@RequestMapping("/redirect")publicvoidredirect(@RequestParam()Stringurl,Stringa)throwsMalformedURLException{URLnewUrl=newURL(url);// Bad: User-controlled input used directlyURLnewUrl=newURL(url+"/path");}@RequestMapping("/api")publicvoidapiEndpoint(@RequestParamStringhost){Stringurl1="http://"+host+"/api/resource";// Bad: User input concatenated into URLStringurl2="http://".concat(host);Stringurl3="https://";url3+=host;Stringurl4=String.format("https://%v",host);Stringurl5="https://%v";Stringurl6=String.format(url5,host)}@RequestMapping("/fetch")publicvoidfetchData(@RequestParamStringendpoint){StringBuildersb=newStringBuilder("https://example.com");sb.append(endpoint);// Bad: User input appended to base URL}
Compliant Code Examples
@RequestMapping("/safe-redirect")publicvoidsafeRedirect(@RequestParamStringpath)throwsMalformedURLException{StringbaseUrl="https://safe.example.com";URLnewUrl=newURL(baseUrl+URLEncoder.encode(path,"UTF-8"));// Good: User input only affects the path, not the host}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- java-security # Rules to enforce Java security.