# CodeQL security alerts for springboot


hearty veldt
#

Hi everyone, I was given a task to fix some security alerts with CodeQL and was having a bit of trouble. Would love it if someone could help me resolve the alerts without making major changes to the code that might break the servers.

Unsafe hostVerifier

HttpsURLConnection.setDefaultHostnameVerifier((hostname, sslSession) -> true);

From what I read the method is used to stop MITM attacks; however, the code is only used to ensure that the code runs when all hostVerifiers are in use without being passed a hostname or sslSession. How can I change the code to remove the error and keep that functionality?

Cross-site scripting

public ResponseEntity<String> tracker(@RequestParam String startDate, @RequestParam String endDate) {
    return new ResponseEntity<>(trackingService.trackingData(startDate, endDate), HttpStatus.OK);
}

ResponseEntity<String> response = restTemplate.exchange(actualRequest, String.class);
mockWebService.save(actualRequest, endpoint, response);
LOGGER.info("MockResourse.recorder({})->End", endpoint.toString());
return response;

Seems like startDate, endDate, and response are giving the error. What's the best way to sanitize the input to prevent XSS attacks?
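As an added example (not the poster's code or any project's code), the following shows how the two alerts above are typically resolved in a Spring Boot service: the unconditional hostname verifier is either deleted or narrowed to an explicit allowlist on a single connection, and the tracker endpoint validates its date parameters, declares a non-HTML content type and HTML-escapes the echoed body. `TrackingService`, `TEST_HOSTS` and the request paths are assumed placeholders; `HttpsURLConnection`, `ResponseEntity` and `HtmlUtils` are the real JDK/Spring APIs.

```java
// Added example, not the original poster's code. Names marked "assumed"
// are placeholders; the JDK and Spring classes imported below are real.
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

public final class CodeQlAlertFixes {

    /* ---- Alert 1: unsafe HostnameVerifier ------------------------------ */

    // Before (what CodeQL flags): every certificate is accepted for every host,
    // so a man-in-the-middle presenting any CA-signed certificate is trusted.
    static void insecureGlobalVerifier() {
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, sslSession) -> true);
    }

    // After, option A: simply delete the override. The JDK default verifier is
    // already used for every connection, with the hostname and session supplied
    // by the runtime; nothing has to be configured for it to "run".

    // After, option B: if a test harness really must reach a local mock server
    // whose certificate name does not match, scope the exception to an explicit
    // allowlist (assumed values) and install it on that one connection, not
    // process-wide. Every other host still goes through the delegate.
    static final Set<String> TEST_HOSTS = Set.of("localhost", "127.0.0.1"); // assumed

    static HostnameVerifier allowlistedVerifier(HostnameVerifier delegate) {
        return (hostname, sslSession) ->
                TEST_HOSTS.contains(hostname) || delegate.verify(hostname, sslSession);
    }
    // usage on a single connection (assumed 'url'):
    //   HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    //   conn.setHostnameVerifier(allowlistedVerifier(HttpsURLConnection.getDefaultHostnameVerifier()));

    /* ---- Alert 2: reflected XSS ---------------------------------------- */

    interface TrackingService {                       // assumed service type
        String trackingData(String startDate, String endDate);
    }

    @RestController
    public static class TrackerController {
        private final TrackingService trackingService;

        public TrackerController(TrackingService trackingService) {
            this.trackingService = trackingService;
        }

        // Before (flagged): request parameters flow straight into a response
        // body with no declared content type, so a browser may render it as HTML.
        @GetMapping("/tracker")                        // assumed path
        public ResponseEntity<String> tracker(@RequestParam String startDate,
                                              @RequestParam String endDate) {
            return new ResponseEntity<>(trackingService.trackingData(startDate, endDate), HttpStatus.OK);
        }

        // After: validate the parameters against the shape they must have (an
        // ISO date cannot carry markup), declare a non-HTML content type, and
        // HTML-escape the body with Spring's standard sanitizer.
        @GetMapping("/tracker-safe")                   // assumed path
        public ResponseEntity<String> trackerSafe(@RequestParam String startDate,
                                                  @RequestParam String endDate) {
            LocalDate start;
            LocalDate end;
            try {
                start = LocalDate.parse(startDate);   // e.g. 2024-01-31
                end = LocalDate.parse(endDate);
            } catch (DateTimeParseException e) {
                return ResponseEntity.badRequest()
                        .contentType(MediaType.TEXT_PLAIN)
                        .body("startDate and endDate must be ISO-8601 dates");
            }
            String data = trackingService.trackingData(start.toString(), end.toString());
            return ResponseEntity.ok()
                    .contentType(MediaType.TEXT_PLAIN)
                    .body(HtmlUtils.htmlEscape(data));
        }
    }

    // For the recorder snippet: the body returned by RestTemplate is itself
    // remote input. Re-wrap it with an explicit content type and escaped body
    // instead of passing the upstream ResponseEntity straight through.
    static ResponseEntity<String> asEscapedPlainText(ResponseEntity<String> upstream) {
        String body = upstream.getBody() == null ? "" : HtmlUtils.htmlEscape(upstream.getBody());
        return ResponseEntity.status(upstream.getStatusCode())
                .contentType(MediaType.TEXT_PLAIN)
                .body(body);
    }
}
```

Two caveats for the recorder case: if the upstream body is JSON consumed by a non-browser client, HTML-escaping would corrupt it, and the right change is to declare `MediaType.APPLICATION_JSON` and leave the body as-is; and option B above is only a stop-gap for test environments, since issuing the mock server a certificate for the name it is actually reached by removes the need for any verifier exception at all.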

ruby kettleBOT
#

<@&1004656351647117403> please have a look, thanks.

hearty veldt
#

CodeQL security alerts for springboot

hearty veldt
#

Hi, bumping this thread if anyone wants to take a look.

ruby kettleBOT
#

@hearty veldt

Your question has been closed due to inactivity.

If it was not resolved yet, feel free to just post a message below
to reopen it, or create a new thread.

Note that usually the reason for nobody calling back is that your
question may have been not well asked and hence no one felt confident
enough answering.

When you reopen the thread, try to use your time to improve the quality
of the question by elaborating, providing details, context, all relevant code
snippets, any errors you are getting, concrete examples and perhaps also some
screenshots. Share your attempt, explain the expected results and compare
them to the current results.

Also try to make the information easily accessible by sharing code
or assignment descriptions directly on Discord, not behind a link or
PDF-file; provide some guidance for long code snippets and ensure
the code is well formatted and has syntax highlighting. Kindly read through
https://stackoverflow.com/help/how-to-ask for more.

With enough info, someone knows the answer for sure 👍

hearty veldt
#

Hi, still looking for help regarding this issue.

ruby kettleBOT
#

@hearty veldt

Your question has been closed due to inactivity.

If it was not resolved yet, feel free to just post a message below
to reopen it, or create a new thread.

Note that usually the reason for nobody calling back is that your
question may have been not well asked and hence no one felt confident
enough answering.

When you reopen the thread, try to use your time to improve the quality
of the question by elaborating, providing details, context, all relevant code
snippets, any errors you are getting, concrete examples and perhaps also some
screenshots. Share your attempt, explain the expected results and compare
them to the current results.

Also try to make the information easily accessible by sharing code
or assignment descriptions directly on Discord, not behind a link or
PDF-file; provide some guidance for long code snippets and ensure
the code is well formatted and has syntax highlighting. Kindly read through
https://stackoverflow.com/help/how-to-ask for more.

With enough info, someone knows the answer for sure 👍

hearty veldt
#

Hi, still looking for help if possible.

tight bough
#

I am a bit confused: why do you need to disable SSL host verification?