时间戳

首页 > 解决方案 > Java中的JSON注入强化修复

java - Java中的JSON注入强化修复

问题描述

我正在使用下面的代码来清理 JSON,但是,我在从 Fortify 扫描时得到了 JSON 注入,你能帮我找出问题所在,或者这不是问题,也许是抑制。我也寻找过同样的问题,但那些并没有解决我的问题。我的问题是我在将 JSON 转换为 java 对象之前对其进行了清理,但我仍然在 fortify 中遇到 JSON 注入错误

public String handleEventMessage(String jsonRequest) {
    MonerisPaymentDetailsObject paymentObject = null;
        if(null!=jsonRequest && jsonRequest.length()>0){
            try{
                paymentObject = mapper.readValue(JsonSanitizer.sanitize(jsonRequest), MonerisPaymentDetailsObject.class);
            }catch(Exception ex){
                logger.error("Error occured while converting MonerisPaymentDetailsObject json to Object :" , ex);
          }
            
      return "abc";
   }

加强对此错误的以下描述

 1. Data enters a program from an untrusted source.
    
    In this case the data enters at readLine() in EPWFPaymentServicesServlet.java at line 49.
    
    
    2. The data is written to a JSON stream.
    
    In this case the JSON is written by readValue() in EPWFMonerisPaymentsServiceHandler.java at line 46.

输入数据的 EPWFPaymentServicesServlet.java 代码

 @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        CodeTimer timer = new CodeTimer("EPWFPaymentServicesServlet.doPost()", true);
       
        response.setContentType("text/xml");

        BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream()));
        StringBuffer requestBuffer = new StringBuffer(request.getContentLength());
        String line = null;
        while ((line = reader.readLine()) != null) {
            requestBuffer.append(line).append('\n');
        }
        
        // read the POST request contents
        String requestString = requestBuffer.toString();
        if (logger.isDebugEnabled()) {
            logger.debug("EPWF Payment Service POST Request: \n" + ((requestString == null) ? "Null" : requestString.substring(0, 9)));
         }   
        
        PaymentServiceHandlerComposit paySvcHandler = new PaymentServiceHandlerComposit();
        String responseString =paySvcHandler.handleEventMessage(requestString);//line no 49 where fortify is giving description for class where i am sanitizing  the data
        
        if (logger.isDebugEnabled()) {
            logger.debug("EPWF Payment Service POST Response: \n" + ((responseString == null) ? "Null" : requestString));
         }   
        response.getOutputStream().print(responseString);
        timer.stopAndLogTiming("");
    }

标签: javajsonfortify

解决方案

鉴于您使用的是最新版本的jackson,因此在将数据交给 jackson 之前根本不需要预先清理或更改您的数据。

Jackson 只会接受和解析有效的 JSON,因为发现新的漏洞和漏洞,Jackson 的维护者会修复和发布新版本。你能做的最好的就是跟上这些版本的最新状态。

如果满足上述条件,您可以安全地从 fortify 中抑制此错误,您的自定义 sanitizer 中存在错误的可能性远高于 Jackson 中存在错误的可能性

推荐阅读