
How to resolve the Unchecked Input for Loop Condition Checkmarx issue in Java

I am getting an Unchecked Input for Loop Condition Checkmarx issue.
I tried the recommended code handling but it's not working for me.

Checkmarx report's description:

 Method transformPojoCommon at line 334 of to_web/src/com/toweb/bd/TrainCategoriesBD.java gets user input from element TC_TRAIN_CAT_NAME. This element's value flows through the code without being validated, and is eventually used in a loop condition in getParentTrainTypes at line 162 of to_web/src/com/toweb/dao/TrainCategoriesDAO.java. This constitutes an Unchecked Input for Loop Condition.

I tried the code below:

// canonicalize the raw parameter first, then pass it through the validator and keep the result
String objId = validateRequestInput(ESAPI.encoder()
    .canonicalize(request.getParameter(TOWebRequestConstants.TC_OBJID).trim()));

private String validateRequestInput(String currentPage) {
    try {
        // whitelist check against the configured HTTPParameterValue pattern, at most 2000 characters
        currentPage = ESAPI.validator().getValidInput("HTTP parameter value: ", currentPage, "HTTPParameterValue", 2000, true);
    } catch (Exception e1) {
        log.error("failed to validate HTTP parameter value ", e1);
        throw new IllegalArgumentException("failed to validate HTTP parameter value " + currentPage, e1);
    }
    return currentPage;
}

I have fixed these issues by using ESAPI.validator().getValidInteger() or ESAPI.validator().getValidDouble() based on the return type.

Hope this solution will help you too.
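As an added illustration (not code from the question or from either answer), this is the pattern the answer above describes: a hypothetical pageSize request parameter is used as a loop bound, first taken raw and then parsed and range-checked with ESAPI's getValidInteger, so the value that reaches the loop is an integer inside an application-defined limit. The class name, the parameter name and MAX_PAGE_SIZE are assumptions; the same idea applies to a string-length loop if the string is first bounded with getValidInput and its maxLength argument.

```java
import javax.servlet.http.HttpServletRequest;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example: a hypothetical "pageSize" parameter that ends up as a loop bound.
public class BoundedLoopExample {

    // Largest number of items the server is willing to process per request.
    // Assumed application limit; choose one that fits the real use case.
    private static final int MAX_PAGE_SIZE = 500;

    // BEFORE: the raw parameter drives the loop. Any value the client sends,
    // including one far beyond what the UI offers, decides how long the server works.
    public static int countRawPage(HttpServletRequest request) {
        int pageSize = Integer.parseInt(request.getParameter("pageSize"));
        int processed = 0;
        for (int i = 0; i < pageSize; i++) {
            processed++; // stands in for real per-item work
        }
        return processed;
    }

    // AFTER: the loop bound is an integer that ESAPI has parsed AND range-checked.
    // Validation happens once at the boundary and only the bounded value flows on.
    public static int countValidatedPage(HttpServletRequest request) {
        int pageSize = validPageSize(request.getParameter("pageSize"));
        int processed = 0;
        for (int i = 0; i < pageSize; i++) {
            processed++;
        }
        return processed;
    }

    static int validPageSize(String raw) {
        try {
            // Rejects non-numeric input and anything outside [1, MAX_PAGE_SIZE];
            // allowNull=false makes a missing parameter a validation error as well.
            Integer value = ESAPI.validator().getValidInteger(
                    "pageSize", raw, 1, MAX_PAGE_SIZE, false);
            return value.intValue();
        } catch (ValidationException e) {
            throw new IllegalArgumentException("invalid pageSize parameter", e);
        }
    }
}
```

The point the scanner cares about is that the loop condition is computed from the range-checked return value of the validator, not from the parameter string itself.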

The method below just compares the maximum size of a String with the input (yourString), to skip the input if it has infinite length. If the user input (yourString) has infinite length and yourString.length() is used somewhere in a while or for loop, then there is a chance of the condition running an infinite number of times, which is a vulnerability and causes an exception to be thrown. So with this approach we can avoid that by throwing an exception with a message saying to enter a valid string, or by handling it as you require.

// yourString holds the raw input obtained earlier
String checked = unchecked_input_loop(yourString);

public String unchecked_input_loop(String yourString) {
    if (yourString.length() >= Integer.MAX_VALUE) {
        // if you need to throw an exception saying OutOfMemoryError you can do this, or else you can just return null
        throw new RuntimeException("Enter a valid yourString");
    }

    return yourString;
}
