
We are using the Java Spring framework. We have an endpoint for passing an email object.

    @RequestMapping(method = RequestMethod.POST, path = "/api/messaging/v1/emailMessages/actions/send")
    String sendEmail(@RequestBody Email email);

Here Checkmarx says: The email may unintentionally allow setting the value of cc in LinkedList<>, in the object Email.

The Email object is as follows:

    import java.util.Collections;
    import java.util.Date;
    import java.util.LinkedList;
    import java.util.List;

    // Objects.equal(...) is the Guava helper, not java.util.Objects
    import com.google.common.base.Objects;

    // ContentType and EmailAttachment are project-specific types not shown in the question
    public class Email {

        private List<String> bcc = new LinkedList<>();

        private List<String> cc = new LinkedList<>();

        private String content;

        private ContentType contentType = ContentType.TXT;

        private String from;

        private String returnPath;

        private Date sent;

        private String subject;

        private List<EmailAttachment> attachments = new LinkedList<>();

        private List<String> to = new LinkedList<>();

        public List<String> getBcc() {
            return bcc;
        }

        // Overloaded setter: a single address is wrapped in a one-element list
        public void setBcc(String bcc) {
            this.bcc = Collections.singletonList(bcc);
        }

        public void setBcc(List<String> bcc) {
            this.bcc = bcc;
        }

        public List<String> getCc() {
            return cc;
        }

        public void setCc(String cc) {
            this.cc = Collections.singletonList(cc);
        }

        public void setCc(List<String> cc) {
            this.cc = cc;
        }

        public String getContent() {
            return content;
        }

        public void setContent(String content) {
            this.content = content;
        }

        public ContentType getContentType() {
            return contentType;
        }

        public void setContentType(ContentType contentType) {
            this.contentType = contentType;
        }

        public String getFrom() {
            return from;
        }

        public void setFrom(String from) {
            this.from = from;
        }

        public String getReturnPath() {
            return returnPath;
        }

        public void setReturnPath(String returnPath) {
            this.returnPath = returnPath;
        }

        public Date getSent() {
            return sent;
        }

        public void setSent(Date sent) {
            this.sent = sent;
        }

        public String getSubject() {
            return subject;
        }

        public void setSubject(String subject) {
            this.subject = subject;
        }

        public List<String> getTo() {
            return to;
        }

        public void setTo(String to) {
            this.to = Collections.singletonList(to);
        }

        public void setTo(List<String> to) {
            this.to = to;
        }

        public List<EmailAttachment> getAttachments() {
            return attachments;
        }

        public void setAttachments(List<EmailAttachment> attachments) {
            this.attachments = attachments;
        }

        // Equality is defined on from/to/subject/content only
        @Override
        public boolean equals(Object object) {
            boolean equals = false;
            if (object instanceof Email) {
                Email that = (Email) object;
                equals = Objects.equal(this.from, that.from)
                        && Objects.equal(this.to, that.to)
                        && Objects.equal(this.subject, that.subject)
                        && Objects.equal(this.content, that.content);
            }

            return equals;
        }

        // hashCode must be consistent with equals, so it uses the same four fields
        @Override
        public int hashCode() {
            return Objects.hashCode(from, to, subject, content);
        }

    }

I don't understand these findings or how to solve this.

securecodeninja
kandarp
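The finding is about which fields a client can populate through the request body: binding the JSON directly to Email lets a caller set cc, bcc, from, returnPath and sent, even if the endpoint was only meant to accept recipients, a subject and a body. One way to narrow that surface, added here as an example that is not code from the question or the answer, is to bind the request to a small DTO that carries only the client-settable fields and build the Email object server-side. The names SendEmailRequest, EmailController, EmailService and the SYSTEM_FROM value are assumptions; Email is the class from the question.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Request DTO (assumed name): only the fields a caller is allowed to set.
// There is no cc, bcc, from, returnPath, sent or attachments property here, so
// a JSON body that includes them never reaches Email. Jackson either ignores
// the unknown keys or rejects the request, depending on its
// FAIL_ON_UNKNOWN_PROPERTIES setting.
class SendEmailRequest {
    private List<String> to = new ArrayList<>();
    private String subject;
    private String content;

    public List<String> getTo() { return to; }
    public void setTo(List<String> to) { this.to = to; }
    public String getSubject() { return subject; }
    public void setSubject(String subject) { this.subject = subject; }
    public String getContent() { return content; }
    public void setContent(String content) { this.content = content; }
}

// Assumed collaborator that performs the actual delivery.
interface EmailService {
    String send(Email email);
}

@RestController
public class EmailController {

    // Constructed placeholder; the real sender address is server configuration.
    private static final String SYSTEM_FROM = "noreply@example.invalid";

    private final EmailService emailService;

    public EmailController(EmailService emailService) {
        this.emailService = emailService;
    }

    @PostMapping("/api/messaging/v1/emailMessages/actions/send")
    public String sendEmail(@RequestBody SendEmailRequest request) {
        Email email = toEmail(request);
        return emailService.send(email);
    }

    // Explicit mapping: every field on Email is decided here, not by the binder.
    static Email toEmail(SendEmailRequest request) {
        Email email = new Email();
        // Copy the list so the caller's collection instance is not shared with Email.
        email.setTo(new ArrayList<>(request.getTo()));
        email.setSubject(request.getSubject());
        email.setContent(request.getContent());
        // Server-controlled fields: the client cannot influence these.
        email.setFrom(SYSTEM_FROM);
        email.setSent(new Date());
        // cc and bcc keep their empty defaults unless server-side policy adds entries.
        return email;
    }
}
```

With this shape the controller method signature itself documents what a caller may set, and the scanner has no path from the request body to Email.setCc or Email.setBcc. If some callers legitimately need cc, add that one field to the DTO deliberately rather than exposing the whole Email class.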

1 Answer

I have added Lombok with @Getter & @Setter annotation to resolve this issue.

VK Raj
  • Please consider explaining your resolution. It currently is not clear what steps to take to make use of the answer. – James Risner Feb 19 '23 at 14:15
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Feb 24 '23 at 08:33