code-injection

Spring No unique bean of type

泄露秘密 posted on 2019-12-05 03:01:08
I have a little trouble in Spring with two components of a service. I have this component: @Component public class SmartCardWrapper and this one: @Component public class DummySmartCardWrapper extends SmartCardWrapper The service autowires both, but Spring fails due to this exception: org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [com.cinebot.smartcard.SmartCardWrapper] is defined: expected single matching bean but found 2: [dummySmartCardWrapper, smartCardWrapper] Why doesn't it use class names? That's one of the most basic concepts of Spring - Inversion of

security flaw - veracode report - crlf injection

末鹿安然 posted on 2019-12-05 02:47:41
I got the Veracode report for my JavaEE app. It had a flaw at any logging (using log4j), so I added StringEscapeUtils.escapeJava(log) to all of them, but Veracode keeps reporting them as security flaws. Is this the right solution? What else can I do? This is the report info: Title: Improper Output Neutralization for Logs Description: A function call could result in a log forging attack. Writing unsanitized user-supplied data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a

Using CDI Injection in a Servlet

狂风中的少年 posted on 2019-12-05 02:42:19
I am attempting to @Inject a @SessionScoped bean into a Filter @WebFilter("/*") public class IdentityFilter implements Filter, Serializable { @Inject private LoginUser loginUser; ... where LoginUser is @SessionScoped The intention is for loginUser to represent the logged in user for the session. The problem is it appears that I am not always getting the loginUser from the current session, I am getting 'leakage' between sessions as one session's LoginUser object is being shared with another session. Obviously this isn't good. I am wondering if this is because the Filter object is a singleton,

Constructor injection with other, non-dependency, constructor arguments

偶尔善良 posted on 2019-12-05 01:49:50
I'm new to IOC containers, and I'm getting started with NInject. What do you do if you want your constructor to have parameters that are not services and don't need to be instantiated by the IOC container? For example: public class Person { private readonly string _name; private readonly IPersonRepository _repository; public Person(string name, IPersonRepository repository) { _name = name; _repository = repository; } ...... } Imagine that name is a requirement of the Person class, so, to ensure that a Person always has a name, we require that it be passed in to the constructor. How would we

Angularjs - how to correct inject service from another module that is not depending?

痞子三分冷 posted on 2019-12-05 01:41:48
I didn't understand how module dependencies work. I have 3 modules, they are dependent on each other, as shown in the picture. "App" module includes "module1" and "module2". "module2" includes "core" module. The source is on Plunker. angular.module("core", []).factory("HelloWorld", function() { return function () { alert('Hello World!') } }); angular.module("module1", []).controller("main", function(HelloWorld){ HelloWorld(); }); angular.module("module2", ["core"]); angular.module("app", ["module1", "module2"]); If I inject the service from module core into module "module1" it works fine. But

Is it possible to inject a list of resolved objects into a constructor using Autofac?

生来就可爱ヽ(ⅴ<●) posted on 2019-12-05 00:38:22
I'm new to Autofac (3) and am using it to find a number of classes in several assemblies that implement IRecognizer. So I have: builder.RegisterAssemblyTypes(AppDomain.CurrentDomain.GetAssemblies()).As<IRecognizer>(); which is fine. But I'd like to inject references to the found components into a constructor - sort of: public Detector(List<IRecognizer> recognizers) { this.Recognizers = recognizers; } Is there any way to do this? nemesv Autofac supports the IEnumerable<T> as a relationship type: For example, when Autofac is injecting a constructor parameter of type IEnumerable<ITask> it will

mongoDB injection

纵饮孤独 posted on 2019-12-05 00:09:05
Is there a common pattern in Java to avoid MongoDB injection attacks? Thanks Use one of the supported drivers. Don't deserialize strings as JSON and pass them as queries, e.g. don't do this (in Ruby): collection.send(query_type, JSON.parse(parameters)) where query_type and parameters are strings coming from a form. You would have to be criminally stupid to do this though. Since there's no query language as such there's not the same room for injection. Part of the reason that SQL injection attacks are possible is that the action to take ( SELECT , UPDATE , DELETE , etc.) is part of the query

NoSQL Injection? (PHP->phpcassa->Cassandra)

陌路散爱 posted on 2019-12-04 23:42:59
Anyone familiar enough with the Cassandra engine (via PHP using phpcassa lib) to know offhand whether there's a corollary to the sql-injection attack vector? If so, has anyone taken a stab at establishing best practices to thwart them? If not, would anyone like to ; ) No. The Thrift layer used by phpcassa is an rpc framework, not based on string parsing. An update - Cassandra v0.8 introduced CQL , which might have brought with it the possibility of injection attacks. However: Prepared statements were then introduced in Cassandra v1.1.0, which help to prevent such attacks. Furthermore, see this

CreateRemoteThread returning ERROR_ACCESS_DENIED - Windows 7 DLL Injection

坚强是说给别人听的谎言 posted on 2019-12-04 21:14:28
Question: I'm trying to write a program that uses CreateRemoteThread to inject a dll. The problem is that CreateRemoteThread is refusing to work. GetLastError() is returning 5 which is ERROR_ACCESS_DENIED. I can't figure out why! I am working from this video http://www.youtube.com/watch?v=H3O3hmXkt1I . #include <iostream> #include <direct.h> #include <Windows.h> #include <TlHelp32.h> using namespace std; char* GetCurrentDir() { char* szRet = (char*)malloc(MAX_PATH); _getcwd(szRet, MAX_PATH); return szRet; }

Safely evaluating arithmetic expressions in R?

﹥>﹥吖頭↗ posted on 2019-12-04 21:08:17
Question: Edit: OK, since there seems to be a lot of confusion, I'm going to simplify the question a little. You can try to answer the original question below, or you can tackle this version instead and ignore everything below the line. My goal is to take an arbitrary expression and evaluate it in an extremely restricted environment. This environment will contain only variables with the following types of values: Numeric vectors Pure functions that take one or more numeric vectors and return numeric