Our controller looks like this:
    public ResponseEntity<ServiceResponse<List<String>>> getItemIdentifiers(
            @RequestParam(required = true) String category_,
            @RequestParam(required = true) String calendarYear_,
            @RequestParam(required = false) String season_,
            @RequestParam(required = false) Long supplierId,
            @RequestParam(required = false) String itemDescription_,
            @RequestHeader String tenantId
    ) {
        String category = HtmlUtils.htmlEscape(category_); // this I've done to avoid vulnerability
        String calendarYear = HtmlUtils.htmlEscape(calendarYear_);
        // the optional params may be null; HtmlUtils.htmlEscape(null) throws, so guard them
        String season = season_ == null ? null : HtmlUtils.htmlEscape(season_);
        String itemDescription = itemDescription_ == null ? null : HtmlUtils.htmlEscape(itemDescription_);
        List<String> quoteSearchResponseItem = btrcService.getItemIdentifiers(category, calendarYear, season, supplierId, itemDescription);
        ServiceResponse<List<String>> serviceResponse = ServiceResponseBuilder.get(quoteSearchResponseItem);
        return ResponseEntity.ok(serviceResponse);
    }
But I'm still getting this exception on codegate:
The application sends a request to a remote server, for some resource, using exchange in src\main\java\com\walmart\sams\services\allocation\configuration\service\BTRCService.java:45. However, an attacker can control the target of the request, by sending a URL or other data in season_ at src\main\java\com\walmart\sams\services\allocation\configuration\controller\BTRCApiController.java:31.
Similarity ID: -1246383384
The application sends a request to a remote server, for some resource, using exchange in src\main\java\com\walmart\sams\services\allocation\configuration\service\BTRCService.java:45. However, an attacker can control the target of the request, by sending a URL or other data in calendarYear_ at src\main\java\com\walmart\sams\services\allocation\configuration\controller\BTRCApiController.java:30.
Similarity ID: 574151291 --> Query Name : SSRF
etc. for category_, calendarYear_, season_ and itemDescription_. Please suggest a fix for this. The service method in turn calls RestTemplate, passing these values as params to the RestTemplate exchange method. Using Spring 3.x, Java 17.
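The pattern the scanner is objecting to is that request parameters flow, untouched in any way a taint tracker recognises, into the URL passed to RestTemplate.exchange. HtmlUtils.htmlEscape is an output encoder for HTML contexts; it does not constrain what a string can do inside a URL, so it neither removes the SSRF risk nor counts as a sanitizer for that query. The usual remediation is to (a) validate each value against a closed vocabulary or a strict pattern before use and (b) only ever place the values into query parameters of a URI whose scheme, host and path are fixed constants. The following is an added example written for this page, not the asker's service code; the base URL, the allowed categories and seasons, the year and description patterns and the ItemIdentifierClient class name are all assumptions made up for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

public class ItemIdentifierClient {

    // Hypothetical fixed upstream endpoint. In a real service this comes from configuration,
    // never from anything in the incoming request.
    private static final URI BASE = URI.create("https://items.internal.example/api/v1/item-identifiers");

    // Constructed allowlists and patterns; the real vocabularies belong to the application.
    private static final Set<String> ALLOWED_CATEGORIES = Set.of("APPAREL", "GROCERY", "ELECTRONICS");
    private static final Set<String> ALLOWED_SEASONS = Set.of("SPRING", "SUMMER", "FALL", "WINTER");
    private static final Pattern CALENDAR_YEAR = Pattern.compile("^(19|20)\\d{2}$");
    private static final Pattern ITEM_DESCRIPTION = Pattern.compile("^[A-Za-z0-9 .,'-]{1,100}$");

    private final RestTemplate restTemplate;

    public ItemIdentifierClient(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    public List<String> getItemIdentifiers(String category, String calendarYear, String season,
                                           Long supplierId, String itemDescription, String tenantId) {
        // 1. Reject anything outside the expected shape before it gets near the URL.
        requireAllowed(category, ALLOWED_CATEGORIES, "category");
        requireMatch(calendarYear, CALENDAR_YEAR, "calendarYear");
        if (season != null) {
            requireAllowed(season, ALLOWED_SEASONS, "season");
        }
        if (itemDescription != null) {
            requireMatch(itemDescription, ITEM_DESCRIPTION, "itemDescription");
        }

        // 2. Caller-supplied values become query parameters only. Scheme, host and path are
        //    the constant BASE, so no parameter can change where the request goes.
        UriComponentsBuilder builder = UriComponentsBuilder.fromUri(BASE)
                .queryParam("category", category)
                .queryParam("calendarYear", calendarYear);
        if (season != null) {
            builder.queryParam("season", season);
        }
        if (supplierId != null) {
            builder.queryParam("supplierId", supplierId);
        }
        if (itemDescription != null) {
            builder.queryParam("itemDescription", itemDescription);
        }
        URI target = builder.encode().build().toUri();

        // 3. Belt and braces: fail closed if the built URI somehow no longer points at BASE.
        if (!BASE.getHost().equals(target.getHost()) || !BASE.getPath().equals(target.getPath())) {
            throw new IllegalStateException("outbound request target drifted from configured base");
        }

        HttpHeaders headers = new HttpHeaders();
        headers.set("tenantId", tenantId);
        ResponseEntity<List<String>> response = restTemplate.exchange(
                target,
                HttpMethod.GET,
                new HttpEntity<>(headers),
                new ParameterizedTypeReference<List<String>>() {});
        return response.getBody();
    }

    private static void requireAllowed(String value, Set<String> allowed, String name) {
        if (value == null || !allowed.contains(value)) {
            throw new IllegalArgumentException("invalid " + name);
        }
    }

    private static void requireMatch(String value, Pattern pattern, String name) {
        if (value == null || !pattern.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + name);
        }
    }
}
```

The controller would call this with the raw request parameters and let the IllegalArgumentException map to a 400; the htmlEscape calls can then be dropped, since the values are never rendered into HTML here. Validation against a closed set or anchored regex is what actually removes the risk; the fixed-base check is cheap insurance against a future refactor that starts concatenating strings. Whether a given static analyser clears the finding depends on whether it recognises this validation as a sanitizer for its SSRF query, which is a scanner-configuration question rather than a code one.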