服务器端请求伪造漏洞

Question

I have a RESTful service controller that requests another RESTful service

@ResponseBody
@RequestMapping(value = "/headerparameters/{instanceId}", method = RequestMethod.DELETE)
public RestContainerFormBean passivizeHeaderParameter(@PathVariable String instanceId) throws GenericException, IOException {

    String url = proactiveURL + "/customerheaders/" + instanceId;
    if(isSecurityCheckOK(url)){
        ResponseEntity<CustomerHeaderParameterBean> response = restTemplate.exchange(url, HttpMethod.DELETE, new HttpEntity<>(new HttpHeaders()), CustomerHeaderParameterBean.class);
        CustomerHeaderParameterBean result = response.getBody();
        setButtonActivity(result);
        l10nOfValue(result);
        return new RestContainerFormBean(result);
    } else{
        throw new IOException();
    }
}

This code can not pass SonarQube policy.

Refactor this code to not construct the URL from tainted,

User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. A remote server making requests to URLs based on tainted data could enable attackers to make arbitrary requests to the internal network or to the local file system.

The problem could be mitigated in any of the following ways:

Validate the user provided data based on a whitelist and reject input not matching. Redesign the application to not send requests based on user provided data.

How can I pass the policy by sticking on REST conventions ?

Answer 1

使用 UriComponentsBuilder 对 URL 进行编码，而不是使用原始 URL。