2

I am able to generate PDF using JasperReports with the help of below code snippet in desired output format. 

Map<String, Object> parameters = new HashMap<>();
parameters.put("code", HtmlUtils.htmlEscape(request.getParameter("code")));
JasperPrint jasperPrint = JasperFillManager.fillReport(path, parameters, dataSource);
barcodePdfBytes = JasperExportManager.exportReportToPdf(jasperPrint);

However when I scan my code using checkmarx it shows Reflected XSS Vulnerability for below code snippet and to fix this i have escaped all input parameters using HtmlUtils.htmlEscape but still facing the same issue.

ServletOutputStream outputStream = response.getOutputStream();    
outputStream.write(barcodePdfBytes, 0, barcodePdfBytes.length);

I further analysed from my end and tried to sanitised entire byte[] but it somehow corrupt PDF format and user is not getting pdf inresponse.

Looking for some help here.Would appreciate any pointer. Thanks In Advance.

Petter Friberg
  • 21,252
  • 9
  • 60
  • 109
Gautam
  • 3,276
  • 4
  • 31
  • 53
  • Can you add a larger part of the code so we can see the suspected flow of code? For example, if there is a parameter that comes from a user. Also, what is outputStream? – yaloner Nov 27 '17 at 20:09
  • mark as false positive or export directly to stream. – Petter Friberg Nov 27 '17 at 20:13
  • @PetterFriberg Could you please elaborate more on this,I am actually new to Jasper report – Gautam Nov 27 '17 at 20:16
  • 1
    @Gautam check out this depending on version your can export directly to stream https://stackoverflow.com/questions/3746649/jasperreports-how-to-call-the-report-in-jsp-page. Also follow yaloner suggestion and included suspected flow of code, I'm not an expert in checkmarx since I use sonar – Petter Friberg Nov 27 '17 at 20:32
  • @PetterFriberg Thanks for your input.It seems to be working now.Could you please post as an answer so i can accept the same.Thanks once again :) – Gautam Nov 28 '17 at 12:22
  • @gautam great!, feel free to post an own answer with your working solution. I can't test so I prefer to not post answer – Petter Friberg Nov 28 '17 at 12:39
  • @Gautam which content-type are you using and where? – yaloner Nov 29 '17 at 20:38

1 Answers1

1

If you're writing a PDF file to the stream, then there shouldn't be any HTML encoding of the data because it's not an HTML file. Write the PDF as is to the output stream with the application/pdf content-type header.

Checkmarx might not see that you're writing a PDF file so can give a false report.

fgb
  • 18,439
  • 2
  • 38
  • 52