Commit 771a1889 authored by bhill6@wisc.edu's avatar bhill6@wisc.edu

fix for CWE-93 issue in sample code raised by SAST

parent 79eec30f
1 merge request!36Dependency updates to eliminate vulnerabilities discovered by dependency-check
...@@ -96,6 +96,10 @@ public class DemonstrationOnlyPreAuthenticationConfiguration { ...@@ -96,6 +96,10 @@ public class DemonstrationOnlyPreAuthenticationConfiguration {
HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletRequest httpRequest = (HttpServletRequest) request;
String uri = httpRequest.getRequestURI(); String uri = httpRequest.getRequestURI();
String param = httpRequest.getParameter("_ignorepreauth"); String param = httpRequest.getParameter("_ignorepreauth");
// remove CRLF to avoid CWE-93
uri = (uri!=null) ? uri.replaceAll("([\\r\\n])", " ") : null;
param = (param!=null) ? param.replace("([\\r\\n])","") : null;
logger.debug("uri={}, param={}", uri, param); logger.debug("uri={}, param={}", uri, param);
if(null != param || IGNORED.contains(uri)) { if(null != param || IGNORED.contains(uri)) {
logger.info("skipping PreAuthenticationSimulationServletFilter, either due to '_ignorepreauth' or visiting ignore uri"); logger.info("skipping PreAuthenticationSimulationServletFilter, either due to '_ignorepreauth' or visiting ignore uri");
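Review bot: The sanitization of `param` does not do what the comment says: `String.replace(CharSequence, CharSequence)` is a literal replacement, so `param.replace("([\\r\\n])","")` only strips the exact eleven-character text `([\r\n])` and leaves actual CR/LF bytes in the value that is then logged on the `logger.debug` line, which means the CWE-93 finding is fixed only for `uri`. Use the regex variant, consistent with the line above: `param = (param!=null) ? param.replaceAll("[\\r\\n]", "") : null;` (the capturing group on the `uri` line is unnecessary and can be dropped the same way). It is also worth deciding whether both values should be neutralised the same way — `uri` replaces line breaks with a space while `param` removes them — and stating the choice in the comment, e.g. `// neutralise CR/LF before logging (CWE-93); only the presence of _ignorepreauth matters, so its content is stripped`. Note that `uri` is sanitised before the `IGNORED.contains(uri)` check, so the lookup now sees the rewritten value; that looks harmless for normal request URIs but should be confirmed. The enclosing doFilter-style method begins and ends outside this hunk.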