I am trying to fix security issues reported by a Checkmarx scan, of the type "Trust Boundary Violation". I have tried multiple solutions, but none seem to work.
I have tried a validation check, which is what most other solutions suggest, and also tried canonicalization, but it is still not working.
    import org.owasp.esapi.ESAPI;

    // Allow-list check: only letters, digits, '-' and '_' are accepted; anything else is rejected.
    public static String sanitize(String inputString) {
        if (inputString == null || !inputString.matches("[-0-9a-zA-Z_]+")) {
            return null;
        }
        // The replace() calls are redundant once the allow-list has passed ('/' and '.' cannot occur),
        // but they are kept here as in the original; the value is then canonicalized with ESAPI.
        return ESAPI.encoder().canonicalize(inputString.replace("/", "").replace("..", ""), false, false);
    }
Issue shown by Checkmarx: This element’s value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object. (Trust boundary violation)
This is a well-known "bug" for this Checkmarx query, the Trust Boundary Violation (CWE-501). The problem could be that you store data in the session with both sanitized and unsanitized objects. As I see your code, you seem to do some sanitization. I think this is your right whitelist.
If you do this (sanitization), you should consider it a "False Positive". I know Checkmarx is working on it after some of them were reported. This should be better in the next Checkmarx releases.
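As an added illustration of the pattern the question and the answer both describe (validate at the boundary, then store only the validated copy in the session), here is example code that is not the asker's code and not from Checkmarx. It assumes a Java servlet environment (HttpServletRequest/HttpSession), a hypothetical attribute name "userId", a hypothetical length limit, and the same allow-list regex as the question.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the asker's code): the only value that ever reaches
 * session.setAttribute() is the copy that passed the allow-list, and the raw
 * request parameter is never stored anywhere.
 */
public final class SessionInput {
    // Same allow-list as in the question: letters, digits, '-' and '_'.
    private static final Pattern ALLOWED = Pattern.compile("[-0-9a-zA-Z_]+");
    // Hypothetical upper bound on the field length; adjust to the real field.
    private static final int MAX_LENGTH = 64;
    // Hypothetical session attribute name.
    private static final String ATTR_USER_ID = "userId";

    private SessionInput() {}

    /**
     * Returns the validated value unchanged, or throws if it is not on the allow-list.
     * Throwing (rather than returning null) makes it impossible to forget the check.
     */
    public static String validate(String input) {
        if (input == null || input.length() > MAX_LENGTH || !ALLOWED.matcher(input).matches()) {
            throw new IllegalArgumentException("input rejected by allow-list");
        }
        return input;
    }

    /**
     * Hypothetical request handler. The untrusted value crosses the trust boundary
     * at getParameter(); validation and storage happen in the same method so the
     * data flow from validate() to setAttribute() is direct and explicit.
     */
    public static void storeUserId(HttpServletRequest request, HttpSession session) {
        String raw = request.getParameter(ATTR_USER_ID); // untrusted input
        String userId;
        try {
            userId = validate(raw);
        } catch (IllegalArgumentException e) {
            // Reject: nothing derived from the untrusted value is stored.
            session.removeAttribute(ATTR_USER_ID);
            return;
        }
        session.setAttribute(ATTR_USER_ID, userId); // validated copy only
    }

    // Stand-alone demonstration of the allow-list on constructed inputs.
    public static void main(String[] args) {
        String[] samples = { "alice_01", "bob-42", "../etc/passwd", "<script>", "" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

The design point is that the validated value is a distinct, named variable that is the sole argument to setAttribute(), rather than storing the raw parameter in one place and a sanitized copy in another; static analyzers track taint along the data flow, so keeping that flow short and unambiguous both removes any real unvalidated path and makes a remaining finding easy to justify as a false positive.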