我正在尝试修复 HP Fortify Scan 针对此代码返回的“Header Manipulation”问题。我不知道文件在上传过程中是否已经过验证(我认为没有)。我尝试使用 RegEx 来验证文件名但没有成功。 任何人都可以帮助我吗?
b = uploadedFiles.getFilecontent().getBytes(1,
uploadedFiles.getFilesize().intValue());
if (b != null) {
response.reset();
String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}
我尝试过的:
String fileName = uploadedFiles.getFilename();
String regex = "[a-zA-Z._ ]*";
if (b != null && fileName.matches(regex)) {
response.reset();
// String fileName = uploadedFiles.getFilename();
String header = "attachment; filename=\"" + fileName + "\"";
String contentType = uploadedFiles.getFilecontenttype();
response.setContentType(uploadedFiles.getFilecontenttype());
response.addHeader("Content-Transfer-Encoding", "Binary");
response.addHeader("Cache-Control", "must-revalidate, private");
response.setHeader("Content-Disposition", header);
response.setContentLength(b.length);
FileCopyUtils.copy(b, response.getOutputStream());
response.getOutputStream().flush();
response.getOutputStream().close();
}
最佳答案
通过使用 RestTemplate 和使用 HttpHeader 作为授权 header ,下面的代码能够解决 header 操作问题。
import org.apache.commons.lang3.StringUtils;
RestTemplate restTemplate = new RestTemplate();
HttpHeaders headersNew = new HttpHeaders();
//Below 2 Line solve the problem
String sanitizedToken = StringUtils.normalizeSpace(yourJwtToken);
headersNew.setBearerAuth(sanitizedToken); //This line where fortify reporting issue earlier
String url ="Your url";
HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(null, headersNew);
ResponseEntity<Object> response =
restTemplate.exchange(url,
HttpMethod.GET,
entity,
Object.class);
关于java - HTTP 响应中 HP Fortify 的 header 操作问题 [java],我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38523430/