2

API Gateway Pattern在一个Micro services架构中Front End Angular app使用HTTP request我的API Gateway项目,这只是一个ASP.net Core 3.1 Web API项目。目前我只有 2micro services和一个API Gateway,它们都是ASP.net Core 3.1 Web API项目类型。该API Gateway项目具有我的所有控制器micro services。的目的API Gateway只是接收来自适当的请求Front end并发出请求。HTTP RequestMicro service

现在在AccountController.cs我的API Gateway项目中,我有以下代码

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    _uri = new Uri(uriString: $"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
    using var result = await _client.GetAsync(_uri);
    var content = await result.Content.ReadAsStringAsync();
    return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}

在 stackoverflow 上搜索问题后,我在Veracode 社区SSRF找到了以下建议。

Veracode Static Analysis 将报告 CWE 918 的缺陷,如果它可以检测到来自应用程序外部的数据(例如来自用户的 HTTP 请求,也可能是用户上传的文件、数据库数据、Web 服务数据等) ) 能够改变网络请求的性质。

Stackoverflow我发现了以下修复

对于 CWE ID 918,除非您有静态 URL,否则很难让 Veracode 识别您的修复程序。您需要验证成为请求 URL 一部分的所有输入。

这意味着我必须清理我的输入参数OrganizationIdAccountId然后再将它们附加到请求 URL。

还建议了有关veracode 社区的另一个问题

Veracode 静态分析会自动检测到作为此缺陷类别的补救措施的唯一一件事是将输入更改为硬编码

他们提出了查询字符串的解决方案

给定的示例似乎采用模型标识符并将其放在内部请求中使用的 URL 中。我们建议根据您对此数据类型的规则验证 ID(通常应该是字母数字且少于 255 个字符)并在将其附加到 URL 之前对其进行 URL 编码。

在所有这些东西之后,我对我的代码进行了以下更改

  1. 确保 OrganizationId 和 AccountId Guid 不为空
  2. URL 编码字符串

这是更改后的代码

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    if (organizationId != Guid.Empty && accountId != Guid.Empty)
    {
        string url = HttpUtility.UrlEncode($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
        using var result = await _client.GetAsync(url);
        var content = await result.Content.ReadAsStringAsync();
        return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
    }

    return BadRequest();
}

这就是我可以做的所有事情来清理我的输入参数OrganizationIdAccountId但是在所有这些更改之后veracode仍然可以在线识别SSRF缺陷

使用 var result = await _client.GetAsync(url);

4

1 回答 1

1

我找到了解决这个问题的方法,我只是将查询字符串参数附加到 httpClient 的基地址并veracode停止给我错误。

这是解决方案的样子

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    if (organizationId != Guid.Empty && accountId != Guid.Empty)
    {
        var httpClient = new HttpClient();

        //Appended the parameters in base address to
        //to fix veracode flaw issue
        httpClient.BaseAddress = new Uri($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");

        //passing empty string in GetStringAsync to make sure
        //veracode doesn't treat it like modifying url 
        var content = await httpClient.GetStringAsync("");

        return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
    }

    return BadRequest();
}
于 2020-06-19T13:13:38.910 回答