我在一个Micro services
体系结构中使用Micro services
,在这个体系结构中,Front End Angular app
为我的API Gateway
项目创建了一个HTTP request
,这是一个简单的ASP.net Core 3.1 Web API
项目。目前我只有两个micro services
和一个API Gateway
,它们都是ASP.net Core 3.1 Web API
项目的类型。API Gateway
项目拥有我的micro services
的所有控制器。API Gateway
的目的仅仅是接收来自Front end
的请求,并将HTTP Request
发送到适当的Micro service
。
现在,在我的AccountController.cs
的API Gateway
项目中,我有以下代码
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
_uri = new Uri(uriString: $"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
using var result = await _client.GetAsync(_uri);
var content = await result.Content.ReadAsStringAsync();
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}
在搜索了关于堆栈溢出的SSRF
问题之后,我在Veracode群落上找到了以下建议。
Veracode静态分析将报告CWE 918的缺陷,如果它能够检测到来自应用程序外部的数据(例如来自用户的HTTP请求,但也可能是用户上传的文件、数据库数据、webservice数据等)能够更改网络请求的性质。
在堆栈过流上,我找到了以下修复程序
对于CWE ID 918,除非您有静态URL,否则很难让Veracode识别您的修复程序。您需要验证成为请求URL一部分的所有输入。
这意味着在将输入参数OrganizationId
和AccountId
附加到请求URL之前,必须对它们进行净化。
关于veracode群落的另一个问题是
Veracode静态分析作为修复此缺陷类别的唯一方法是将输入更改为硬编码
他们提出了一个查询字符串的解决方案。
给定的示例似乎采用了模型标识符,并将其放入内部请求中使用的URL中。我们建议根据您对此数据类型的规则验证ID (通常这应该是字母数字和小于255个字符),并在将其附加到URLencode之前对其进行验证。
在所有这些事情之后,我对我的代码做了以下更改
以下是更改后的代码
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
if (organizationId != Guid.Empty && accountId != Guid.Empty)
{
string url = HttpUtility.UrlEncode($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
using var result = await _client.GetAsync(url);
var content = await result.Content.ReadAsStringAsync();
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}
return BadRequest();
}
这是我所能做的,以净化我的输入参数OrganizationId
和AccountId
,但在所有这些更改之后,veracode
仍然在线识别SSRF
缺陷。
使用var结果=等待_client.GetAsync(url);
发布于 2020-06-19 13:13:38
我找到了一个解决这个问题的黑客,我只是将查询字符串参数附加到httpClient的基本地址,veracode
停止给我提供错误。
下面是解决方案的样子
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
if (organizationId != Guid.Empty && accountId != Guid.Empty)
{
var httpClient = new HttpClient();
//Appended the parameters in base address to
//to fix veracode flaw issue
httpClient.BaseAddress = new Uri($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
//passing empty string in GetStringAsync to make sure
//veracode doesn't treat it like modifying url
var content = await httpClient.GetStringAsync("");
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}
return BadRequest();
}
https://stackoverflow.com/questions/62358911
复制相似问题