I have the following code and Fortify reports a resource injection issue at copyMessages().
I don't know how to fix this?
Abstract: Attackers are able to control the resource identifier argument to copyMessages() at MailboxProcessorServiceImpl.java line 77, which could enable them to access or modify otherwise protected system resources.
FileName:
LineNo: 77
Sink: javax.mail.Folder.copyMessages()
    import java.io.InputStream;
    import java.util.Map;
    import javax.mail.Flags;
    import javax.mail.Folder;
    import javax.mail.Message;
    import javax.mail.MessagingException;
    import javax.mail.search.FlagTerm;
    import org.springframework.util.CollectionUtils; // assumed: isEmpty(Map) matches Spring's signature

    // Fragment of MailboxProcessorServiceImpl; mailUtil, log, store,
    // getAttachments() and saveAndProcessAttachment() are the class's own members.
    Folder inboxFolder = mailUtil.openFolder(store, "INBOX");
    Folder processedFolder = mailUtil.openFolder(store, "Processed");
    try {
        Flags flaggedFlags = new Flags(Flags.Flag.FLAGGED);
        Flags deletedFlags = new Flags(Flags.Flag.DELETED);
        // Messages that are not yet FLAGGED are the ones still to be processed
        Message[] msgs = inboxFolder.search(new FlagTerm(flaggedFlags, false));
        log.info("# of new Emails received: " + Integer.toString(msgs.length));
        if (msgs.length > 0) {
            for (Message msg : msgs) {
                log.info(msg.getSubject());
                Map<String, InputStream> mis = getAttachments(msg);
                if (!CollectionUtils.isEmpty(mis))
                    saveAndProcessAttachment(mis, msg);
                Message[] processedMsgs = { msg };
                if (processedMsgs.length > 0) {
                    // Line 77: the sink Fortify reports. The destination folder
                    // comes from the store / folder-name arguments opened above.
                    inboxFolder.copyMessages(processedMsgs, processedFolder);
                }
                msg.setFlags(deletedFlags, true);
            }
        }
        inboxFolder.close(true);   // expunge the messages just flagged DELETED
        processedFolder.close();
    } catch (MessagingException e) {
        log.error("mailbox processing failed", e);
    }
Best answer
I think the resource injection issue is reported because of the "store" parameter. It determines the resource location where your processed messages will be stored, and it seems this parameter is taken from an untrusted source. Maybe from a request parameter?
So imagine someone gives you a "store" parameter like "../../somewhere". A user can do this with any other client, not only your front-end application, which would never allow that.
Usually you should take the location from a trusted source, or sanitize the input parameter and tell the scanning tool that you have sanitized it. For example, allow only alphanumeric characters.
Does this help?
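One way to apply the answer's two suggestions (a trusted allowlist plus an alphanumeric-only rule) before the folder name reaches openFolder()/copyMessages(). This is an added example, not code from the question or the answer; the class name FolderNames and the idea that the folder name arrives as a request parameter are assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example (hypothetical class): validate an untrusted folder name
// before it is used as the destination of copyMessages().
public final class FolderNames {
    // Trusted source: the only mailbox folders this service may touch.
    private static final Set<String> ALLOWED = Set.of("INBOX", "Processed");
    // Sanitization rule from the answer: alphanumeric characters only, which
    // rejects path-style values such as "../../somewhere" outright.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9]{1,64}");

    private FolderNames() {}

    /**
     * Returns the allowlist's own constant for the requested folder, or throws.
     * Returning the constant rather than the request string means the value
     * that reaches copyMessages() is a literal from this class, not data
     * flowing from the request, which is what dataflow scanners track.
     */
    public static String requireAllowed(String requested) {
        if (requested == null || !SAFE.matcher(requested).matches()) {
            throw new IllegalArgumentException("folder name contains disallowed characters");
        }
        for (String allowed : ALLOWED) {
            if (allowed.equals(requested)) {
                return allowed;
            }
        }
        throw new IllegalArgumentException("folder is not on the allowlist: " + requested);
    }

    public static void main(String[] args) {
        System.out.println(requireAllowed("Processed"));        // Processed
        try {
            requireAllowed("../../somewhere");                  // rejected by SAFE
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the service, the destination folder would then be opened as `mailUtil.openFolder(store, FolderNames.requireAllowed(requestedName))`, where requestedName is the assumed request parameter.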
Regarding java - Fortify: Resource Injection, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61141966/