
How to fix A2-Broken Authentication and Session Management Warning?


I have run a Checkmarx security scan on my project and got an "A2 - Broken Authentication and Session Management" warning for the line "cstmt.execute();". I understand it is pointing at one of the OWASP Top 10 categories.

I need help understanding what is wrong with my code and how I can fix it.

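/**
 * Persists the changes described by {@code userParams} by calling the
 * {@code DbConstants.EDITUSER_PROC} stored procedure.
 *
 * <p>Authorization note (this is what the Checkmarx A2 finding on {@code execute()} is
 * about): this DAO does not decide whether the caller may edit the target user. It
 * forwards the target SSO ({@code getSso()}), the acting admin ({@code getAdminSso()})
 * and the requested roles to the procedure exactly as they arrive in the bean. The
 * service layer must establish, from the authenticated session rather than from the
 * request body, that the acting user is permitted to make this change before calling
 * this method. The only guard applied here is that an acting admin is present at all,
 * so the procedure never runs anonymously.
 *
 * <p>List-valued parameters are flattened to a comma-separated string before being
 * bound; the procedure's expected format is not visible here, so the flattening is
 * kept exactly as it was.
 *
 * @param userParams the edit request, as built from the REST request body
 * @return 1 once the procedure has executed; a failure is always reported by
 *         exception, so 0 is never returned (the int return is kept for existing callers)
 * @throws CustomException when the request is missing the acting admin or the
 *         database call fails; the message is the underlying driver/JDBC message
 */
public int editUser(UserBean userParams) throws CustomException{

        if (userParams == null) {
            throw new CustomException("Edit User rejected: no user parameters supplied");
        }
        // The procedure receives the admin SSO as the actor performing the edit.
        // Refuse to run it without one so every change is attributable to someone.
        String adminSso = userParams.getAdminSso();
        if (adminSso == null || adminSso.trim().isEmpty()) {
            throw new CustomException("Edit User rejected: acting admin SSO is missing");
        }

        String cntrctId = null;
        String keyAcc = null;
        // Contract and key-account lists are only bound when the user is not flagged
        // for "all contracts"; otherwise both are passed to the procedure as NULL.
        if (!"Y".equals(userParams.getAllContrctFlag())) {
            cntrctId = toCsv(userParams.getContractId().toArray());
            keyAcc = toCsv(userParams.getKeyAcName().toArray());
        }
        String roles = toCsv(userParams.getUserRole().toArray());
        String pnl = toCsv(userParams.getDefaultPnl().toArray());

        // NOTE(review): this writes contract and key-account identifiers to the log at
        // debug level; confirm that is acceptable for the log's retention and audience.
        logger.debug("Edit User cntrctId,KeyAcc, roles : "+cntrctId+"\n"+keyAcc+"\n"+roles);

        // try-with-resources closes the statement and then the connection even when the
        // procedure fails; a close failure is attached as a suppressed exception instead
        // of being logged and dropped.
        try (Connection con = jdbcTemplate.getDataSource().getConnection()) {
            ARRAY widgetArray = buildWidgetArray(con, userParams.getWidgets().toArray());

            try (CallableStatement cstmt = con.prepareCall(DbConstants.EDITUSER_PROC)) {
                cstmt.setString(1, userParams.getSso());
                cstmt.setString(2, roles);
                cstmt.setString(3, userParams.getUserType());
                cstmt.setString(4, keyAcc);
                cstmt.setString(5, cntrctId);
                cstmt.setString(6, adminSso);
                cstmt.setString(7, pnl);
                cstmt.setString(8, userParams.getAllContrctFlag());
                cstmt.setObject(9, widgetArray);
                cstmt.execute();
            }
        } catch (Exception ex) {
            // Log the exception object, not just its message, so the stack trace is kept.
            logger.error("Error while getting Edit User ---> " + ex.getMessage(), ex);
            // NOTE(review): the raw driver message is propagated here. If the service
            // layer returns CustomException messages to the REST client, database error
            // details (object names, ORA codes) leak to the caller; a generic message
            // with the detail kept in the server log would be safer.
            throw new CustomException(ex.getMessage());
        }
        return 1;
    }

    /**
     * Flattens an array to the "a, b, c" form bound to the procedure: the
     * {@link Arrays#toString} output with the brackets removed. Every '[' and ']'
     * character is removed, including any that occur inside the element values.
     */
    private static String toCsv(Object[] values) {
        return Arrays.toString(values).replace("[", "").replace("]", "").trim();
    }

    /**
     * Builds the RELTK_WIDGET_USER_TYPE array for the procedure call. When the pooled
     * connection wraps a native Oracle connection, the descriptor and array are created
     * on the unwrapped connection (kept from the original code; presumably the Oracle
     * driver needs its own connection type for this).
     */
    private static ARRAY buildWidgetArray(Connection con, Object[] widgets) throws SQLException {
        Connection target = con.isWrapperFor(OracleConnection.class)
                ? con.unwrap(OracleConnection.class)
                : con;
        ArrayDescriptor descriptor = ArrayDescriptor.createDescriptor("RELTK_WIDGET_USER_TYPE", target);
        return new ARRAY(descriptor, target, widgets);
    }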

The method above lives in the DAO layer. It is called by a service-layer method that handles the REST call, converts the JSON request body into a UserBean object, and passes that object to editUser.


Solution

  • Checkmarx flagged a database write (the stored-procedure call) that it could not trace back to any authorization check: nothing on the code path it analysed verifies that the caller is allowed to edit this user before the procedure runs.

    If authorization is actually enforced before the DAO is reached (for example, the service layer checks the authenticated caller's permissions, or the stored procedure validates the admin SSO it receives), you can mark this result as Not Exploitable. Be careful about what you count as that check, though: as the question describes the flow, the roles, adminSso and sso values are taken straight from the JSON request body, so unless the service layer overwrites them from the authenticated session they are attacker-controlled and cannot be the basis of the authorization decision. The DAO itself only forwards them to the procedure.