veracode

问题 After performing Vera code scan on my code, a flaw was reported saying " Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting - CWE ID 113') on the below code. public void writeCookies() { for (final Cookie cookie : cookies) { super.addCookie(cookie); } The flaw code reported is super.addCookie(cookie). To fix this I added below code public void writeCookies() { for (final Cookie cookie : cookies) { cookie.setSecure(true); ESAPI.httpUtilities().addCookie((

问题 I read on some forums the myth that it is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue by doing something like this. Can somebody confirm if this is the case or not ? message.replaceAll("\r", "_").replaceAll("\n", "_"); From this topic How to fix Veracode CWE 117 (Improper Output Neutralization for Logs) , I understand that I need to do something like this ESAPI.encoder().encodeForHTML(message); 回答1: The message needs to be escaped for the context which

问题 I have a web form application and also an Web Api application hosted in different servers. For all CRUD operations the Web Form application uses the API. To call the API from web form app I have created a generic API requesting method using WebRequest Class. Things are working fine but when we scan the code using Veracode I am getting SSRF Server Side Request Forgery issue. I googled and some folks said to add validation to the request uri, I tried all the validations but Veracode is throwing

问题 We recently run VeraCode that points out on the following method: public XmlElement RunProcedureXmlElement(string Procedure, List<SqlParameter> Parameters) { DataSet ds = RunProcedureDataSet(Procedure, Parameters); XmlDocument xmlDoc = new XmlDocument(); StringBuilder strXML = new StringBuilder(); foreach (DataTable dt in ds.Tables) { foreach (DataRow dr in dt.Rows) { strXML.Append(dr[0]); // Do I still need .ToString()??? } } if (strXML.Length == 0) strXML.Append("<root total=\"0\"></root>")

问题 I have a CWE 117 issue reported in my Product. CWE 117 issue is that the software does not properly sanitize or incorrectly sanitizes output that is written to logs and one possible solution i got was to add the following while logging. String clean = args[1].replace('\n', '_').replace('\r', '_'); log.info(clean); My question is whether there is any central place in log4j where a single change can solve this issue? 回答1: It is the Layout that is responsible for serializing the log message, and

问题 I am using API Gateway Pattern in a Micro services architecture in which the Front End Angular app makes an HTTP request to my API Gateway project which is simply a ASP.net Core 3.1 Web API project. Currently I only have 2 micro services and an API Gateway and all of them are of type ASP.net Core 3.1 Web API project. The API Gateway project has all the controllers of my micro services . The purpose of the API Gateway is just to receive the request from Front end and make an HTTP Request to

来源： https://stackoverflow.com/questions/31258393/veracode-insecure-temporary-file-error-when-using-java-io-file-createtempfile

来源： https://stackoverflow.com/questions/31258393/veracode-insecure-temporary-file-error-when-using-java-io-file-createtempfile

来源： https://stackoverflow.com/questions/31258393/veracode-insecure-temporary-file-error-when-using-java-io-file-createtempfile

问题 Long story short, no matter what I try VeraCode continues to flag 8 lines of my code as flaws with CWE 918. This is old code so I'm not sure why it's suddenly being flagged. Here's an example [offending] method with the flagged line in bold public virtual async Task<HttpResponseMessage> Put(string controller = "", Dictionary<string, object> parameters = null, object body = null) { if (string.IsNullOrWhiteSpace(ApiBaseUrl)) return null; HttpResponseMessage response = null; using (var client =