
How to fix "Server-Side Request Forgery" issue in Spring RestTemplate

Getting a "Server-Side Request Forgery" issue in a Fortify report while using Spring RestTemplate.

I am making a call using RestTemplate to some other REST service and passing the URL from my controller class. The URL is hardcoded in my controller and is not user-controlled data.

HttpEntity<R> response = restTemplate.exchange(uri, HttpMethod.POST, entity,
parameterizedTypeReference);

Not sure how to fix this issue.

SSRF is exploited by an attacker controlling an outgoing request that the server is making. If uri is indeed hard-coded, then the attacker has no ability to influence where the request is going, so it would indeed look to be a false positive. However, although Fortify is known for false positives, I have not seen it make that type of mistake (i.e. claim SSRF despite a hard-coded URI), so I am a bit surprised to hear it. Have you checked the whole source-to-sink trace that Fortify provides? If it is reporting only that one line as both the source and the sink, then yes, it is a false positive. If there is more, then it would be helpful if you provided the full trace.
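
As an added illustration of the point made in the answer above (example code written for this page, not taken from the question, the answer or the Fortify report), the following contrasts the RestTemplate pattern that is a genuine SSRF source-to-sink trace, where the caller supplies the destination, with a hardened version in which scheme, host, port and path prefix are constants and the caller only supplies an identifier that is validated before being interpolated. The upstream host, the path template, the id pattern and the class and method names are assumptions made for the example; it expects spring-web on the classpath and makes no network call in main.

```java
// Added example, not from the original post. Assumes spring-web on the classpath;
// the base URL, path template and identifier format are invented for illustration.
import java.net.URI;
import java.util.regex.Pattern;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

public class SsrfExample {

    // VULNERABLE: the destination comes straight from the caller (a request parameter,
    // header or body field). The attacker chooses where the server connects, e.g. a
    // cloud metadata endpoint or an internal admin port. This is the trace Fortify
    // reports for CWE-918: tainted source -> RestTemplate sink.
    static String fetchUnsafe(RestTemplate restTemplate, String targetUrl) {
        return restTemplate.getForObject(targetUrl, String.class);
    }

    // HARDENED: everything that decides *where* the request goes is a constant.
    private static final String BASE = "https://inventory.internal.example"; // assumed upstream
    private static final String ITEM_TEMPLATE = BASE + "/api/items/{id}";
    // Strict allow-pattern for the only caller-controlled piece. Excluding '/', '?', '#',
    // '@' and ':' means the id cannot escape its path segment or smuggle in an authority,
    // so we do not have to rely on the encoding mode RestTemplate happens to use.
    private static final Pattern ITEM_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    static URI resolveItemUri(String itemId) {
        if (itemId == null || !ITEM_ID.matcher(itemId).matches()) {
            throw new IllegalArgumentException("invalid item id");
        }
        URI uri = UriComponentsBuilder.fromUriString(ITEM_TEMPLATE)
                .buildAndExpand(itemId)
                .toUri();
        // Defence in depth: confirm the resolved destination is still the fixed upstream.
        URI base = URI.create(BASE);
        if (!base.getScheme().equals(uri.getScheme())
                || !base.getHost().equals(uri.getHost())
                || base.getPort() != uri.getPort()) {
            throw new IllegalStateException("resolved URI left the allowed destination");
        }
        return uri;
    }

    static String fetchItem(RestTemplate restTemplate, String itemId) {
        // Passing a java.net.URI rather than a String means RestTemplate performs no
        // further template expansion on the value.
        return restTemplate.getForObject(resolveItemUri(itemId), String.class);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate id and two attempts to redirect the request.
        String[] inputs = {"item-42", "../../admin", "evil.example/x"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveItemUri(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running main prints the resolved URI for item-42 and "rejected" for the other two inputs. If a scanner still flags fetchItem, its trace should show which source it believes reaches the sink; a URL assembled only from constants, with the caller-controlled fragment validated by an allow-pattern and passed through a URI object, gives the analyzer nothing tainted to follow, which is the situation the answer above describes as a false positive.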

This is a false positive from your SAST scanner.

