Validate an object

Question

There are various places APPScan is throwing a Validation.required error in my code, where I am setting an object. Now object is set in two ways:

A)

ExceptionBldr excepBuilder = (ExceptionBldr) session.getAttribute(SN_EXCEPBLDR);

this I am solving by simply doing a null check for the object I'm getting from session.

B)

    PageManager pm;
    HttpServletRequest request = modelContext.getHttpServletRequest();
    ResourceBundle resourceBundle = documentContext.getResourceBundle();
    if (request.getAttribute("PageManager") == null) {
        pm = new PageManager(modelContext, documentContext);
        String title = resourceBundle.getString("Workbench.title");
        if (title == null)
            title = "";
        pm.setPageTitle(title + " " + getInstance(request));            
        pm.setInstanceName(getInstance(modelContext.getHttpServletRequest()));
        pm.setListingName(getListingName());
        request.setAttribute("PageManager", pm);

I can do a null check for all the argument and then do a null check for the complete object before setting it (I donno if that will resolve the issue) but is there a better way of doing it? I want to write a generic class for all such instances.

Partial Idea:

a) Validate if the object belongs to a valid class.

b) Get the methods of the class and iterate.

But how do I check the arguments I am setting?

Any other kind of suggestion is also welcome.

Answer 1

Instead of (or in addition to) doing a null check, the major goal of mitigating Validatoin.required finding is to validate against malicious input. Check in your code if any variable can be set to a value that can be controlled by a malicious user. Any input taking from outside of your system should be validated using white listing: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#White_List_Input_Validation