Home/ Questions/Q 8158433
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T17:35:48+00:00

I am fixing issues against the code audit report for my module. The issue

  • 0

I am fixing issues against the code audit report for my module. The issue is XSS VULNERABILITIES.
It has reported issue at the syntax
response.getOutputStream().write(buffer);
How to fix it ?
I have done sufficient home work and found that ESAPI recommended by OWASP can help me to fix it, but how to implement it ? The issue is in a servlet class ?
or any other api or anything else could help me to fix it?
please share you relevant experience. 

FileOutputStream fos = null;
        FileInputStream fileInuptStream =null;
        BufferedInputStream bufferedInputStream = null;
        ByteArrayOutputStream byteArrayOutputStream =null;
        try{
           ServletContext servletContext = request.getSession().getServletContext();
            File attachmentDir = new File(servletContext.getRealPath("")+File.separator+"Reports" );
            String uploadDir=attachmentDir.getPath();
            if (!attachmentDir.exists()) {
                attachmentDir.mkdirs();
            }

            HSSFWorkbook wb= new HSSFWorkbook();
             AAAA  aaa=new AAAA();          
            wb=aaa.getExportXLS(request, response, fileName, wb);
             if(request.getSession().getAttribute("SESSION_AAAAA")!=null){
                    request.getSession().removeAttribute("SESSION_AAAAA");
            }           
              fos=new FileOutputStream(uploadDir+File.separator+fileName);
            wb.write(fos);

            File fileXls=new File(uploadDir+File.separator+fileName);
              fileInuptStream = new FileInputStream(fileXls);
              bufferedInputStream = new BufferedInputStream(fileInuptStream);
              byteArrayOutputStream = new ByteArrayOutputStream();
            int start = INT_ZERO;
            int length = ONE_ZERO_TWO_FOUR;
            int offset = MINUS_ONE;
            byte [] buffer = new byte [length];
            while ((offset = bufferedInputStream.read(buffer, start, length)) != -1)
                byteArrayOutputStream.write(buffer, start, offset);


            buffer = byteArrayOutputStream.toByteArray();

            response.setHeader("Expires", "0");
            response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
            response.setHeader("Pragma", "public");
            response.setContentType("application/xls");
            response.setHeader("Content-disposition","attachment; filename="+fileName );
            response.setContentLength((int ) fileXls.length());
            response.getOutputStream().write(buffer);  --- REPORTED AT THIS LINE
            response.getOutputStream().flush();
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Need to validate the input and output as request is directly taken as input in the method. use ESAPI to validate the buffer field using getValidatedFileContent() from ESAPI. validate the fileName field for the fileName Injection attack. Also any filed that is taken as output from the method having request as input should be validated strictly.

    • 0