iT邦幫忙


My Java code keeps getting flagged by Fortify for path manipulation

After I run the Java code I developed through Fortify, it keeps reporting path manipulation...

Most of what I find online teaches whitelist filtering of the text, but I have two path manipulation findings:

The first is the line `isr = new InputStreamReader`, which gets flagged; text filtering doesn't look like it can be applied here...

The second is the line `line = cleanString(br.readLine());`. I originally wanted to use text filtering, but then realised the text coming in over the network from readLine isn't only English, it also contains Chinese,
and I can't put all of it in a whitelist; I can only skip it after confirming it contains the text "success".

None of the methods below can fool Fortify. I'd like to ask whether anyone here can help me out. Thanks.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.HashMap;
import javax.net.ssl.HttpsURLConnection;

public class FortifyPathCheck {

	public static void main(String[] args) throws IOException {

		String checkurl = "https://opendata.tw/";

		URL connectto = new URL(checkurl);
		HttpsURLConnection conn = (HttpsURLConnection) connectto.openConnection();

		try {
			conn.connect();
		} catch (IOException e) {
			// connection errors are ignored here, as in the original snippet
		}

		InputStreamReader isr = null;
		if (conn.toString().contains("https://opendata.tw/")) {

			if (cleanConn(conn.getInputStream()) != null) {
				isr = new InputStreamReader(cleanConn(conn.getInputStream()), "UTF-8");
			}

			BufferedReader br = new BufferedReader(isr);
			StringBuilder sb = new StringBuilder();

			String line;
			line = cleanString(br.readLine());
			sb.append(line);
		}
	}

	public static String cleanString(String path) {

		// readLine() returns null at end of stream; the original would throw NPE here
		if (path == null) {
			return null;
		}

		// Allow-list of characters that may pass through: letters, '.', ':', '/', '\'.
		// Built from one string instead of one map.put per character; same contents as before.
		HashMap<String, String> map = new HashMap<String, String>();
		String allowed = "abcdefghijklmnopqrstuvwxyz"
				+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
				+ ".:/\\";
		for (char c : allowed.toCharArray()) {
			map.put(String.valueOf(c), String.valueOf(c));
		}

		// URLs may additionally contain query characters and digits
		if (path.contains("http")) {
			for (char c : "?-=0123456789".toCharArray()) {
				map.put(String.valueOf(c), String.valueOf(c));
			}
			//map.put(",", ",");
			//map.put("\"", "\"");
			//map.put("[", "[");
			//map.put("]", "]");
			//map.put("{", "{");
			//map.put("}", "}");
		}

		if (path.contains("success")) {
			return path;
		} else {
			StringBuilder temp = new StringBuilder();
			for (int i = 0; i < path.length(); i++) {
				char curChar = path.charAt(i);
				// '\0' marks the end of the string; the original read charAt(i+1) inside a
				// try/catch, which left nextChar stale on the last character
				char nextChar = (i + 1 < path.length()) ? path.charAt(i + 1) : '\0';

				// filter: drop a '.' that is directly followed by another '.', to avoid ../ escapes
				String mapped = map.get(String.valueOf(curChar));
				if (mapped != null) {
					if (curChar == '.' && nextChar != '.') {
						temp.append(mapped);
					} else if (curChar != '.') {
						temp.append(mapped);
					}
				}
			}
			return temp.toString();
		}
	}

	private static InputStream cleanConn(InputStream inputStream) {
		if (inputStream.toString().contains("sun.net.www.protocol.http.HttpURLConnection")) {
			return inputStream;
		}
		return null;
	}
}
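As an added example (this is not code from the original post), here is the allow-list check the post is reaching for, written compactly, together with the check that actually stops traversal: resolving the value under a fixed base directory and verifying that the normalised result is still inside it. The class name SafePath, the base directory /var/app/data and the sample inputs are assumptions made for this illustration. Two caveats drawn from the post's own code: its character loop turns "a/../b" into "a/./b" rather than removing the traversal, so the example rejects any ".." outright; and a character allow-list only makes sense for a value that is actually used as a file path, which a response line read with readLine() (Chinese text included) usually is not. Independently of what the validator does, Fortify credits a method as a sanitiser only when a built-in or custom cleanse rule names it, so a helper called cleanString will not by itself clear the finding.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not from the original post: a compact replacement for the
// HashMap allow-list, plus confinement of the result to a base directory.
public final class SafePath {

    // Allow-list as one regex: the same characters the post's map permits for URLs
    // (letters, digits, '.', ':', '/', '\', '?', '=', '-') and nothing else.
    private static final Pattern ALLOWED =
            Pattern.compile("[A-Za-z0-9.:/\\\\?=\\-]+");

    /** True only if every character is on the allow-list and there is no ".." anywhere. */
    public static boolean isCleanPath(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        if (!ALLOWED.matcher(candidate).matches()) {
            return false;
        }
        // Reject ".." outright instead of dropping dots one at a time:
        // the post's loop maps "a/../b" to "a/./b", which still contains the traversal intent.
        return !candidate.contains("..");
    }

    /**
     * Resolves userSegment under baseDir and returns the normalised path only if it is
     * still inside baseDir; throws otherwise. This is the check that actually stops
     * traversal, independent of which characters were allowed.
     */
    public static Path confine(Path baseDir, String userSegment) {
        if (!isCleanPath(userSegment)) {
            throw new IllegalArgumentException("rejected by allow-list: " + userSegment);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() discards base when userSegment is absolute, so the startsWith check below
        // also catches "/etc/passwd" style input
        Path resolved = base.resolve(userSegment).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("escapes base directory: " + userSegment);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/app/data");   // assumed base directory for the example
        String[] samples = {                      // constructed inputs
            "reports/2019/q1.csv",                // accepted
            "reports/./q1.csv",                   // accepted, normalises to reports/q1.csv
            "../../etc/passwd",                   // rejected: contains ".."
            "reports/..\\..\\win.ini",            // rejected: contains ".."
            "/etc/passwd",                        // rejected: absolute path escapes base
            "report s.csv"                        // rejected: space is not on the allow-list
        };
        for (String s : samples) {
            try {
                System.out.println("OK       " + confine(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + e.getMessage());
            }
        }
    }
}
```

The allow-list and the base-directory check do different jobs: the regex keeps obviously foreign characters out, while resolve() plus normalize() plus startsWith() is what guarantees the final path cannot leave the directory you chose, whatever characters got through.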
老司機 (iT邦 Newbie Level 5) ‧ 2019-05-27 09:48:56
Put the problematic code into a jar file, and have the original program import that jar...
ShaoM (iT邦 Newbie Level 5) ‧ 2019-06-19 09:12:03
Thanks for the suggestion, 老司機, but after fiddling with it I couldn't work out how to package part of my own code into a jar and then import it back in for my own code to call (that's mainly the part I don't know). I searched online, but most of the material only teaches how to import someone else's jar...
ShaoM (iT邦 Newbie Level 5) ‧ 2019-06-21 09:32:56
Answering my own question: I found a video tutorial, and I'm sharing the approach for other members as a reference:
https://www.youtube.com/watch?v=XmhzSIDSqBE

No one has answered yet.