
I have sample Spring Boot controller code like the following:

import javax.validation.Valid;

import lombok.extern.slf4j.Slf4j;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@Slf4j
@RestController
public class PersonController {
    // camelCase field/parameter names so they do not shadow the PersonService / PersonRequestDto types
    private final PersonService personService;

    public PersonController(PersonService personService) {
        this.personService = personService;
    }

    @PostMapping(value = "/v1/Person", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    @ResponseBody
    public PersonResponseDto person(@Valid @RequestBody PersonRequestDto personRequestDto,
                                    @RequestHeader(value = "x-correlation-id", required = false) String correlationId) {

        // HTML-escape the only String field before handing the request on to the service
        String something = HtmlUtils.htmlEscape(personRequestDto.getSomething());
        PersonRequestDto newRequestDto = PersonRequestDto.builder()
                .something(something)
                .date(personRequestDto.getDate())
                .build();
        return personService.save(newRequestDto);
    }
}


import java.time.LocalDate;

import javax.validation.constraints.NotBlank;

import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Getter;
import lombok.NoArgsConstructor;

// Lombok: getters and builder() as used by the controller; the no-arg and all-args
// constructors let Jackson deserialize the JSON request body into the builder-style class
@Getter
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class PersonRequestDto {
    @NotBlank
    private String something;

    private LocalDate date;
}

Even though I sanitized the string field something, Checkmarx still complains:

flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething

I don't know what the point is, or how to sanitize a Java LocalDate field; also, for the XSS requirement there is no need to sanitize fields other than strings.

Does anyone know how to write code to make Checkmarx happy? I know it is frustrating to write code just to make some tool work.

securecodeninja
ttt
  • @0xadecimal well, it's not really a duplicate; in that one the only concern is the string type, but Checkmarx needs all types of fields sanitized. – ttt Oct 07 '19 at 11:57
  • OK, fair enough. Do you know for certain that it is complaining about the date? – 0xadecimal Oct 07 '19 at 12:01
  • Yes, of course. I tweaked the fields one by one and then came up with those. – ttt Oct 07 '19 at 12:03
  • I agree it's not ideal adding code just to keep Checkmarx happy; however, it might not be a bad idea to add some validation to the date field. You could add the @NotNull annotation at a minimum, or if the date represents a person's birthday you could also add @Past? Maybe that will be enough to keep Checkmarx happy. – 0xadecimal Oct 07 '19 at 12:22
  • Yes, I had all that validation stuff but still can't make Checkmarx happy. – ttt Oct 08 '19 at 05:30
  • As you said, Checkmarx complains about a display in method doSomething. I think the problem is about how Cx searches for the query and flow. I think (based on my experience with Cx and what you said => XSS) you must encode the data in the output. If you post the doSomething method, that could help too. – SPoint Oct 10 '19 at 08:31
  • I suspect a bad implementation of one of the Checkmarx rules. I noticed some other things like this before, and I had to add the type to a custom rule for Cx. – SPoint Nov 14 '19 at 10:44
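
The approach SPoint's comment points at (encode each value at the output, in the method that displays it, rather than escaping one field in the controller), as an added example that is not part of the question or of any comment. The class and method names (OutputEncodingExample, doSomethingUnsafe, doSomethingSafe) are hypothetical stand-ins for the unseen doSomething, the sample input is constructed, and the only dependency assumed is spring-web on the classpath for HtmlUtils, which the question already uses:

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import org.springframework.web.util.HtmlUtils;

// Added example (not the question's code): encode at the HTML sink, for every field.
// Assumes spring-web on the classpath; class and method names are hypothetical.
public class OutputEncodingExample {

    // Constructed sample input: what a hostile client could send in PersonRequestDto.something
    static final String HOSTILE_SOMETHING = "<img src=x onerror=alert(1)>";
    static final LocalDate SAMPLE_DATE = LocalDate.of(2019, 10, 7);

    // The pattern from the question: escape in the controller, then hand the value onward.
    // Every later sink still receives a String that came from the request, so a taint-tracking
    // scanner keeps following the flow from the request body to the display method.
    static String sanitizeInController(String something) {
        return HtmlUtils.htmlEscape(something);
    }

    // Vulnerable sink: builds HTML by concatenating the raw values. With the controller-side
    // escape in place this is only safe for "something"; any other field (or the same field
    // reaching this method through another path) is rendered unencoded.
    static String doSomethingUnsafe(String something, LocalDate date) {
        return "<li>" + something + " (" + date + ")</li>";
    }

    // Hardened sink: encode each value where it enters the HTML context.
    // The date is rendered with a fixed formatter so its text is only digits and '-',
    // and is then passed through the same encoder as the String field; that is what
    // terminates the flow for non-String fields without any type-specific "sanitizer".
    static String doSomethingSafe(String something, LocalDate date) {
        String safeSomething = HtmlUtils.htmlEscape(something);
        String safeDate = HtmlUtils.htmlEscape(date.format(DateTimeFormatter.ISO_LOCAL_DATE));
        return "<li>" + safeSomething + " (" + safeDate + ")</li>";
    }

    // Check a reviewer can run: does the rendered fragment still contain the payload verbatim?
    static boolean containsRawPayload(String html, String taintedValue) {
        return html.contains(taintedValue);
    }

    public static void main(String[] args) {
        String unsafe = doSomethingUnsafe(HOSTILE_SOMETHING, SAMPLE_DATE);
        String safe = doSomethingSafe(HOSTILE_SOMETHING, SAMPLE_DATE);
        String doubleEncoded = doSomethingSafe(sanitizeInController(HOSTILE_SOMETHING), SAMPLE_DATE);

        System.out.println("unsafe:         " + unsafe);          // payload verbatim
        System.out.println("safe:           " + safe);            // &lt;img src=x onerror=alert(1)&gt;
        System.out.println("double-encoded: " + doubleEncoded);   // &amp;lt;img ... shown literally

        if (!containsRawPayload(unsafe, HOSTILE_SOMETHING) || containsRawPayload(safe, HOSTILE_SOMETHING)) {
            throw new AssertionError("output encoding check failed");
        }
    }
}
```

Two practical notes. First, escaping in the controller and again at the sink double-encodes (HtmlUtils.htmlEscape turns the already-escaped `&lt;` into `&amp;lt;`), so the user sees the entity text instead of a `<` character; keep the controller to validation (@NotBlank, @NotNull, @Past as discussed above) and do the encoding once, at the sink. Second, HtmlUtils.htmlEscape is an encoder for HTML element content; a value placed into a JavaScript string, a URL, or an attribute needs the encoder for that context instead.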

0 Answers