I get SUBSCRIPTION_JSON from the client, convert it to a String, and then set it into a Model Object using the gson library. When I run the code through a Fortify security scan, it reports a JSON Injection error on the code below, with the following message:
This is the error:
On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
Explanation
JSON injection occurs when:
1. Data enters a program from an untrusted source.
In this case the data enters at getString() in **SubscriptionAction.java** at line 355.
2. The data is written to a JSON stream.
In this case the JSON is written by fromJson() in **ActionHelper.java** at line 159.
SubscriptionAction.java
final String subscriptionJson = subscriptionForm.getString(SUBSCRIPTION_JSON);
ActionHelper.java
// Generic type parameter restored: the original post's <T> was stripped by the page's HTML rendering.
public static <T> T jsonToObject(final String jsonString, final Class<T> className) {
    T object = null;
    if (StringUtils.isNotBlank(jsonString)) {
        final Gson gson = (Gson) BeanLocator.getInstance().getBean(GSON);
        object = gson.fromJson(jsonString, className);
    }
    return object;
}
SUBSCRIPTION_JSON ->
{
    "subscriptions": [{
        "attributeId": "1",
        "items": [{
            "strId": "ALL",
            "nodeType": "G"
        }, {
            "strId": "VO_ENTRY_TIMING_DELAY",
            "nodeType": "L"
        }, {
            "strId": "O_INVALID",
            "nodeType": "L"
        }, {
            "strId": "O_LINE_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_INVALID",
            "nodeType": "L"
        }, {
            "strId": "V_ADDRESS_INVALID",
            "nodeType": "L"
        }]
    }, {
        "attributeId": "2001",
        "items": [{
            "strId": "OSTBU",
            "nodeType": "L"
        }]
    }]
}
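The finding is about untrusted data reaching fromJson() without validation. As an added example that is not part of the question's code, the parser below wraps Gson in a bounds check, a syntax-error handler and an allow-list check of every field in the SUBSCRIPTION_JSON shape shown above; the model class names (SubscriptionRequest, Subscription, Item) and the accepted value patterns are assumptions, and it assumes Java 9+ for Set.of.

```java
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical model classes mirroring the SUBSCRIPTION_JSON document shown in the question.
class Item { String strId; String nodeType; }
class Subscription { String attributeId; List<Item> items; }
class SubscriptionRequest { List<Subscription> subscriptions; }

public final class SubscriptionParser {
    private static final int MAX_LEN = 64 * 1024;               // reject oversized payloads early
    private static final Pattern STR_ID = Pattern.compile("[A-Z0-9_]{1,64}"); // assumed id format
    private static final Set<String> NODE_TYPES = Set.of("G", "L");          // values seen in the sample
    private static final Gson GSON = new Gson();

    /** Parses untrusted JSON, then validates every field before the object is handed onward. */
    public static SubscriptionRequest parse(String jsonString) {
        if (jsonString == null || jsonString.length() > MAX_LEN) {
            throw new IllegalArgumentException("missing or oversized payload");
        }
        final SubscriptionRequest req;
        try {
            req = GSON.fromJson(jsonString, SubscriptionRequest.class);
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed JSON", e);
        }
        if (req == null || req.subscriptions == null) {
            throw new IllegalArgumentException("subscriptions missing");
        }
        for (Subscription s : req.subscriptions) {
            // attributeId is numeric text in the sample ("1", "2001"); anything else is rejected
            if (s == null || s.attributeId == null || !s.attributeId.matches("\\d{1,10}")) {
                throw new IllegalArgumentException("bad attributeId");
            }
            if (s.items == null || s.items.isEmpty()) {
                throw new IllegalArgumentException("items missing for attributeId " + s.attributeId);
            }
            for (Item it : s.items) {
                if (it == null || it.strId == null || !STR_ID.matcher(it.strId).matches()
                        || it.nodeType == null || !NODE_TYPES.contains(it.nodeType)) {
                    throw new IllegalArgumentException("bad item under attributeId " + s.attributeId);
                }
            }
        }
        return req;
    }
}
```

Note that Gson ignores unknown properties by default, so a check like this on the deserialized object (rather than on the raw string) is what establishes that only the expected fields and values are acted on.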