
I am struggling with one of the Checkmarx vulnerabilities. I need some guidance to support this. Below is my code:

try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()))) {
    String content = null;
    // Read the response body line by line; Checkmarx flags this call.
    while ((content = in.readLine()) != null) {
        // Logic to parse JSON data and use it.
    }
}

Here con is (HttpURLConnection) new URL("some url").openConnection().

So Checkmarx is highlighting the issue at in.readLine().

Workarounds I tried:

1: StringEscapeUtils.unescapeJson(in.readLine()); it's not helping.

2: Used in.lines().collect(Collectors.joining()) in place of in.readLine(), from something I read on Google. It fixed this one but introduced a new finding at con.getInputStream() (the same vulnerability).

Please help to fix this issue. Thanks in advance.

securecodeninja
amu61

1 Answer


Technically it should be StringEscapeUtils.escapeJson(in.readLine()), not StringEscapeUtils.unescapeJson(in.readLine()). The intent is to output encode to prevent XSS, not the other way around.

try (BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()))) {
    String content = null;
    // escapeJson returns null for a null input, so the loop still ends at EOF.
    while ((content = StringEscapeUtils.escapeJson(in.readLine())) != null) {
        // Logic to parse JSON data and use it.
    }
}

Still, I don't think Checkmarx will recognize this as a sanitizer; as far as I can see, it only looks for the escapeXml, escapeHtml, escapeHtml3 and escapeHtml4 methods under StringEscapeUtils.

Work with your security team to update the Checkmarx query to include escapeJson, or use an alternative that Checkmarx recognizes, such as a replace method that strips the tag characters <, >, </ and />. That is not a foolproof solution, though, and should not be considered robust secure code.

securecodeninja
  • Yes, I did try with escapeJson and, as you mentioned, it was the same issue. As of now I am trying to change the approach by using RestTemplate and am also in talks with the security team. – amu61 Apr 08 '21 at 17:47
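As an added example (this is not code from the question or the answer), here is one way to restructure the read so that the question of "sanitizing" at in.readLine() goes away: the body is read as bytes with a size cap, decoded with the charset the server declared, handed to a real JSON parser, and only the field that ends up in HTML is encoded, at the HTML sink, with escapeHtml4, one of the methods the answer says Checkmarx already treats as a sanitizer. The example assumes Jackson (com.fasterxml.jackson.databind) and Apache Commons Text on the classpath, a 1 MiB body cap, a JSON field named displayName, and the HTML fragment it is rendered into; all of those are assumptions for illustration. The sample JSON in main is constructed, so the class runs without a network connection.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.text.StringEscapeUtils;

public class UpstreamJsonClient {

    // Assumed cap on how much response body we are willing to buffer.
    private static final int MAX_BODY_BYTES = 1 << 20;

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Picks the charset out of a Content-Type header, falling back to UTF-8. */
    static Charset charsetOf(String contentType) {
        if (contentType != null) {
            for (String part : contentType.split(";")) {
                String p = part.trim().toLowerCase(Locale.ROOT);
                if (p.startsWith("charset=")) {
                    try {
                        return Charset.forName(p.substring("charset=".length()).replace("\"", ""));
                    } catch (IllegalArgumentException e) {
                        break; // unknown or malformed charset name: use the default
                    }
                }
            }
        }
        return StandardCharsets.UTF_8;
    }

    /** Reads the whole body as bytes, refusing anything larger than MAX_BODY_BYTES. */
    static String readBody(InputStream in, String contentType) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            if (buf.size() + n > MAX_BODY_BYTES) {
                throw new IOException("response body exceeds " + MAX_BODY_BYTES + " bytes");
            }
            buf.write(chunk, 0, n);
        }
        return new String(buf.toByteArray(), charsetOf(contentType));
    }

    /** Parses the body with a real JSON parser and extracts the (assumed) displayName field. */
    static String displayNameFrom(String body) throws IOException {
        JsonNode root = MAPPER.readTree(body);
        JsonNode name = root.path("displayName");
        if (!name.isTextual()) {
            throw new IOException("displayName missing or not a string");
        }
        return name.asText();
    }

    /** The HTML sink: this is where output encoding belongs, not at the read. */
    static String toHtmlFragment(String displayName) {
        return "<span class=\"user\">" + StringEscapeUtils.escapeHtml4(displayName) + "</span>";
    }

    /** Same helpers wrapped around a live HttpURLConnection, as in the question. */
    static String fetchDisplayNameHtml(URL url) throws IOException {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setConnectTimeout(5_000);
        con.setReadTimeout(10_000);
        try {
            if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IOException("unexpected status " + con.getResponseCode());
            }
            try (InputStream in = con.getInputStream()) {
                String body = readBody(in, con.getContentType());
                return toHtmlFragment(displayNameFrom(body));
            }
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample response standing in for the upstream service.
        String sample = "{\"id\": 7, \"displayName\": \"<script>alert(1)</script>\"}";
        InputStream in = new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8));
        String body = readBody(in, "application/json; charset=utf-8");
        System.out.println(toHtmlFragment(displayNameFrom(body)));
    }
}
```

The point of splitting readBody, displayNameFrom and toHtmlFragment is that each untrusted value is handled in the context it is actually used in: the body is bounded and decoded, the JSON is parsed rather than string-manipulated, and HTML encoding is applied once, at the place the value meets HTML. Escaping the raw line before parsing, as in the answer's escapeJson loop, would corrupt the JSON before the parser ever sees it.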