IBM / ibm-cos-sdk-java

SAST : Validation.Required.URL

roryodonnell opened this issue · comments

Trying to resolve an AppScan HIGH issue. I'm aware that this would have to be fixed in the upstream AWS repo. But perhaps, someone more familiar with the library could recommend a solution, something like setting a default local proxy or something.

org.apache.http.client.HttpClient.execute(HttpUriRequest;HttpContext):HttpResponse com.ibm.cloud.objectstorage.http.AmazonHttpClient:1297

com.ibm.cloud.objectstorage.ClientConfiguration.getProxyDomain():String via com.ibm.cloud.objectstorage.http.settings.HttpClientSettings:164
org.apache.http.client.HttpClient.execute(HttpUriRequest;HttpContext):HttpResponse via com.ibm.cloud.objectstorage.http.AmazonHttpClient:1297 

[image: AppScan finding details for Validation.Required.URL]

What is the scanner's proposed solution? My guess is this is flagged because no verification is done on this string before it is given to the HTTP library. According to the code, this value is only used in certain configurations where an NTLM proxy is being used.

Thanks for the reply, Eric. See below, the "How to fix" details

[image: AppScan "How to fix" details]

Thanks. The SDK is more like the "legitimate user" described above in that it uses this URL to do its work and inherently must trust the value passed to it. It has no other way to know or validate the network topology. If the application developer receives proxy URLs from an untrusted source, the application would need to follow the above guidance before putting that data in the SDK's proxy configuration.
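The validation the reply describes, as an added example that is not part of this thread or of the SDK's own code: an application-side gate that parses an untrusted proxy URL, enforces an allowlist of permitted proxy hosts, requires a plain http scheme with an explicit port and no embedded credentials, path or query, checks the optional NTLM domain against a character pattern, and only then builds the SDK's ClientConfiguration. The withProxyHost, withProxyPort and withProxyDomain calls are the SDK's real setters; the class name ProxyConfigValidator, the ALLOWED_PROXY_HOSTS allowlist, the NTLM_DOMAIN pattern and the sample URLs are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import com.ibm.cloud.objectstorage.ClientConfiguration;

/**
 * Builds an SDK ClientConfiguration from an untrusted proxy URL only after the
 * URL has passed an allowlist check. The SDK trusts whatever proxy host, port and
 * domain it is given, so this gate belongs in the application, not the library.
 * (Example code, not part of ibm-cos-sdk-java.)
 */
public final class ProxyConfigValidator {

    // Assumption for this example: the only proxies this deployment may use.
    private static final Set<String> ALLOWED_PROXY_HOSTS =
            new HashSet<>(Arrays.asList("proxy.corp.example", "proxy2.corp.example"));

    // Assumption: an NTLM domain is a short DNS/NetBIOS-style label and nothing else.
    private static final Pattern NTLM_DOMAIN = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$");

    private ProxyConfigValidator() {
    }

    /**
     * @param rawProxyUrl proxy URL from an untrusted source, e.g. "http://proxy.corp.example:3128"
     * @param rawDomain   optional NTLM domain from the same source; null or empty means no NTLM
     * @return a ClientConfiguration carrying only validated values
     * @throws IllegalArgumentException if any part of the input is rejected
     */
    public static ClientConfiguration fromUntrustedProxyUrl(String rawProxyUrl, String rawDomain) {
        final URI uri;
        try {
            uri = new URI(rawProxyUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("proxy URL is not a syntactically valid URI", e);
        }

        // Only plain HTTP proxies are accepted; socks5, file, jar and friends are rejected.
        if (!"http".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("proxy scheme must be http, got: " + uri.getScheme());
        }
        // Credentials embedded in the URL are rejected; they belong in dedicated proxy settings.
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("proxy URL must not carry userinfo");
        }
        // getHost() is null for opaque URIs and for authorities Java cannot parse as a host name.
        final String host = uri.getHost();
        if (host == null || !ALLOWED_PROXY_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("proxy host is not on the allowlist: " + host);
        }
        // Require an explicit, in-range port rather than guessing a default.
        final int port = uri.getPort();
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("proxy URL must specify a port in 1..65535");
        }
        // A proxy endpoint has no path, query or fragment; anything there is suspicious.
        if ((uri.getRawPath() != null && !uri.getRawPath().isEmpty())
                || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("proxy URL must not contain a path, query or fragment");
        }

        ClientConfiguration config = new ClientConfiguration()
                .withProxyHost(host)
                .withProxyPort(port);

        if (rawDomain != null && !rawDomain.isEmpty()) {
            if (!NTLM_DOMAIN.matcher(rawDomain).matches()) {
                throw new IllegalArgumentException("NTLM domain contains disallowed characters");
            }
            config = config.withProxyDomain(rawDomain);
        }
        return config;
    }

    public static void main(String[] args) {
        ClientConfiguration ok = fromUntrustedProxyUrl("http://proxy.corp.example:3128", "CORP");
        System.out.println("accepted " + ok.getProxyHost() + ":" + ok.getProxyPort()
                + " domain=" + ok.getProxyDomain());

        // Constructed inputs that the gate must reject.
        String[] rejected = {
                "http://attacker.example:3128",                // host not on allowlist
                "http://user:secret@proxy.corp.example:3128",  // credentials in URL
                "socks5://proxy.corp.example:1080",            // wrong scheme
                "http://proxy.corp.example",                   // no explicit port
                "http://proxy.corp.example:3128/?x=1",         // path and query present
        };
        for (String url : rejected) {
            try {
                fromUntrustedProxyUrl(url, null);
                System.out.println("BUG: accepted " + url);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + url + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The allowlist is the part that actually closes the finding: syntactic checks alone still let an attacker point the client at any reachable host, so the application has to decide which proxies are legitimate for its network and refuse everything else before the value reaches ClientConfiguration.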

Agreed, yes Eric, thank you.