Veracode scan: encapsulation flaw (Deserialization of Untrusted Data) in a Java Spring Boot application

Tags: java, json, encapsulation, veracode

A Veracode scan reports a medium-severity finding in the code of a Spring Boot application. It is an encapsulation flaw related to Deserialization of Untrusted Data (CWE ID 502). I hope the experts here can help. searchReqStr is the JSON string from the request. Veracode complains about the objectMapper.readValue line:
    try {
        eventSearchFields = objectMapper.readValue(searchReqStr, EventSearchFields.class);
    } catch (IOException e) {
        ....
    }
All fields of the EventSearchFields class are private:

    import java.io.Serializable;
    import java.util.ArrayList;
    import java.util.List;

    import com.fasterxml.jackson.annotation.JsonProperty;

    public class EventSearchFields implements Serializable {
        private static final long serialVersionUID = 2373607xxxxx;

        @JsonProperty("searchCriteria")
        private List<EventSearchCriteria> searchCriteria = new ArrayList<>();

        public List<EventSearchCriteria> getSearchCriteria() {
            return searchCriteria;
        }

        public void setSearchCriteria(List<EventSearchCriteria> searchCriteria) {
            this.searchCriteria = searchCriteria;
        }
    }
I tried changing `?` to `Object`, but with no luck. Any suggestions that help me get through the Veracode scan are welcome.

Comment from Michał Ziober: I think Veracode complains because you are deserialising data from JSON at all, not because you used `?` or `Object` in the List declaration. Jackson keeps you safe by default, but you need to check the ObjectMapper configuration. Start by reading [link] and [article].

Reply: @MichałZiober Thanks. I'll take a look.

The EventSearchCriteria class:
    import java.io.Serializable;
    import java.util.ArrayList;
    import java.util.List;

    import com.fasterxml.jackson.annotation.JsonProperty;

    public class EventSearchCriteria implements Serializable {
        private static final long serialVersionUID = -624493860290016xxxxx;

        @JsonProperty("searchFieldName")
        private String searchFieldName;

        // Wildcard element type: the request mixes plain strings and nested criteria objects here.
        @JsonProperty("searchFieldValue")
        private transient List<?> searchFieldValue = new ArrayList<>();

        public String getSearchFieldName() {
            return searchFieldName;
        }

        public void setSearchFieldName(String searchFieldName) {
            this.searchFieldName = searchFieldName;
        }

        // Defensive copy so callers cannot mutate the internal list.
        public List<?> getSearchFieldValue() {
            return new ArrayList<>(searchFieldValue);
        }

        public void setSearchFieldValue(List<?> searchFieldValue) {
            this.searchFieldValue = searchFieldValue;
        }
    }

The request JSON:
    {
      "searchCriteria": [
        {
          "searchFieldName": "keys",
          "searchFieldValue": [
            {
              "searchFieldName": "bNumber",
              "searchFieldValue": ["11"]
            },
            {
              "searchFieldName": "pNumber",
              "searchFieldValue": ["22"]
            },
            {
              "searchFieldName": "id",
              "searchFieldValue": ["BBB"]
            }
          ]
        },
        {
          "searchFieldName": "unit",
          "searchFieldValue": ["aa", "bb"]
        }
      ]
    }
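The comment above points at the ObjectMapper configuration rather than at the `?`. The following is an added example, not the asker's code or the project's: it keeps simplified copies of the two model classes from the question, puts the weak Jackson setting (default typing) beside the corrected one, and shows why a CWE-502 finding on `readValue` is about the mapper and not about the wildcard. The class name `SearchRequestMapperDemo`, the package prefix `com.example.search.` and both JSON strings are constructed for this example; the `StreamReadConstraints` part assumes Jackson 2.15 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

public class SearchRequestMapperDemo {

    // Simplified copies of the question's model classes; public fields stand in for the
    // @JsonProperty-annotated private fields plus getters/setters.
    public static class EventSearchFields {
        public List<EventSearchCriteria> searchCriteria = new ArrayList<>();
    }
    public static class EventSearchCriteria {
        public String searchFieldName;
        public List<?> searchFieldValue = new ArrayList<>();
    }

    // Constructed request in the shape shown in the question: the wildcard list holds
    // plain strings in one place and a nested criteria object in another.
    static final String SEARCH_REQ = "{\"searchCriteria\":["
            + "{\"searchFieldName\":\"keys\",\"searchFieldValue\":["
            + "{\"searchFieldName\":\"bNumber\",\"searchFieldValue\":[\"11\"]}]},"
            + "{\"searchFieldName\":\"unit\",\"searchFieldValue\":[\"aa\",\"bb\"]}]}";

    // Constructed hostile variant: a Jackson WRAPPER_ARRAY type id inside the wildcard slot.
    // HashMap itself is harmless; the point is that the JSON, not the code, names the class.
    static final String TYPED_REQ = "{\"searchCriteria\":[{\"searchFieldName\":\"x\","
            + "\"searchFieldValue\":[[\"java.util.HashMap\",{\"k\":\"v\"}]]}]}";

    // The weak setting. Default typing for Object-typed slots (the elements of List<?> are
    // Object) turns every such slot into a class-name sink: that is what CWE-502 describes.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.JAVA_LANG_OBJECT);
        return m;
    }

    // The corrected setting. No default typing (Jackson's default), an allow-list validator
    // in case @JsonTypeInfo is ever added to the model, strictness on unknown fields, and
    // parser limits for the recursive payload (StreamReadConstraints needs Jackson 2.15+).
    static ObjectMapper hardenedMapper() {
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNestingDepth(20)
                        .maxStringLength(10_000)
                        .build())
                .build();
        return JsonMapper.builder(factory)
                .polymorphicTypeValidator(BasicPolymorphicTypeValidator.builder()
                        .allowIfSubType("com.example.search.") // hypothetical model package
                        .build())
                .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)
                .build();
    }

    // Startup or unit-test check: a mapper that reports a default typer has default typing on.
    static boolean hasDefaultTyping(ObjectMapper m) {
        return m.getDeserializationConfig().getDefaultTyper(null) != null;
    }

    // Runtime class of the first wildcard element, to show who chose it.
    static String firstValueClass(ObjectMapper m, String json) throws Exception {
        EventSearchFields f = m.readValue(json, EventSearchFields.class);
        return f.searchCriteria.get(0).searchFieldValue.get(0).getClass().getName();
    }

    // After parsing, pin down what the wildcard may contain: String leaves or nested
    // criteria maps with exactly the two expected keys, to a bounded depth.
    static void validateValues(List<?> values, int depth) {
        if (depth > 3) throw new IllegalArgumentException("criteria nested too deeply");
        for (Object v : values) {
            if (v instanceof String) continue;
            if (v instanceof Map<?, ?>) {
                Map<?, ?> m = (Map<?, ?>) v;
                if (m.keySet().equals(Set.of("searchFieldName", "searchFieldValue"))
                        && m.get("searchFieldName") instanceof String
                        && m.get("searchFieldValue") instanceof List<?>) {
                    validateValues((List<?>) m.get("searchFieldValue"), depth + 1);
                    continue;
                }
            }
            throw new IllegalArgumentException("unexpected criteria value: " + v);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe mapper has default typing:   " + hasDefaultTyping(unsafeMapper()));
        System.out.println("hardened mapper has default typing: " + hasDefaultTyping(hardenedMapper()));
        System.out.println("class chosen by payload (unsafe):   " + firstValueClass(unsafeMapper(), TYPED_REQ));
        System.out.println("same bytes, hardened mapper:        " + firstValueClass(hardenedMapper(), TYPED_REQ));

        EventSearchFields req = hardenedMapper().readValue(SEARCH_REQ, EventSearchFields.class);
        for (EventSearchCriteria c : req.searchCriteria) {
            validateValues(c.searchFieldValue, 0);
        }
        System.out.println("request accepted with " + req.searchCriteria.size() + " criteria");
    }
}
```

With default typing on, the first element of `searchFieldValue` comes back as whatever class the JSON named; with the hardened mapper the same bytes are just a two-element list of a string and a map. `hasDefaultTyping` is the assertion to drop into a unit test so the configuration cannot regress, and `validateValues` is where the `?` gets constrained in code rather than trusted downstream. The scanner's finding is a static match on request data reaching `readValue`, so a clean mapper configuration plus this post-parse validation is the evidence to document when proposing a mitigation for it.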