
HP Fortify: ASP.NET Bad Practices: Non-Serializable Object Stored in Session

The method set_UserActiveEnvironments() in HttpContextHelper.cs stores a non-serializable object as an HttpSessionState attribute on line 47, which can damage application reliability.

By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently configured to persist session state information, which both expands capacity and permits replication across multiple machines to improve overall performance. In order to persist its session state, the server must serialize the HttpSessionState object, which requires that all objects stored in it be serializable.

Why is it showing that as a vulnerability, and how do I fix it?

Mohanraj, maybe you've already found the solution, but below is a plausible explanation:

There are some false positives that HP Fortify indicates, and that is why you need to analyze case by case every vulnerability it reports to you, and that's why it has a classification list for you to analyze whether the vulnerability found is a real threat or a false positive.

In this particular case, to heal the vulnerability you just need to decorate the class you are trying to transport / send to Session as [Serializable], which is highly recommended when using session to store data inside your application.

Check on this article by Piet Obermeyer and Jonathan Hawkins, which explains the use of Serialization better.

Hope this helps.
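The fix described in the answer above, as an added example that is not part of the original post or of the asker's project: a class like the one Fortify flags beside its [Serializable] form, plus a hypothetical `SetChecked` helper (not a framework API) that rejects non-serializable values in any session mode. Class and key names are constructed; the point is that under the default InProc mode the defect is latent and only surfaces after the sessionState mode is switched to StateServer or SQLServer, which serialize the whole session at the end of each request.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Constructed example of the shape Fortify reports: no [Serializable], so it works
// under InProc but throws a SerializationException once session state is persisted
// out of process (StateServer / SQLServer modes).
public class ActiveEnvironments
{
    public string[] Names { get; set; }
}

// Hardened form: mark the stored type [Serializable]. Every field type must also be
// serializable (string[] is); nested custom types need the attribute as well.
[Serializable]
public class ActiveEnvironmentsSerializable
{
    public string[] Names { get; set; }
}

public static class SessionGuard
{
    // True when the runtime considers the type serializable (it carries [Serializable],
    // or is a primitive, string, or array of such). This is the same property the
    // out-of-process session providers rely on when they serialize the session.
    public static bool CanStoreInSession(Type type) => type.IsSerializable;

    // Hypothetical extension method, not part of ASP.NET: fail fast at the point of
    // storage so the problem is caught in development instead of after a web.config
    // change in production.
    public static void SetChecked(this HttpSessionState session, string key, object value)
    {
        if (value != null && !CanStoreInSession(value.GetType()))
        {
            throw new InvalidOperationException(
                $"Type {value.GetType().FullName} is not [Serializable] and cannot be stored under session key '{key}'.");
        }
        session[key] = value;
    }
}

// Constructed usage inside a property setter such as set_UserActiveEnvironments:
//   HttpContext.Current.Session.SetChecked("UserActiveEnvironments", value);
// With ActiveEnvironments this throws; with ActiveEnvironmentsSerializable it stores the value.
```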

I think Fortify misinterprets set_accessor_declaration in C#. The finding looks like Fortify could not link the type of the value keyword to the type of the property.

https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/classes#accessors

Attempting to interpret the finding as if the Session property itself needs a Serializable attribute seems misdirected. A how-to article on different serialization modes in ASP.NET tells me that session serialization applies to the Session property's contents rather than the property as a whole.

https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
