Checkmarx complains: "Method changePassword defines oldPassword, which is designated to contain user passwords. However, while the plaintext password is later assigned to oldPassword, this variable is never cleared from memory." Is this a false positive?
@PutMapping(path = "/changepassword", produces = APPLICATION_JSON_VALUE)
public ResponseEntity<String> changePassword(@RequestBody UserUpdate user, HttpServletRequest request, HttpServletResponse response) {
    String uid = user.getId();
    String oldPassword = user.getOldPwrd(); // immutable String copy of the plaintext; this is the variable the scanner flags
    String newPassword = user.getPwrd();
    userDetails.changeUserPassword(uid, oldPassword, newPassword);
    return ResponseEntity.ok(SUCCESS);
}
Posted on 2022-11-26 20:21:59
Not storing passwords in immutable Strings, and using encrypted in-memory objects (such as SealedObject) instead, is a security best practice. This specialized class stores the data encrypted in memory and helps ensure it cannot easily be retrieved from memory.
@PutMapping(path = "/changepassword", produces = APPLICATION_JSON_VALUE)
public ResponseEntity<String> changePassword(@RequestBody UserUpdate user, HttpServletRequest request, HttpServletResponse response) {
    String uid = user.getId();
    // UserUpdate.getOldPwrd() and getPwrd() must now return SealedObject rather than String for this to compile
    SealedObject oldPassword = user.getOldPwrd();
    SealedObject newPassword = user.getPwrd();
    userDetails.changeUserPassword(uid, oldPassword, newPassword);
    return ResponseEntity.ok(SUCCESS);
}
You must change the changeUserPassword method to handle a SealedObject, which involves defining the cipher and key used for the encryption:
// input is the char[] holding the plaintext password
Key key = getKeyFromConfiguration();
Cipher c = Cipher.getInstance(CIPHER_NAME);
c.init(Cipher.ENCRYPT_MODE, key);
// Arrays.asList(input) on a char[] would yield a List<char[]>, so box the characters explicitly
List<Character> characterList = new ArrayList<>(input.length);
for (char ch : input) characterList.add(ch);
SealedObject password = new SealedObject((Serializable) characterList, c);
Arrays.fill(input, '\0'); // wipe the plaintext buffer once it has been sealed
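A complete, runnable version of the sealing flow the answer sketches, added here as an example; it is not code from the question or the answer. It assumes a per-process AES/GCM key generated at startup in place of getKeyFromConfiguration(), a hypothetical changeUserPassword that verifies and stores PBKDF2 hashes in an in-memory map, and a constructed salt; the user record and passwords are constructed test data. It also fixes the char[] boxing that Arrays.asList(char[]) gets wrong and shows where the plaintext copies are zeroed.

```java
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not code from the question or the answer: seal a char[] password into a
// SealedObject, unseal it only inside the service method, and zero every plaintext copy.
public class SealedPasswordExample {

    // Assumption: a per-process AES/GCM key stands in for getKeyFromConfiguration().
    private static final String CIPHER_NAME = "AES/GCM/NoPadding";
    private static final SecretKey KEY = newKey();

    // Assumption: PBKDF2 hashes in a map stand in for the real user store; the salt is
    // constructed for the demo (use a random per-user salt in practice).
    private static final Map<String, byte[]> STORED_HASHES = new HashMap<>();
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);

    private static SecretKey newKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Seal a char[] password. Arrays.asList(char[]) would give a List<char[]>, so the
    // characters are boxed one by one into a serializable ArrayList<Character>.
    static SealedObject seal(char[] plaintext) throws GeneralSecurityException, IOException {
        List<Character> chars = new ArrayList<>(plaintext.length);
        for (char ch : plaintext) chars.add(ch);
        Cipher c = Cipher.getInstance(CIPHER_NAME);
        c.init(Cipher.ENCRYPT_MODE, KEY);      // GCM mode draws a fresh random IV in init()
        SealedObject sealed = new SealedObject((Serializable) chars, c);
        Arrays.fill(plaintext, '\0');          // the caller's buffer is wiped here
        chars.clear();                         // the boxed Characters are unreachable until GC
        return sealed;
    }

    // Unseal into a fresh char[]. getObject(Key) rebuilds the cipher from the parameters
    // (including the IV) that the SealedObject recorded when it was created.
    @SuppressWarnings("unchecked")
    static char[] unseal(SealedObject sealed)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        List<Character> chars = (List<Character>) sealed.getObject(KEY);
        char[] out = new char[chars.size()];
        for (int i = 0; i < out.length; i++) out[i] = chars.get(i);
        return out;
    }

    // PBKDF2-HMAC-SHA256 of the password; PBEKeySpec takes a char[] and can be cleared.
    static byte[] hash(char[] password) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Hypothetical service method: plaintext exists only between unseal() and the
    // finally block, whether or not the old password verifies.
    static boolean changeUserPassword(String uid, SealedObject oldPassword, SealedObject newPassword)
            throws GeneralSecurityException, IOException, ClassNotFoundException {
        char[] oldPlain = unseal(oldPassword);
        char[] newPlain = unseal(newPassword);
        try {
            byte[] expected = STORED_HASHES.get(uid);
            if (expected == null || !MessageDigest.isEqual(expected, hash(oldPlain))) {
                return false;   // unknown user or wrong old password
            }
            STORED_HASHES.put(uid, hash(newPlain));
            return true;
        } finally {
            Arrays.fill(oldPlain, '\0');
            Arrays.fill(newPlain, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test data; toCharArray() is only for building the demo, a request
        // handler should receive the password as a char[] field rather than a String.
        char[] initial = "hunter2".toCharArray();
        STORED_HASHES.put("u1", hash(initial));
        Arrays.fill(initial, '\0');

        SealedObject oldPw = seal("hunter2".toCharArray());
        SealedObject newPw = seal("correct horse battery staple".toCharArray());
        System.out.println("first change succeeded: " + changeUserPassword("u1", oldPw, newPw));
        System.out.println("replay with stale old password succeeded: " + changeUserPassword("u1", oldPw, newPw));
    }
}
```

The first change succeeds and the replay fails, because the stored hash now belongs to the new password. Two caveats worth keeping in mind when applying this to the controller in the question: the JSON request body is parsed into the servlet container's and the JSON parser's own buffers before any setter runs, so sealing inside the handler only bounds the lifetime of copies made from that point on; and a SealedObject is only as protected as the key that unseals it, so the key must never sit next to the sealed objects in a heap dump (a KMS- or HSM-backed key, or at least a key not reachable from the request objects, is the goal).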
https://stackoverflow.com/questions/74476643