我们在nodejs中有以下代码
int i = _.get(req.body, "i")
res.send(i);
当 checkmarx 找到上面的代码时,它说我应该被清理和验证。谁能帮忙解决这个问题?
提前致谢
问问题
4124 次
2 回答
2
如果你是这个意思:
int i = _.get(req.body, "i");
res.send(i);
然后似乎 Checkmarx 设法找到了反射 XSS 漏洞。
当您在来自用户的请求中获得不受信任的输入时,它可能包含可能在响应中发送并在客户端运行的恶意脚本。这称为反射跨站点脚本 (XSS)。
预防取决于许多因素。OWASP 写了一个很好的指南: https ://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
于 2016-08-25T11:50:16.533 回答
0
int i = _.get(req.body, "i") res.send(i);
Issue :
Here you are setting your response fetching value from request body, which embeds untrusted data in the generated output with send. This untrusted data is embedded straight into the output without proper sanitization.
Solution :
Sanitize request body attributes before setting it to response
requestSanitizer.setOptions({
body :{
name : [validator.escape,validator.ltrim],
test : [validator.ltrim]
}
});
you must first import these packages :
var requestSanitizer = require('request-sanitizer')();
var validator = requestSanitizer.validator;
and then finally set requestSanitizer as an additional param to API call
于 2021-02-17T05:11:56.000 回答