
For the code mentioned below, I'm getting a Trust Boundary Violation in the CheckMarx report.

Error description - Method 'getResponse' gets user input from element request. This element's value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object, in 'parseRequest' method.

Code -

import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import java.util.HashMap;
import java.util.regex.Pattern;
import com.google.common.base.Strings;          // Strings.isNullOrEmpty (Guava)
import org.apache.logging.log4j.ThreadContext;   // assumed: log4j2 thread context (MDC)

@Context
HttpHeaders httpHeader;

void parseRequest(SomeRequestType inputRequest) {
    // requestData is built from the incoming request, so everything in it is untrusted
    HashMap<String, Data> requestData = inputRequest.getRequestData(httpHeader);
    if (requestData != null) {
        if (Strings.isNullOrEmpty(inputRequest.getId())) {
            Data data = requestData.get("data");
            if (data == null) {
                return; // no "data" element in the request; nothing to copy
            }
            var dataID = data.getID(); // a String that still carries the request's taint
            // only accept a purely numeric id before storing it anywhere
            if ((dataID != null) && Pattern.matches("[0-9]+", dataID)) {
                inputRequest.setId(dataID);
                ThreadContext.put("ID", dataID); // the line flagged by Checkmarx
            }
        }
    }
}

I am getting the Checkmarx vulnerability at the line below, for "without being properly sanitized or validated":

ThreadContext.put("ID", dataID);

Could someone please help me with how to properly sanitize the above line?

  • Can we use ESAPI.validator().getValidInput(....) on the 'requestData' or 'data' field? –  Aug 01 '18 at 20:10
  • Is there any more info I can add to the post for better understanding and to make it more responsive? –  Aug 02 '18 at 00:00

1 Answer


If you know for sure that dataID is a number, convert it to an int/long right away, like this:

int dataIDasNumber = Integer.parseInt(dataID);

And use it like int/long here:

inputRequest.setId(dataIDasNumber);                        // requires setId to accept an int/long
ThreadContext.put("ID", String.valueOf(dataIDasNumber));  // ThreadContext.put takes (String, String)

Then you don't need to do this:

Pattern.matches...

And your checkmarx violation should go away.

metatron