
I am trying to resolve a resource injection issue found in our code by a Fortify static scan. We have an updateUserInfo(User user) method in a Service class which makes a call to the updateUser(User user) method on a Dao class. The updateUser(User user) method has the lines of code below.

 import java.util.HashMap;
 import java.util.Map;

 public void updateUser(User user) {
     // the id comes straight from the User object handed in by the service layer
     Map<String, Object> params = new HashMap<>();
     params.put("id", user.getId());
     // below code makes a call to stored proc updateUser and passes params as parameters to database (iBatis config)
     getSqlMap.update("updateUser", params);
 }

Fortify complains that an attacker can specify the value that enters at updateUserInfo in the Service class, and that this value is used to access a system resource at the getSqlMap.update call.

I am not sure how to change this code to overcome this vulnerability. Please help.

  • So, Fortify is complaining that the code works as designed? Are you passing SQL as a field in `User`? – kolossus Apr 07 '15 at 15:45
  • @Rüdiger Herrmann, Thanks for your comment. We pass the user object, but Fortify complains that input is used to identify a system resource directly and it's a resource injection issue. Not sure how to overcome this. – Pro Apr 08 '15 at 03:31
  • To diagnose injection we need to see the input handling code. You need to submit more code. How are you validating? – avgvstvs Apr 08 '15 at 23:21
  • Also, validate that none of the fields changed by that update method are used to construct a URL, URI, or File/Resource reference elsewhere in the application. – avgvstvs Apr 09 '15 at 22:31

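One way to address the finding as the question describes it, added here as an example that is not part of the question or of any answer: the caller-supplied id is range-checked and then authorized against the current caller before it selects which row the stored procedure touches. `AuthContext` and the constructor wiring are hypothetical names; `SqlMapClient.update(String, Object)` is the iBatis 2 API and is assumed to be what `getSqlMap.update` in the question refers to.

```java
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
import com.ibatis.sqlmap.client.SqlMapClient;

// Hypothetical: tells the DAO who is making the call. In a real application this
// would be backed by the authenticated session or security framework.
interface AuthContext {
    boolean isAdmin();
    Long currentUserId();
}

// Hypothetical DAO using the same "updateUser" mapped statement as the question,
// but with the id validated and authorized before it reaches the database.
public class UserDao {
    private final SqlMapClient sqlMapClient; // assumed equivalent of getSqlMap
    private final AuthContext auth;

    public UserDao(SqlMapClient sqlMapClient, AuthContext auth) {
        this.sqlMapClient = sqlMapClient;
        this.auth = auth;
    }

    public void updateUser(User user) {
        Long id = user.getId();
        // 1. Shape check: a user id is a positive database key and nothing else.
        if (id == null || id <= 0) {
            throw new IllegalArgumentException("invalid user id");
        }
        // 2. Authorization check: a caller may only update their own record unless
        //    they hold the admin role. This is the control that stops an arbitrary
        //    attacker-chosen id from selecting someone else's row, which is the
        //    resource-injection concern; iBatis parameter binding already covers
        //    SQL injection for this value.
        if (!auth.isAdmin() && !id.equals(auth.currentUserId())) {
            throw new SecurityException("caller may not update user " + id);
        }
        Map<String, Object> params = new HashMap<>();
        params.put("id", id); // bound as a statement parameter, not concatenated into SQL
        try {
            sqlMapClient.update("updateUser", params);
        } catch (SQLException e) {
            throw new RuntimeException("updateUser failed", e);
        }
    }
}
```

Whether the scanner stops reporting the data flow depends on its rules recognizing the check; if it still fires, the finding is a candidate for audit once the authorization control has been confirmed in review.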