CODEWITHSUNDEEP
javasecuritybluemix-app-scan
Siddhu
Siddhu

Reputation: 1

Appscan Validation.Required issue in java

I ran appScan on my application. I can see most of the Validation.Required issues for String objects. But, not sure what validation the appscan is expecting here. we have tried with null and empty check still there is no use. Please any one let me know what validation appscan expects on a string object.

    String tableName = this.request.getParameter(TABLE_NAME);

session.setAttribute(tableName + "_" + parentTableName + "_editColumnMap", editableColumnsMap);

Please let me know if you need any more information

Upvotes: 0

Views: 4304

Answers (2)

VGR
VGR

Reputation: 44318

“Validation.Required” means you are using a value supplied by an end user, which is not under the control of your own application. A malicious end user could supply a huge value that your program would then store, causing memory and performance issues.

The solution is simply to limit the length to something reasonable:

String tableName = this.request.getParameter(TABLE_NAME);

// There is no valid reason for a table name to be
// larger than 200 characters.
if (tableName.length() > 200) {
    throw new RuntimeException(
        "Request parameter '" + TABLE_NAME + "' is too long.");
}

Upvotes: 0

S.Wang
S.Wang

Reputation: 9

The major goal of mitigating Validatoin.required finding is to validate against malicious input. Check in your code if any variable can be set to a value that can be controlled by a malicious user. Any input taking from outside of your system should be validated or sanitized using white-listing: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#White_List_Input_Validation

Upvotes: 0

Related Questions