Checkmarx – How to validate and sanitize HttpServletRequest .getInputStream to pass checkmarx scan

This page collects several answers to one question: how to validate and sanitize the body read from HttpServletRequest.getInputStream() so that a Checkmarx (CxSAST) scan stops reporting it as a high-severity finding. The code is Java with Spring Security and Jackson.

Solution 1

This worked for me; Checkmarx passed this high vulnerability.

I used a combination of @reflexdemon's answer and @tgdavies's comment.

import java.io.IOException;
import java.util.Collections;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.encoder.Encode;   // OWASP Java Encoder
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import com.fasterxml.jackson.databind.ObjectMapper;

// INPUT_LENGTH, MIMETYPE_TEXT_PLAIN_UTF_8 and Entitlements are defined elsewhere in the filter.
@Override
public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
        throws IOException
{
    // Run the declared length and the content type through the encoder so the
    // scanner sees a sanitizer on the data-flow path from the request.
    int len = req.getContentLength();
    len = Integer.parseInt(Encode.forHtml(String.valueOf(len)));
    String type = req.getContentType();
    type = Encode.forHtml(type);          // stays null when the header is absent
    Entitlements creds;
    // Constant on the left avoids a NullPointerException when Content-Type is missing.
    if (len == INPUT_LENGTH && MIMETYPE_TEXT_PLAIN_UTF_8.equals(type)) {
        creds = new ObjectMapper().readValue(
                req.getReader().lines().collect(Collectors.joining(System.lineSeparator())),
                Entitlements.class);
    } else {
        creds = new Entitlements();
    }

    return getAuthenticationManager().authenticate(
            new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
}

Answer by its original author; edited Oct 14, 2020 at 5:00.

Solution 2

Sometimes we can trick the tool with a level of indirection. Can you try the change below and see if that fixes your problem?

Replace:

Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

With,

Entitlements creds = new ObjectMapper().readValue(req.getReader().lines().collect(Collectors.joining(System.lineSeparator())), Entitlements.class);

Answer by its original author.

Solution 3

Your code can be refactored like this:

// Negative
import java.io.IOException;
import java.util.Collections;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter {

    // The answer does not give a value; pick one that fits your real payload.
    private static final int MAX_REQUEST_SIZE = 4096;

    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {

        // Reject bodies whose declared size exceeds the limit before touching the stream.
        if (req.getContentLength() > MAX_REQUEST_SIZE) {
            throw new IOException("request body size too big!");
        }

        Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class);

        return getAuthenticationManager()
                .authenticate(new UsernamePasswordAuthenticationToken(creds.getId(), "", Collections.emptyList()));
    }

}

You can use getContentLength as a validator. By default CxSAST 9.3 is not able to detect this validator, but you can override the Java_Low_Visibility/Unrestricted_File_Upload query with the content of this file:
https://github.com/checkmarx-ts/CxQL/blob/master/Java/Java_Low_Visibility/Unrestricted_File_Upload.txt

Other validators are also supported: getSize and getFileSize. You can also use the MultipartConfig annotation with maxRequestSize, or multipart-config max-request-size in web.xml.

Answer by its original author.
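The check in Solution 3 bounds only the declared Content-Length, which the client chooses and which is -1 for chunked bodies, so it never limits how many bytes are actually read. The class below is an added example, not code from any of the answers above: it also caps the bytes read from the stream, checks the media type without its parameters, and validates the parsed id against an allow-list. It targets the javax.servlet API (Servlet 3.1 or later) with Jackson 2; MAX_BODY_BYTES, EXPECTED_TYPE, ID_PATTERN and the Entitlements fields are assumptions for the illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example; not from the original answers. Reads a login body with a hard
 * byte cap and a media-type check before it reaches Jackson, then allow-list
 * validates the one field the filter actually uses.
 */
public final class BoundedBodyReader {

    // Assumptions for the illustration: tune these to the real payload.
    static final int MAX_BODY_BYTES = 4096;
    static final String EXPECTED_TYPE = "application/json";
    static final Pattern ID_PATTERN = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    // Jackson rejects unknown JSON properties by default, which is what we want here.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Stand-in for the Entitlements bean from the question (fields assumed). */
    public static final class Entitlements {
        private String id;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
    }

    public static Entitlements readEntitlements(HttpServletRequest req) throws IOException {
        // 1. Content-Length is client-supplied and is -1 for chunked bodies, so this
        //    check only rejects the obvious case; it does not bound what we read.
        if (req.getContentLengthLong() > MAX_BODY_BYTES) {
            throw new IOException("declared body size exceeds limit");
        }

        // 2. Compare the media type without its parameters (";charset=UTF-8").
        String type = req.getContentType();
        if (type == null || !EXPECTED_TYPE.equalsIgnoreCase(type.split(";", 2)[0].trim())) {
            throw new IOException("unexpected content type");
        }

        // 3. Read at most MAX_BODY_BYTES. The byte count we actually consume is what
        //    bounds memory, whatever the header claimed.
        byte[] body = readBounded(req.getInputStream(), MAX_BODY_BYTES);

        // 4. Parse, then constrain the value we trust. This allow-list is the real
        //    validation; HTML-encoding a number or a header string constrains nothing.
        Entitlements creds = MAPPER.readValue(body, Entitlements.class);
        if (creds.getId() == null || !ID_PATTERN.matcher(creds.getId()).matches()) {
            throw new IOException("id fails allow-list validation");
        }
        return creds;
    }

    /** Reads up to max bytes; one extra byte of capacity detects an oversize body. */
    static byte[] readBounded(InputStream in, int max) throws IOException {
        byte[] buf = new byte[max + 1];
        int total = 0;
        int n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
            total += n;
        }
        if (total > max) {
            throw new IOException("request body exceeds " + max + " bytes");
        }
        return Arrays.copyOf(buf, total);
    }
}
```

Call readEntitlements(req) from attemptAuthentication in place of the ObjectMapper line; the IOException it throws for an oversize or wrongly typed body is the same failure path the filter already declares. Whether CxSAST recognises readBounded as a validator depends on the query override described in Solution 3; the byte cap and the allow-list are what protect the application regardless of what the scanner reports.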

Solution 4

The solutions below worked for me for the Checkmarx scan.
For stored XSS I used HtmlUtils.escapeHtmlContent(String).

If we want to sanitize the bean classes used in @RequestBody, we have to use

Jsoup.clean(StringEscapeUtils.escapeHtml4(objectMapper.writeValueAsString(object)), Whitelist.basic());

This solved the Checkmarx vulnerability issues for me.

Answer by its original author.
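Solution 4 runs the whole serialized bean through escapeHtml4 and Jsoup.clean, which rewrites the JSON text itself (escapeHtml4 turns every quote into &amp;quot;) before anything is parsed back. As an added example, not code from the answer above, the class below cleans each String field after deserialization with jsoup's Safelist API (the successor of Whitelist from jsoup 1.14.1 on), choosing a policy per field, and encodes on output with Spring's HtmlUtils.htmlEscape. The Entitlements fields and the sample JSON are constructed for the illustration.

```java
import java.io.IOException;

import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.util.HtmlUtils;

import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example; not from the original answers. Sanitizes a deserialized bean
 * field by field instead of passing the serialized JSON through an HTML cleaner,
 * and shows the output encoding that actually stops stored XSS when the value
 * is rendered into a page.
 */
public final class BeanSanitizer {

    /** Stand-in for the Entitlements bean from the question; fields are assumed. */
    public static final class Entitlements {
        private String id;
        private String displayName;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Parse the request JSON, then clean each text field with a policy that fits it. */
    public static Entitlements parseAndSanitize(String json) throws IOException {
        Entitlements e = MAPPER.readValue(json, Entitlements.class);
        // An identifier never legitimately contains markup: Safelist.none() drops every tag.
        e.setId(clean(e.getId(), Safelist.none()));
        // A display name may carry simple formatting: Safelist.basic() keeps b, i, a, etc.
        e.setDisplayName(clean(e.getDisplayName(), Safelist.basic()));
        return e;
    }

    private static String clean(String value, Safelist safelist) {
        return value == null ? null : Jsoup.clean(value, safelist);
    }

    /** Encode at the point of output; this holds even if the stored value was never cleaned. */
    public static String renderForHtml(String storedValue) {
        return HtmlUtils.htmlEscape(storedValue == null ? "" : storedValue);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample request body carrying markup in both fields.
        String json = "{\"id\":\"alice<script>alert(1)</script>\","
                + "\"displayName\":\"<b>Alice</b><img src=x onerror=alert(1)>\"}";
        Entitlements e = parseAndSanitize(json);
        System.out.println("id after cleaning:          " + e.getId());
        System.out.println("displayName after cleaning: " + e.getDisplayName());
        System.out.println("displayName for HTML:       " + renderForHtml(e.getDisplayName()));
    }
}
```

Cleaning on input changes what is stored (jsoup also entity-encodes characters such as &amp; in plain text), so keep the allow-list narrow and treat htmlEscape at render time as the control the scanner's stored-XSS finding is really asking for.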
