java - 如何通过 Fortify 修复 "reveal system data or debugging information by calling println()"

Question

我们的项目使用 Fortify 来扫描我们的代码。扫码后，由于HttpServletResponse直接写入错误信息，存在Audit问题。

response.getWriter().println(e.getLocalizedMessage());

以下是关于这个问题的解释。

Abstract:

The function processNonPersistenceException() in Utility.java might reveal system data or debugging information by calling println() on line 86. The information revealed by println() could help an adversary form a plan of attack.

Explanation:

An external information leak occurs when system data or debugging information leaves the program to a remote machine via a socket or network connection. External leaks can help an attacker by revealing specific data about operating systems, full pathnames, the existence of usernames, or locations of configuration files, and are more serious than internal information leaks which are more difficult for an attacker to access.

In this case println() is called in Utility.java at line 86.

建议是；

Recommendations:

Write error messages with security in mind. In production environments, turn off detailed error information in favor of brief messages. Restrict the generation and storage of detailed output that can help administrators and programmers diagnose problems. Be careful, debugging traces can sometimes appear in non-obvious places (embedded in comments in the HTML for an error page, for example).

Even brief error messages that do not reveal stack traces or database dumps can potentially aid an attacker. For example, an "Access Denied" message can reveal that a file or user exists on the system. Due to this, it's advised to always keep information instead of sending it to a resource directly outside the program.

我真的不知道如何解决这个问题。您有什么建议吗？非常感谢。

BR亚历克斯

Answer 1

我正在寻找类似问题的答案并遇到了这个。

这段代码中的问题非常明显将实际的异常消息发送给最终用户。

建议不要在错误消息中传递实际的异常跟踪或底层代码详细信息。

这主要是为了避免黑客能够识别有关您的程序的更多详细信息。堆栈跟踪或异常消息可能会向黑客提供太多信息。同时它也对最终用户没有帮助。

• 阅读此内容 [SO Thread] 。

• 还有这个:Why is exception.printStackTrace() considered bad practice?

只需添加一条更简单的消息即可解决此问题。例如“发生意外错误。请稍后再试”或更好的内容。