Hi,
We're running a scan of our code in a commercial security static code analysis tool and it is flagging pretty much every usage of JAX-RS input parameters as a High Severity security issue.
For example, a typical JAX-RS method like this:
    @GET
    @Path("/{id}")
    public SomeEntity getOne(@Context RequestContext ctx, @PathParam("id") String id) {
        return dao.findExistingById(ctx, id);
    }
gets flagged with errors such as:
    Method getOne() at line 51 of SomeEntityResource.java gets user input for the id element.
    This element's value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method getOne() at line 51 of SomeEntityResource.java. This may enable a Cross-Site-Scripting
So my question is whether Dropwizard automatically sanitizes PathParam, FormParam, CookieParam, etc. against XSS attacks?
*Or do we need to do it in every JAX-RS method manually and sanitize every
argument ourselves?*
Thanks
Jacek
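As an added example, not part of Jacek's post and not Dropwizard project code: one way to make the data flow in the posted resource explicit to a reviewer (and to a static analyzer) is to put an allow-list constraint on the path parameter with Bean Validation annotations, which Dropwizard's bundled Hibernate Validator applies to resource method parameters so that a non-matching id is rejected before the method body runs. The `SomeEntityDao`, `SomeEntity` and `RequestContext` types are assumed placeholders standing in for the poster's own classes, the `@Context RequestContext` injection is assumed to be wired elsewhere as in the original snippet, and the id format in `ID_PATTERN` is a constructed example.

```java
import javax.validation.constraints.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;

// Placeholder types standing in for the poster's own classes (assumed, not real Dropwizard API).
interface RequestContext {}
interface SomeEntity {}
interface SomeEntityDao {
    SomeEntity findExistingById(RequestContext ctx, String id);
}

@Path("/entities")
@Produces(MediaType.APPLICATION_JSON)
public class SomeEntityResource {

    // Constructed example: ids are expected to be opaque tokens of 1..64 URL-safe
    // characters. Any other value (markup, quotes, path separators) never reaches the
    // DAO or the response body; the validator rejects the request first.
    static final String ID_PATTERN = "[A-Za-z0-9_-]{1,64}";

    private final SomeEntityDao dao;

    public SomeEntityResource(SomeEntityDao dao) {
        this.dao = dao;
    }

    @GET
    @Path("/{id}")
    public SomeEntity getOne(@Context RequestContext ctx,
                             @PathParam("id") @Pattern(regexp = ID_PATTERN) String id) {
        // With the constraint on the parameter, id is known to match ID_PATTERN here.
        return dao.findExistingById(ctx, id);
    }

    // The same allow-list check as a plain method, so the rule can be unit-tested
    // without starting a container.
    static boolean isValidId(String id) {
        return id != null && id.matches(ID_PATTERN);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a well-formed id, a markup payload, an empty value.
        String[] samples = { "abc-123", "<script>alert(1)</script>", "" };
        for (String sample : samples) {
            System.out.println("\"" + sample + "\" accepted: " + isValidId(sample));
        }
    }
}
```

The class compiles against the javax.ws.rs-api and javax.validation-api jars that a Dropwizard project already pulls in; `main` only exercises the allow-list rule offline. Note that the constraint addresses input validation; how the returned entity is encoded in the response (JSON by default here, via `@Produces`) is a separate concern from the parameter binding itself.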