zoukankan      html  css  js  c++  java
  • 关于SonarCloud检查到了Vulnerability

    关于SonarCloud检查到了Vulnerability

    Server-side requests should not be vulnerable to forging attacks

    User supplied(提供) data, such as URL parameters, POST data payloads(荷载), or cookies, should always be considered untrusted and tainted(受污染的). Performing(履行的) requests from user-controlled data could allow attackers to make arbitrary(任意的) requests on the internal network or to change their original meaning and thus(因此) to retrieve(找回) or delete sensitive information.

    The problem could be mitigated(减轻) in any of the following ways:

    • Validate the user provided data, such as the URL and headers, used to construct the request.
    • Redesign the application to not send requests based on user provided data.

    Noncompliant Code Example

    const request = require('request');
    
    function ssrf(req, res) {
      const url = req.query.url;
    
      request(url, callback); // Noncompliant
    }
    

    Compliant(应允的) Solution

    Validate the url with an allowlist:

    const request = require('request'); 
    
    function ssrf(req, res) {
      const url = req.query.url;
    
      if(url.startsWith("https://www.trustedwebsite.com/route/?query=")) {
        request(url, callback); // Compliant
      }
    }
    

    今天回过头来编辑这个错误,因为没有解决,所以我是在后端把restful Api形式改掉了. 什么是restful api呢? http://www.ruanyifeng.com/blog/2014/05/restful_api.html
  • 相关阅读:
    卓京---java基础2
    GuessFist
    猜拳 GuessFist
    GuessNum
    GuessNumber
    JetBrains全系列软件激活教程激活码以及JetBrains系列软件汉化包
    两个class 之间要空两行
    ImageField 字段的使用
    max_length 属性
    null,blank,default
  • 原文地址:https://www.cnblogs.com/hujesse4/p/15533412.html
Copyright © 2011-2022 走看看