How to resolve HTTP Parameter Pollution warning?

Question

While checking for findSpecBugs warnings in my scala based application, I encountered:

HTTP Parameter Pollution warning with the message: Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter.

This issue is arising when I am concatenating a URL with a value fetched from the database. Any idea how can I sanitize or validate that value, or is there any other way to resolve this issue?

Does this answer your question? [Java URL encoding of query string parameters](https://stackoverflow.com/questions/10786042/java-url-encoding-of-query-string-parameters) — Joe, Jun 16 '20 at 10:57
Thanks @Joe, this lowered the level of warning to low, but has not removed it completely. — Mansi Babbar, Jun 16 '20 at 11:25

score 2 · Accepted Answer · answered Jun 19 '20 at 08:35

2

You should use URIBuilder and set the setParameter(<param>, <value>). Like the following:

val builder = new URIBuilder(<url>)
    builder.setParameter("pparam1", "value1").setParameter("param2", "value2")
val request = new HttpGet(builder.build())

I hope this answers your question.

answered Jun 19 '20 at 08:35

himanshuIIITian

5,985
6
50
70

1

Thanks @himanshuIIITian for your answer. This really helped and resolved the warning completely. – Mansi Babbar Jun 19 '20 at 10:01
1

URIBuilder will be used in the solution sample for the next version of FSB. – h3xStream Aug 26 '20 at 21:02

How to resolve HTTP Parameter Pollution warning?

1 Answers1