I am fixing code against the code audit report. It says “PREVENT EXPOSURE OF SENSITIVE DATA” against the line having the syntax response.getWriter().write(xml.toString()). The whole code is below.
String alertId = request.getParameter("alertId") != null ? request.getParameter("alertId") : "";
String desc=AAAA.getBBBB(Long.parseLong(AAAA.getCCCC(alertId)));
StringBuffer xml = new StringBuffer();
xml.append("<?xml version=\"1.0\"?>");
xml.append("<parent>");
xml.append("<child>");
xml.append("<alertDesc>");
xml.append(desc);
xml.append("</alertDesc>");
xml.append("</child>");
xml.append("</parent>");
response.getWriter().write(xml.toString()); // ISSUE IN THIS LINE
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
I have done sufficient home work and can fix it for the XSS attack and used ESAPI for the same. But dont know how to fix this one. Please give suggestions
The report has the below message against the reported issue.
“Leakage of toString() result (“xml”) via web page”
after the day long r&d i found that the sax parser can help me in this case. it is actually a memory leakage at the StringBuffer.toString() syntax, due to which sensitive data is getting exposed and lost. but i dont know how to implement that. also at some place i found the use of StringBuilder() class instead of StringBuffer() class. Can anybody help me or give their valuable suggestions.
Thanks in advance.
Also I have the same issue for another type of the code. it is below.
StringBuffer content = (StringBuffer)file.get("content");
response.setContentLength((int)content.length());
response.getWriter().write(content.toString());
Again i dont know how to fix this one. THE issue is same leakage of sensitive data been reported by the tool.
The content.toString() needs to be properly validated. use ESAPI to validate it strictly. writing directly to response is really vulnerable and if if the data is output from a method having request as input then its twice vulnerable. major security issue.