2

这段代码:

    InternetAddress[] myAdrs = getAdrs(message.getToAddresses());
    for (int i = 0; i < myAdrs.length; i++) {
        String s = myAdrs[i].getAddress();
        s = s.replace("\r","").replace("\n","").replace("%0A","").replace("%0a","").replace("%0D","").replace("%0d","");
        InternetAddress adr = new InternetAddress( s, false );
        // --> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
        lMessage.addRecipient(Message.RecipientType.TO, adr);
    }

仍然给我 CWE ID 93 虽然我用 s=s.replace(\r.... 删除了 s 中的任何不需要的字符串。这个缺陷?我错过了什么?任何提示将不胜感激!

4

1 回答 1

1

当 Veracode 不接受手工解决方案(例如使用 StringEscapeUtils 和简单的替换方法)时,我遇到了这种情况。尝试 ESAPI 库。Veracode 通常接受 ESAPI 作为可信工具来解决漏洞。例如:

//need to handle ValidationException
String s = ESAPI.validator().getValidInput("User Email", myAdrs[i].getAddress(), "Email", 255, true);
InternetAddress adr = new InternetAddress( s, false );

并将正则表达式测试您的电子邮件到 validation.properties (或您在文件中指定的其他ESAPI.properties文件 as Validator.ConfigurationFile=validation.properties)文件作为Validation.Email属性。例如:

Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,6}$
于 2017-12-05T14:29:04.247 回答