无法修复Microservices体系结构中使用API网关模式时出现的veracode cwe id 918缺陷(SSRF)
我在一个Micro services体系结构中使用Micro services,在这个体系结构中,Front End Angular app为我的API Gateway项目创建了一个HTTP request,这是一个简单的ASP.net Core 3.1 Web API项目。目前我只有两个micro services和一个API Gateway,它们都是ASP.net Core 3.1 Web API项目的类型。API Gateway项目拥有我的micro services的所有控制器。API Gateway的目的仅仅是接收来自Front end的请求,并将HTTP Request发送到适当的Micro service。
现在,在我的AccountController.cs的API Gateway项目中,我有以下代码
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
_uri = new Uri(uriString: $"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
using var result = await _client.GetAsync(_uri);
var content = await result.Content.ReadAsStringAsync();
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}在搜索了关于堆栈溢出的SSRF问题之后,我在Veracode群落上找到了以下建议。
Veracode静态分析将报告CWE 918的缺陷,如果它能够检测到来自应用程序外部的数据(例如来自用户的HTTP请求,但也可能是用户上传的文件、数据库数据、webservice数据等)能够更改网络请求的性质。
在堆栈过流上,我找到了以下修复程序
对于CWE ID 918,除非您有静态URL,否则很难让Veracode识别您的修复程序。您需要验证成为请求URL一部分的所有输入。
这意味着在将输入参数OrganizationId和AccountId附加到请求URL之前,必须对它们进行净化。
关于veracode群落的另一个问题是
Veracode静态分析作为修复此缺陷类别的唯一方法是将输入更改为硬编码
他们提出了一个查询字符串的解决方案。
给定的示例似乎采用了模型标识符,并将其放入内部请求中使用的URL中。我们建议根据您对此数据类型的规则验证ID (通常这应该是字母数字和小于255个字符),并在将其附加到URLencode之前对其进行验证。
在所有这些事情之后,我对我的代码做了以下更改
- 确保OrganizationId和AccountId Guid不是空的
- 对字符串进行编码的URL
以下是更改后的代码
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
if (organizationId != Guid.Empty && accountId != Guid.Empty)
{
string url = HttpUtility.UrlEncode($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
using var result = await _client.GetAsync(url);
var content = await result.Content.ReadAsStringAsync();
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}
return BadRequest();
}这是我所能做的,以净化我的输入参数OrganizationId和AccountId,但在所有这些更改之后,veracode仍然在线识别SSRF缺陷。
使用var结果=等待_client.GetAsync(url);
回答 1
Stack Overflow用户
发布于 2020-06-19 13:13:38
我找到了一个解决这个问题的黑客,我只是将查询字符串参数附加到httpClient的基本地址,veracode停止给我提供错误。
下面是解决方案的样子
/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
if (organizationId != Guid.Empty && accountId != Guid.Empty)
{
var httpClient = new HttpClient();
//Appended the parameters in base address to
//to fix veracode flaw issue
httpClient.BaseAddress = new Uri($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
//passing empty string in GetStringAsync to make sure
//veracode doesn't treat it like modifying url
var content = await httpClient.GetStringAsync("");
return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}
return BadRequest();
}https://stackoverflow.com/questions/62358911
复制相似问题
腾讯云开发者
