
I have an MVC application. I have a generic method that does an HttpClient GetAsync, in which there is a low Veracode flaw on this line:

HttpResponseMessage response = client.GetAsync(client.BaseAddress).Result;

Here is the method:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// ReadAsJsonAsync<R> is an extension method defined elsewhere in the project (not shown here).
public static async Task<R?> SendSync<R>(string url)
{
    HttpClient client = new HttpClient();
    R? value = default;

    client.BaseAddress = new Uri(url);

    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

    // The line Veracode flags: blocks on .Result inside an async method
    HttpResponseMessage response = client.GetAsync(client.BaseAddress).Result;

    if (response.IsSuccessStatusCode)
        value = await response.Content.ReadAsJsonAsync<R>();
    return value;
}

How can I solve it?

thanks

Diego

2 Answers


Basically, Veracode is flagging this because of the possibility of exposing sensitive information over a network. You would have to ensure that you're not, and if you are, discuss with your security team for a recommended approach to securing your information.

In the case where you are not sending sensitive information, discuss with your security team, explaining that you're not and how you can go around mitigation (for more information, dive in here).

You can also go through a similar question in the Veracode community here.

Sammy

I solved this.

Once I have set this line

client.BaseAddress = new Uri(url);

the line

HttpResponseMessage response = await client.GetAsync(client.BaseAddress);

can be replaced with this:

HttpResponseMessage response = await client.GetAsync("");
Diego
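As an added example (not code from the question or either answer), here is a version of the same method that addresses both points raised above: the URL is validated before it is put on the wire (HTTPS only and a hypothetical allow-list of hosts, so sensitive data is not sent in clear text or to an unexpected endpoint), and the blocking `.Result` call is replaced by `await`. It assumes `System.Net.Http.Json` (`ReadFromJsonAsync<T>`) is available and passes the validated `Uri` directly instead of using `BaseAddress` plus `""`.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;   // ReadFromJsonAsync<T> (assumption: package/runtime provides it)
using System.Threading.Tasks;

public static class JsonGateway
{
    // One shared client instead of a new one per call (assumption: no per-call
    // handlers are needed; a client per call also exhausts sockets under load).
    private static readonly HttpClient Client = CreateClient();

    private static HttpClient CreateClient()
    {
        var client = new HttpClient();
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));
        return client;
    }

    // Hypothetical allow-list of hosts this application is permitted to call.
    private static readonly string[] AllowedHosts = { "api.example.com" };

    public static async Task<R?> SendAsync<R>(string url)
    {
        // Validate the caller-supplied URL before any request is made:
        // absolute, HTTPS only, and only a known host.
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || Array.IndexOf(AllowedHosts, uri.Host) < 0)
        {
            throw new ArgumentException("URL is not an allowed HTTPS endpoint.", nameof(url));
        }

        // await instead of .Result: the request thread is not blocked and there is
        // no deadlock against the ASP.NET synchronization context.
        using HttpResponseMessage response = await Client.GetAsync(uri);

        if (!response.IsSuccessStatusCode)
            return default;

        return await response.Content.ReadFromJsonAsync<R>();
    }
}
```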