
I ran a CheckMarx Scan on my repository and it gave quite many potential Reflected XSS attack results. Here is the code for my controller :

@PutMapping("/calculate")
public UpdatedResponse calculateModel(
        @RequestBody ModelDocument modelDocument, @RequestParam String clientFirstName,
        @PathVariable String clientId, @PathVariable String clientLastName
) {

    // Sanitize the parameters

    modelDocument = checkForCSS(modelDocument); // NOT ACCEPTING THIS
    clientId = StringEscapeUtils.escapeHtml4(clientId);
    clientFirstName = StringEscapeUtils.escapeHtml4(clientFirstName);
    clientLastName = StringEscapeUtils.escapeHtml4(clientLastName);
    .....
}

I was able to resolve the warnings for clientId, clientFirstName and clientLastName, since they are all String variables. But how do I do it for modelDocument, since it is a user-defined type in itself and further has various strings, maps etc. defined inside of it?

The method checkForCSS is defined as below but is not being recognized by the scan:

import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.lang.reflect.Type;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;
// Serialize the object to JSON, strip HTML from the JSON text, then deserialize it back into the same type.
public static <T> T checkForCSS(T t) {
    Gson gson = new GsonBuilder().serializeSpecialFloatingPointValues().create();
    String agendaModelStr = sanitize(gson.toJson(t));
    return gson.fromJson(agendaModelStr, (Type) t.getClass());
}

// Jsoup with an empty whitelist removes every tag; prettyPrint(false) keeps the JSON on one line.
public static String sanitize(String string) {
    return Jsoup.clean(string, "", Whitelist.none(), new Document.OutputSettings().prettyPrint(false));
}

Any help would be appreciated. Thanks!

DujSn28
  • XSS is an output issue, not an input issue. Is that method returning JSON or HTML? – fgb Sep 24 '21 at 13:15
  • @DujSn28 you will have to use Checkmarx CxAudit to create a custom Checkmarx query (overriding the base Reflected XSS Checkmarx query) to recognize your checkCSS method as a valid sanitizer – securecodeninja Oct 14 '21 at 00:53

1 Answer


try this:

ESAPI.encoder().encodeForHTML(clientFirstName);

and do it for all your query params.

mosab
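The serialize-clean-deserialize idea behind checkForCSS, generalized as an added example that is not code from the question or the answer: Jackson instead of Gson, the OWASP Java Encoder's Encode.forHtml instead of Jsoup (values are encoded rather than stripped, so data such as "a < b" survives), and a walk over the JSON tree so nested objects, lists and map values are all covered, which is what the answer's "do it for all your params" amounts to for a request body. HtmlEncodingSanitizer, the ModelDocument stand-in, the sample values and the Jackson/OWASP Encoder dependencies are assumptions.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import org.owasp.encoder.Encode;

import java.util.List;
import java.util.Map;

// Added example (not from the question or the answer): walks a deserialized request
// body as a Jackson tree and HTML-encodes every String leaf, whatever the nesting.
public final class HtmlEncodingSanitizer {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    private HtmlEncodingSanitizer() {}

    /**
     * Returns a copy of value in which every String reachable through fields,
     * collections and map values is HTML-encoded. Numbers, booleans and nulls
     * pass through unchanged, so the tree still maps back onto the original type.
     */
    public static <T> T encodeStrings(T value) {
        if (value == null) {
            return null;
        }
        @SuppressWarnings("unchecked")
        Class<T> type = (Class<T>) value.getClass();
        JsonNode tree = MAPPER.valueToTree(value);
        try {
            return MAPPER.treeToValue(encodeNode(tree), type);
        } catch (JsonProcessingException e) {
            throw new IllegalArgumentException("cannot rebuild " + type.getName(), e);
        }
    }

    private static JsonNode encodeNode(JsonNode node) {
        if (node.isTextual()) {
            // Encode rather than strip: '<', '>', '&' and quotes become entities
            // that a browser renders as text instead of interpreting as markup.
            return TextNode.valueOf(Encode.forHtml(node.textValue()));
        }
        if (node.isObject()) {
            ObjectNode out = MAPPER.createObjectNode();
            node.fields().forEachRemaining(
                    e -> out.set(e.getKey(), encodeNode(e.getValue())));
            return out;
        }
        if (node.isArray()) {
            ArrayNode out = MAPPER.createArrayNode();
            for (JsonNode child : node) {
                out.add(encodeNode(child));
            }
            return out;
        }
        return node; // numbers, booleans, null
    }

    // Hypothetical stand-in for the question's ModelDocument; public fields and a
    // no-arg constructor keep it trivially (de)serializable by Jackson.
    public static class ModelDocument {
        public String title;
        public Map<String, String> attributes;
        public List<String> notes;
    }

    public static void main(String[] args) {
        // Constructed sample input with markup in every kind of nested String.
        ModelDocument doc = new ModelDocument();
        doc.title = "<script>alert(1)</script>";
        doc.attributes = Map.of("owner", "O'Brien & Sons");
        doc.notes = List.of("a < b", "<b>bold</b>");

        ModelDocument safe = encodeStrings(doc);
        System.out.println(safe.title);
        System.out.println(safe.attributes);
        System.out.println(safe.notes);
    }
}
```

Two caveats from the comments above still apply. Checkmarx will not recognise this method as a sanitizer any more than it recognises checkForCSS; that needs the custom query securecodeninja describes. And, as fgb points out, XSS is an output problem: encoding on input stores entities in the model and double-encodes anything a template later encodes again, while a controller that returns JSON with an application/json content type is not rendered as HTML by the browser in the first place. The helper is useful when the body really is going to be reflected into an HTML page and there is no encoding at the view layer; otherwise prefer to encode where the value is emitted.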