Java Checkmarx issue: Heap Inspection

fhity93d  posted on 2022-11-27  in  Java
Follow(0)|Answers(1)|Views(217)

Checkmarx complains: "Method changePassword defines oldPassword, which is designated to contain user passwords. However, while plaintext passwords are later assigned to oldPassword, this variable is never cleared from memory." Is this a false positive?

@PutMapping(path = "/changepassword", produces = APPLICATION_JSON_VALUE)
public ResponseEntity<String> changePassword(@RequestBody UserUpdate user, HttpServletRequest request, HttpServletResponse response)  {
    String uid= user.getId();
    String oldPassword = user.getOldPwrd();
    String newPassword = user.getPwrd();
    userDetails.changeUserPassword(uid, oldPassword, newPassword);
    return ResponseEntity.ok(SUCCESS);
}
zpjtge22  1#

The best security practice is not to store the password in an immutable String but to use an encrypted in-memory object such as SealedObject. This dedicated class keeps the data encrypted in memory and helps ensure that it cannot easily be retrieved from memory.

@PutMapping(path = "/changepassword", produces = APPLICATION_JSON_VALUE)
public ResponseEntity<String> changePassword(@RequestBody UserUpdate user, HttpServletRequest request, HttpServletResponse response)  {
    String uid= user.getId();
    // requires UserUpdate.getOldPwrd()/getPwrd() to return SealedObject instead of String
    SealedObject oldPassword = user.getOldPwrd();
    SealedObject newPassword = user.getPwrd();
    userDetails.changeUserPassword(uid, oldPassword, newPassword);
    return ResponseEntity.ok(SUCCESS);
}

You will have to change the changeUserPassword method to handle a SealedObject, which involves defining the encrypted password and the key:

Key key = getKeyFromConfiguration();
Cipher c = Cipher.getInstance(CIPHER_NAME);
c.init(Cipher.ENCRYPT_MODE, key);
// Arrays.asList(char[]) would give a List<char[]>, so box each character explicitly
List<Character> characterList = new ArrayList<>(input.length);
for (char ch : input) characterList.add(ch);
password = new SealedObject((Serializable) characterList, c);
Arrays.fill(input, '\0'); // wipe the plaintext buffer once it has been sealed

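A complete, runnable version of the approach in the answer, added here as an example that is not part of the original post: it seals a char[] password with an AES key, wipes the buffer, and unseals it on the consuming side. The class, method names and the per-run KeyGenerator are constructed for the example; a real service would load the key from configuration as the answer's getKeyFromConfiguration() suggests.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

public class SealedPasswordDemo {
    // Hypothetical cipher choice; the answer's CIPHER_NAME would come from configuration.
    private static final String CIPHER_NAME = "AES/CBC/PKCS5Padding";

    /** Seals the password characters and wipes the caller's buffer. */
    static SealedObject seal(char[] input, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER_NAME);
        c.init(Cipher.ENCRYPT_MODE, key);
        // Arrays.asList(char[]) would give List<char[]>, so box the characters explicitly
        List<Character> chars = new ArrayList<>(input.length);
        for (char ch : input) chars.add(ch);
        SealedObject sealed = new SealedObject((Serializable) chars, c);
        Arrays.fill(input, '\0');   // plaintext no longer needed once sealed
        return sealed;
    }

    /** Unseals back to a char[] that the caller must wipe after use. */
    @SuppressWarnings("unchecked")
    static char[] unseal(SealedObject sealed, SecretKey key) throws Exception {
        // getObject(Key) re-creates the cipher from the algorithm and IV stored in the SealedObject
        List<Character> chars = (List<Character>) sealed.getObject(key);
        char[] out = new char[chars.size()];
        for (int i = 0; i < out.length; i++) out[i] = chars.get(i);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();           // stands in for getKeyFromConfiguration()
        char[] typed = "hunter2".toCharArray();     // constructed sample input
        SealedObject sealed = seal(typed, key);
        System.out.println("buffer wiped: " + Arrays.equals(typed, new char[typed.length]));
        char[] recovered = unseal(sealed, key);
        try {
            System.out.println("round trip ok: " + Arrays.equals(recovered, "hunter2".toCharArray()));
        } finally {
            Arrays.fill(recovered, '\0');           // the unsealed copy is plaintext again; clear it
        }
    }
}
```

Note that the List<Character> produced by getObject() and the char[] returned by unseal() are plaintext again, so the consumer has to clear them as well; sealing shortens the window in which the password sits in the heap, it does not remove it.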