
我已经对我的项目运行了 Checkmarx 安全扫描,并在 “cstmt.execute();” 这一行收到了 A2 - Broken Authentication and Session Management(失效的身份认证与会话管理)警告。我知道这是 OWASP Top 10 中列出的漏洞类别之一。

需要帮助来理解我的代码到底有什么问题,以及应该如何修复(或者在什么条件下可以将该结果标记为误报)。

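/**
 * Updates a user by invoking the {@code DbConstants.EDITUSER_PROC} stored procedure.
 *
 * <p>Security note: this DAO method performs no authorization check of its own.
 * Every value it sends to the procedure -- including the {@code roles} list and
 * {@code adminSso} -- is read from {@code userParams}, which (per the caller's
 * description) is deserialized from the JSON body of a REST request. Those values
 * are therefore caller-controlled and must not be treated as proof of who is making
 * the change. The service layer must verify that the authenticated principal is
 * allowed to edit the target user before calling this method, and should take the
 * admin identity from the authenticated session rather than from the request body.
 *
 * <p>List-valued fields are flattened into comma-separated strings (the bracketed
 * {@code Arrays.toString} form with the brackets stripped); it is assumed the
 * procedure splits them on "," -- an element containing a comma would be split
 * incorrectly (TODO confirm the procedure's parsing).
 *
 * @param userParams user attributes to persist
 * @return 1 when the procedure executed without throwing
 * @throws CustomException wrapping any exception raised while obtaining the
 *         connection, building the Oracle array or executing the call; the
 *         original stack trace is written to the log
 */
public int editUser(UserBean userParams) throws CustomException {
    String query = DbConstants.EDITUSER_PROC;
    String cntrctId = null;
    String keyAcc = null;

    // Contract and key-account lists are only sent when the user is not
    // flagged as having access to all contracts.
    if (!"Y".equals(userParams.getAllContrctFlag())) {
        cntrctId = joinForProc(userParams.getContractId().toArray());
        keyAcc = joinForProc(userParams.getKeyAcName().toArray());
    }
    String roles = joinForProc(userParams.getUserRole().toArray());
    String pnl = joinForProc(userParams.getDefaultPnl().toArray());

    logger.debug("Edit User cntrctId,KeyAcc, roles : " + cntrctId + "\n" + keyAcc + "\n" + roles);

    Connection con = null;
    CallableStatement cstmt = null;
    try {
        con = jdbcTemplate.getDataSource().getConnection();
        ARRAY arrayToPass = buildWidgetArray(con, userParams.getWidgets().toArray());

        // All values are bound as procedure parameters, so no SQL is built from input.
        cstmt = con.prepareCall(query);
        cstmt.setString(1, userParams.getSso());
        cstmt.setString(2, roles);
        cstmt.setString(3, userParams.getUserType());
        cstmt.setString(4, keyAcc);
        cstmt.setString(5, cntrctId);
        // NOTE(review): adminSso is taken from the request payload, not from the
        // authenticated session -- the caller must not rely on it for authorization.
        cstmt.setString(6, userParams.getAdminSso());
        cstmt.setString(7, pnl);
        cstmt.setString(8, userParams.getAllContrctFlag());
        cstmt.setObject(9, arrayToPass);
        cstmt.execute();
        return 1;
    } catch (Exception ex) {
        // Log the throwable itself so the stack trace is not lost: CustomException
        // only carries the message text.
        logger.error("Error while getting Edit User ---> " + ex.getMessage(), ex);
        throw new CustomException(ex.getMessage());
    } finally {
        if (cstmt != null) {
            try {
                cstmt.close();
            } catch (SQLException se) {
                logger.error("Error while getting Edit User(close connection) ---> " + se.getMessage());
            }
        }
        if (con != null) {
            try {
                con.close();
            } catch (SQLException se) {
                logger.error("Error while getting Edit User(close connection) ---> " + se.getMessage());
            }
        }
    }
}

/**
 * Flattens an array into the comma-separated form the stored procedure expects:
 * {@code Arrays.toString} output with the surrounding brackets removed and trimmed.
 */
private static String joinForProc(Object[] values) {
    return Arrays.toString(values).replace("[", "").replace("]", "").trim();
}

/**
 * Builds the {@code RELTK_WIDGET_USER_TYPE} Oracle ARRAY for the widgets parameter,
 * unwrapping the pooled connection to the native {@code OracleConnection} when possible.
 */
private static ARRAY buildWidgetArray(Connection con, Object[] widgets) throws SQLException {
    if (con.isWrapperFor(OracleConnection.class)) {
        OracleConnection oracleConnection = con.unwrap(OracleConnection.class);
        ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE", oracleConnection);
        return new ARRAY(ad, oracleConnection, widgets);
    }
    ArrayDescriptor ad = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE", con);
    return new ARRAY(ad, con, widgets);
}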

上述方法位于 DAO 层,由服务层的另一个方法调用;该服务方法接收 REST 请求,将请求体中的 JSON 反序列化为 UserBean 对象,然后把它作为参数传给 editUser。




Checkmarx 报告的是:这段代码在没有任何可见的用户授权检查的情况下访问了数据库(调用存储过程修改用户数据)。

如果在您的场景中授权已经在调用此方法之前正确完成(例如服务层已校验当前已认证的用户有权修改目标用户),您可以将此结果标记为不可利用。但请注意:roles 和 getAdminSso() 这两个值本身都来自请求体 JSON,是调用方可控的输入,它们不能作为授权依据;adminSso 应取自已认证的会话/安全上下文,而不是信任客户端提交的值。

于 2016-08-24T09:52:01.057 回答