此代码:
InternetAddress[] myAdrs = getAdrs(message.getToAddresses());
for (int i = 0; i < myAdrs.length; i++) {
String s = myAdrs[i].getAddress();
s = s.replace("r","").replace("n","").replace("%0A","").replace("%0a","").replace("%0D","").replace("%0d","");
InternetAddress adr = new InternetAddress( s, false );
// --> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
lMessage.addRecipient(Message.RecipientType.TO, adr);
}
仍然给我CWE ID 93,尽管我删除了s = s. replace的S = S.replace的任何不需要的字符串( r ....在示例中,我找到了一个网络,s = replace应该是解决方案,但我仍然有这个缺陷吗?我想念什么?任何提示都将不胜感激!
我面对这种情况时,当VeraCode不接受手工解决方案(例如使用字符串capeutils和简单替换方法)时。尝试ESAPI库。Veracode通常接受ESAPI作为击败漏洞的信任工具。例如:
//need to handle ValidationException
String s = ESAPI.validator().getValidInput("User Email", myAdrs[i].getAddress(), "Email", 255, true);
InternetAddress adr = new InternetAddress( s, false );
并将Regex测试您的电子邮件中验证。Properties(或您在ESAPI.properties文件中指定为Validator.ConfigurationFile=validation.properties中指定的其他文件)文件为Validation.Email属性。例如:
Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,6}$