThreadContext.put("ID", dataID);
            }
        }
    }
}
```

I am getting the Checkmarx vulnerability at the line below, for "without being properly sanitized or validated":

```java
ThreadContext.put("ID", dataID);
```

Could someone please help me with how to properly sanitize the above line?


If you know for sure that dataID is a number, convert it to integer/long right away, like this:

```java
int dataIDasNumber = Integer.parseInt(dataID); // throws NumberFormatException if dataID is not a valid int
```

And use it like int/long here:

```java
inputRequest.setId(dataIDasNumber);
// ThreadContext.put takes (String, String): pass the parsed number back as a new String
ThreadContext.put("ID", Integer.toString(dataIDasNumber));
```

Then you don't need to do this:

```java
Pattern.matches("[0-9]+", dataID)
```

And your checkmarx violation should go away.
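The approach from the answer carried through end to end, as an added example that is not part of the question or the answer above. It parses the untrusted ID into a long before anything is stored, and also handles the two cases the answer's one-liner does not: input that overflows the numeric type (the question's `[0-9]+` regex accepts any length, and `Integer.parseInt` then throws) and non-ASCII digits (which `Long.parseLong` would silently accept). `Data`, the `CONTEXT` map standing in for Log4j's `ThreadContext`, and the sample inputs in `main` are constructed stand-ins for the request payload in the question, not code from the page.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.OptionalLong;

/**
 * Added example: canonicalise an untrusted request ID into a typed value before
 * storing it. Stand-ins (constructed, not from the page): Data, the CONTEXT map
 * that plays the role of ThreadContext, and the sample inputs in main().
 */
public final class TrustBoundaryExample {

    /** Stand-in for the Data element of the request payload in the question. */
    static final class Data {
        private final String id;
        Data(String id) { this.id = id; }
        String getID() { return id; }
    }

    /** Stand-in for ThreadContext: what the hardened code would store per thread. */
    static final Map<String, String> CONTEXT = new LinkedHashMap<>();

    /**
     * Returns the ID as a long, or empty when the input is not an acceptable ID.
     * Rejects null/empty input, any character outside ASCII '0'..'9', and values
     * that would overflow a long. The length bound is applied before parsing, so
     * Long.parseLong can never throw here.
     */
    static OptionalLong parseId(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 18) {
            return OptionalLong.empty(); // 18 ASCII digits always fit in a long
        }
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            // Long.parseLong also accepts a leading sign and non-ASCII digits
            // (via Character.digit), so restrict to '0'..'9' explicitly
            if (c < '0' || c > '9') {
                return OptionalLong.empty();
            }
        }
        return OptionalLong.of(Long.parseLong(raw));
    }

    /**
     * Hardened counterpart of parseRequest from the question: only the typed,
     * re-serialised value is stored, never the raw request String.
     */
    static boolean parseRequest(Map<String, Data> requestData) {
        if (requestData == null) {
            return false;
        }
        Data data = requestData.get("data");
        if (data == null) {
            return false;
        }
        OptionalLong id = parseId(data.getID());
        if (!id.isPresent()) {
            return false;
        }
        // Store the canonical form: a new String built from the long, not the input
        CONTEXT.put("ID", Long.toString(id.getAsLong()));
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not captured from any real request
        String[] samples = {
            "12345",                 // accepted
            "0012345",               // accepted, stored as 12345 (leading zeros dropped)
            "12abc",                 // rejected: non-digit
            "99999999999999999999",  // rejected: 20 digits, would overflow a long
            "\u0661\u0662\u0663",    // rejected: Arabic-Indic digits, parseLong alone would accept them
            "-5"                     // rejected: sign
        };
        for (String s : samples) {
            Map<String, Data> request = new HashMap<>();
            request.put("data", new Data(s));
            boolean ok = parseRequest(request);
            System.out.println(s + " -> " + (ok ? "stored ID " + CONTEXT.get("ID") : "rejected"));
            CONTEXT.remove("ID");
        }
    }
}
```

Compile and run it as a single file (`java TrustBoundaryExample.java` on JDK 11 or later). The point for the Checkmarx finding is the last step of `parseRequest`: the value that reaches the context is a String freshly built from a `long`, so the taint tracker sees a new object rather than the request input, and the overflow and Unicode-digit cases are rejected instead of throwing or slipping through.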