我開發的JAVA程式碼在給Fortify檢測後,一直被查出有path manipulation…
上網查大都是教人用文字白名單過濾,但我有兩個path manipulation問題,
一是isr= new InputStreamReader 這行被檢出,這看似無法套用文字過濾…
二是 line = cleanString (br.readLine()); 這行,我本來想用文字過濾,但想到readline進來的網路資料的文字不會只有英文,還有中文,
我無法全都列進白名單,只能在確認它其中有success的文字後跳過。
以下的方法都無法騙過Fortify,不知版上有沒有人能給小弟幫助,謝謝。
public static void main(String[] args) {
String checkurl = "https://opendata.tw/";
URL connectto = new URL(checkurl);
HttpsURLConnection conn = (HttpsURLConnection) connectto.openConnection();
try {
conn.connect();}catch (IOException e){}
InputStreamReader isr = null;
if (conn.toString().contains("https://opendata.tw/")) {
if (cleanConn (conn.getInputStream()) != null){
isr= new InputStreamReader ( cleanConn(conn.getInputStream()),"UTF-8" ); }
BufferedReader br = new BufferedReader(isr);
StringBuilder sb = new StringBuilder();
String line;
line = cleanString (br.readLine());
}
public static String cleanString(String path) {
HashMap<String, String> map = new HashMap<String, String>();
map.put("a", "a");
map.put("b", "b");
map.put("c", "c");
map.put("d", "d");
map.put("e", "e");
map.put("f", "f");
map.put("g", "g");
map.put("h", "h");
map.put("i", "i");
map.put("j", "j");
map.put("k", "k");
map.put("l", "l");
map.put("m", "m");
map.put("n", "n");
map.put("o", "o");
map.put("p", "p");
map.put("q", "q");
map.put("r", "r");
map.put("s", "s");
map.put("t", "t");
map.put("u", "u");
map.put("v", "v");
map.put("w", "w");
map.put("x", "x");
map.put("y", "y");
map.put("z", "z");
map.put("A", "A");
map.put("B", "B");
map.put("C", "C");
map.put("D", "D");
map.put("E", "E");
map.put("F", "F");
map.put("G", "G");
map.put("H", "H");
map.put("I", "I");
map.put("J", "J");
map.put("K", "K");
map.put("L", "L");
map.put("M", "M");
map.put("N", "N");
map.put("O", "O");
map.put("P", "P");
map.put("Q", "Q");
map.put("R", "R");
map.put("S", "S");
map.put("T", "T");
map.put("U", "U");
map.put("V", "V");
map.put("W", "W");
map.put("X", "X");
map.put("Y", "Y");
map.put("Z", "Z");
map.put(".", ".");
map.put(":", ":");
map.put("/", "/");
map.put("\\", "\\");
Character curChar = null;
Character nextChar = null;
if (path.contains("http")) {
map.put("?", "?");
map.put("-", "-");
map.put("=", "=");
map.put("0", "0");
map.put("1", "1");
map.put("2", "2");
map.put("3", "3");
map.put("4", "4");
map.put("5", "5");
map.put("6", "6");
map.put("7", "7");
map.put("8", "8");
map.put("9", "9");
//map.put(",", ",");
//map.put("\"", "\"");
//map.put("[", "[");
//map.put("]", "]");
//map.put("{", "{");
//map.put("}", "}");
}
if (path.contains("success")) {
return path;
}else {
String temp = "";
for (int i = 0; i < path.length(); i++) {
try{
curChar=path.charAt(i);
nextChar= path.charAt(i+1);
}catch (Exception e) {}
//過濾,避免有../的跳脫字元
if (map.get(path.charAt(i)+"")!=null) {
if (map.get(path.charAt(i)+"")!=null && curChar == '.' && nextChar !='.') {
temp += map.get(path.charAt(i)+"");
}else if (map.get(path.charAt(i)+"")!=null && curChar != '.') {
temp += map.get(path.charAt(i)+"");
}
}
}
return temp;
}
}
private static InputStream cleanConn(InputStream inputStream) {
// TODO Auto-generated method stub
if (inputStream.toString().contains("sun.net.www.protocol.http.HttpURLConnection")) {
return inputStream;
}
return null;
}
已邀請的邦友 {{ invite_list.length }}/5
iThome鐵人賽
看影片追技術