我低于 checkmarx 中突出显示的中等漏洞:
第#行中 r-config\com\mycompapi\RController.java 的 rModificationRequest 可能无意中允许在第# 行的对象 r-config\com\mycompservices\RService.java 中设置 modifyR 中的 saveAndFlush 的值。
@RestController
@RequestMapping(path = "/api/v1/r", produces = MediaType.APPLICATION_JSON_VALUE)
@Api(tags = "R", value = "Endpoints for managing all the operations related to r")
@Slf4j
@Validated
public class RController {
private final RService rService;
private final ModelMapper modelMapper;
@Autowired
public RController(final RService rService,
final ModelMapper modelMapper) {
this.rService = rService;
this.modelMapper = modelMapper;
}
@ApiOperation(value = "Modify r information", nickname = "modifyR")
@PatchMapping
@ResponseStatus(HttpStatus.OK)
public RResponse modifyRInfo(
@RequestParam(name = "r-name") @NotBlank
@Size(max = 256, message = "r name should have less than or equals to {max} characters") final String rName,
@Valid @RequestBody RModificationRequest rModificationRequest) {
final RModificationDto rModificationDto = modelMapper.map(rModificationRequest,
RModificationDto.class);
final R r = rService.modifyR(rName, rModificationDto);
return modelMapper.map(r, RResponse.class);
}
}
@Service
public class RService {
private final RRepository rRepository;
@Autowired
public RService(final RRepository rRepository) {
this.rRepository = rRepository;
}
@Transactional
@PublishNotification(operationType = OperationType.MODIFY)
public R modifyR(final String rName, final RModificationDto rModificationDto) {
final R r = findByRName(rName);
final R modifiedR = RServiceHelper.getModifiedR(r, rModificationDto);
rRepository.saveAndFlush(modifiedR);
return modifiedR;
}
在这里做什么还是误报?我也没有看到任何关于声纳立方体扫描有或可能在我不知道的地方做什么的评论 - 我是 checkmarx 的新手。