How to sanitize and validate user input to pass a Checkmarx scan
I have an endpoint that receives a String from the client as seen below:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import static javax.ws.rs.core.Response.Status.OK;

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    // x comes straight from the URL path and is echoed back in the response body
    String y = myService.process(x);
    return Response.status(OK).entity(y).build();
}

Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething"

Then I tried this:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import static javax.ws.rs.core.Response.Status.OK;
import org.apache.commons.lang3.StringUtils;

@GET
@Path("/{x}")
public Response doSomething(@PathParam("x") String x) {
    // reject empty/blank or over-long input
    if (StringUtils.trimToNull(x) == null || x.length() > 100) {
        throw new RuntimeException();
    }
    // strip quote characters from the input ...
    x = x.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "");
    String y = myService.process(x);
    // ... and from the output before it is returned
    y = y.replace("'", "").replace("`", "").replace("\\", "").replace("\"", "");
    return Response.status(OK).entity(y).build();
}

But it still considers this a high severity vulnerability.

How do I properly sanitize or validate to pass a Checkmarx scan?

Grekin answered 13/8, 2015 at 9:54

Comments (1):
I am facing the same issue, even after trying y = HtmlUtils.htmlEscape(x). (Medico)

HtmlUtils from spring-web got the job done with:

HtmlUtils.htmlEscape(x)

Maven dependency:

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>5.1.7.RELEASE</version>
</dependency>
Grekin answered 13/8, 2015 at 11:37

Comments (2):
It worked for me. My issue is that Sonar is giving an XSS issue on a String input of one of the methods in a controller class. I trimmed leading and trailing whitespace, but the issue was still present, so I used HtmlUtils.htmlEscape and it worked fine for me. (Clique)
Does this work only with Spring 5? I tried adding it to the path parameter string, but I still get the same issue in Checkmarx. (Medico)

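The example below is added here and is not code from the question or the answer. It puts the two halves of the accepted approach together in one JAX-RS resource: an allowlist check on the path parameter (reject and return 400 rather than "clean" the value) and HTML encoding of the value at the point where it is written into the response, using Spring's HtmlUtils.htmlEscape from spring-web. The resource class, the ID_PATTERN allowlist and the ItemService interface are assumptions for illustration. The main method shows why the character-stripping attempt in the question does not help: removing quotes and backslashes leaves <script>alert(1)</script> untouched, whereas htmlEscape turns its angle brackets into &lt; and &gt; so the browser renders them as text.

```java
// Added example, not from the original post. Assumes spring-web on the classpath.
// The class, ID_PATTERN and ItemService are hypothetical names chosen for this example.
import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.springframework.web.util.HtmlUtils;

@Path("/items")
public class ItemResource {

    // Allowlist: describe what a valid identifier looks like instead of
    // listing characters you hope are dangerous.
    private static final Pattern ID_PATTERN = Pattern.compile("^[A-Za-z0-9_-]{1,100}$");

    // Hypothetical service used by the example.
    public interface ItemService {
        String process(String id);
    }

    private final ItemService myService;

    public ItemResource(ItemService myService) {
        this.myService = myService;
    }

    @GET
    @Path("/{x}")
    public Response doSomething(@PathParam("x") String x) {
        // Validation: reject anything outside the allowlist with a 400.
        if (x == null || !ID_PATTERN.matcher(x).matches()) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        String y = myService.process(x);
        // Output encoding: escape for the context the value lands in (an HTML body here).
        // Do this at the boundary where the value is written, not where it is read.
        String safe = HtmlUtils.htmlEscape(y);
        return Response.ok(safe, MediaType.TEXT_HTML_TYPE).build();
    }

    // Constructed payload showing the difference between stripping quotes and encoding.
    public static void main(String[] args) {
        String payload = "<script>alert(1)</script>";

        // The question's approach: quote/backslash stripping leaves the tags intact.
        String stripped = payload.replace("'", "").replace("`", "")
                                 .replace("\\", "").replace("\"", "");
        System.out.println("stripped : " + stripped);

        // Encoding: angle brackets become entities, so the markup is inert.
        System.out.println("escaped  : " + HtmlUtils.htmlEscape(payload));

        // Allowlist validation rejects the payload outright.
        System.out.println("valid id : " + ID_PATTERN.matcher(payload).matches());
    }
}
```

Which encoder to use depends on where the value ends up: htmlEscape is right for an HTML element body, but a value placed inside a JavaScript string, a URL or an SQL statement needs the encoder for that context. If the endpoint only ever returns plain text, sending it with a text/plain content type also stops the browser from interpreting it as markup.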
In .NET Framework > 4.0 use AntiXSS:

AntiXssEncoder.HtmlEncode()

Kellsie answered 31/1, 2019 at 21:18

Comments (1):
Does it have to be applied property by property, or is there some common way to achieve this? (Tangerine)