
How to solve a Trust Boundary Violation in session.setAttribute() pointed out by SONAR?

I am getting this error as a SONAR violation on these lines. How to solve this?

HttpSession session = this.globals.getHTTPServletRequest().getSession();
session.setAttribute("CONTEXT", this.globals.getHTTPServletRequest().getContextPath()); // issue is in this line

Make sure the user is authenticated before this data is stored in the session.

This is the SONAR output for that line:

Rule

Untrusted data should not be stored in sessions

Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately. This rule raises an issue when data from Cookies or HttpServletRequests is stored in a session.

Noncompliant Code Example

login = request.getParameter("login");
session.setAttribute("login", login);  // Noncompliant

See MITRE, CWE-501 - Trust Boundary Violation
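The rule quoted above flags the value copied out of the HttpServletRequest, and its message asks for authentication before the value is stored. The following added example (not code from the question or from SonarQube) shows the flagged pattern beside a version that checks for an authenticated principal and validates the context path against an assumed allow-list before it crosses into the session; javax.servlet is assumed.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: request-derived data enters the session only after authentication and validation. */
public final class SessionAttributes {
    private static final String CONTEXT = "CONTEXT";
    // Assumed allow-list: a context path is "" or a sequence of "/segment" parts.
    private static final Pattern CONTEXT_PATH = Pattern.compile("(/[A-Za-z0-9._-]+)*");

    private SessionAttributes() {}

    /** Noncompliant: unvetted request data goes straight into the session (CWE-501). */
    static void storeContextUnchecked(HttpServletRequest request) {
        HttpSession session = request.getSession();
        session.setAttribute(CONTEXT, request.getContextPath());
    }

    /**
     * Compliant variant: refuse to store anything for an unauthenticated caller,
     * and only store a value that passes the allow-list. Returns true when stored.
     */
    static boolean storeContextIfTrusted(HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            return false; // not authenticated: nothing is persisted in the session
        }
        String contextPath = request.getContextPath();
        if (contextPath == null || !CONTEXT_PATH.matcher(contextPath).matches()) {
            return false; // fails the allow-list, so it is treated as untrusted
        }
        request.getSession().setAttribute(CONTEXT, contextPath);
        return true;
    }
}
```

Whether a given analyzer version stops reporting the line depends on its taint rules; the authentication check and the allow-list are what the rule text itself asks for.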

We have to use "login" as String LOGIN = "login", that's it, it removes the SONAR violation, or since it is hard-coded you can also use a properties file or xml file to pass it.
