Home > other >  CEW 73 Veracode - How to fix flaws of the type CWE 73 External Control of File Name or Path with the
CEW 73 Veracode - How to fix flaws of the type CWE 73 External Control of File Name or Path with the

Time:09-17

I am retrieving Query String from the HttpServletRquest (in Java).

String QueryParameters = httpServletRequest.getQueryString();

Veracode consider this as a flaw,

I tried to validate this query string with Recommended OWASP ESAPI Validator methods, but none of them is working and the scan still identifies it as a flaw.

example :

String QueryParameters = ESAPI.validator().getValidInput("Page",httpServletRequest.getQueryString(),"QueryStringRegEx",false);

QueryStringRegEx is the Regular Expression against which QueryString is getting validated

CodePudding user response:

I don't know this for a 100% fact, but I think that Veracode (as well as other SAST engines) only remove an XSS taint flag for the ESAPI Encoders but not for the ESAPI Validators. Given the limited scope and context here, I cannot tell whether or not it is safe. (It largely depends on your regex and ether this can be combined with other tainted user input that is being checked elsewhere.)

If you feel it is correct, discuss it with your security team and/or challenge it as a false positive.

  • Related