gpt4 book ai didi

java - Java 中 JSON 注入(inject)的强化错误

转载 作者:塔克拉玛干 更新时间:2023-11-03 04:36:52 24 4
gpt4 key购买 nike

我正在从客户端获取 SUBSCRIPTION_JSON,我将其转换为字符串,然后使用 gson 库将其设置为模型对象。在 Fortify security 上运行代码时,它在下面的代码中给我 Json 注入(inject)错误,并显示以下消息:

这是错误:

On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.

Explanation
JSON injection occurs when:

1. Data enters a program from an untrusted source.

In this case the data enters at getString() in **SubscriptionAction.java** at line 355.


2. The data is written to a JSON stream.

In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.

SubscriptionAction.java

final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);

ActionHelper.java

public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
T object = null;
if (StringUtils.isNotBlank(jsonString)) {
final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
object = gson.fromJson(jsonString, className);
}
return object;
}

SUBSCRIPTION_JSON ->

{
"subscriptions": [{
"attributeId": "1",
"items": [{
"strId": "ALL",
"nodeType": "G"
}, {
"strId": "VO_ENTRY_TIMING_DELAY",
"nodeType": "L"
}, {
"strId": "O_INVALID",
"nodeType": "L"
}, {
"strId": "O_LINE_INVALID",
"nodeType": "L"
}, {
"strId": "V_INVALID",
"nodeType": "L"
}, {
"strId": "V_ADDRESS_INVALID",
"nodeType": "L"
}]
}, {
"attributeId": "2001",
"items": [{
"strId": "OSTBU",
"nodeType": "L"
}]
}]
}

最佳答案

在将 JSON 转换为 java 对象之前,您必须对其进行清理。这是经过测试的解决方案,它删除了这个强化警告。

<dependency>
<groupId>com.mikesamuel</groupId>
<artifactId>json-sanitizer</artifactId>
<version>1.0</version>
</dependency>

InputStream responseBodyAsStream = null;
responseString = EntityUtils.toString(httpResponse.getEntity(),"UTF-8");
String wellFormedJson = com.google.json.JsonSanitizer.sanitize(responseString);

Map map = mapper.readValue(wellFormedJson, Map.class);

Hope this helps..!!

关于java - Java 中 JSON 注入(inject)的强化错误,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49800113/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com