I have a Java method flagged by Fortify as an "Access Control: Database" issue. The flagged method (fetchAllRecords) queries a database using JPA's findAll with paging and sorting, and it does not handle sensitive or user-specific data. However, Fortify reports that it lacks proper access control, making it susceptible to unauthorized database access.

Here’s the method code similar to my implementation:

```java
@Transactional
public List<RecordEntity> fetchAllRecords(Specification<RecordEntity> spec, QueryRequest request) {
    validateRequest(request);

    int pageSize = Math.min(request.getPageSize(), 250); // Limit max page size (Fortify recommendation)
    int pageNumber = Math.max(request.getPageNum() - 1, 0);
    Sort sort = Sort.by(Sort.Direction.ASC, request.getSortingBy().toArray(new String[0]));
    PageRequest pageReq = PageRequest.of(pageNumber, pageSize, sort);

    log.info("Querying records with sorting: {}, page size: {}, page number: {}", 
             request.getSortingBy(), pageSize, pageNumber);

    return recordRepository.findAll(spec, pageReq).getContent();
}

private static void validateRequest(QueryRequest request) {
    if (request == null) {
        throw new InvalidRequestException("Request cannot be null");
    }
    if (request.getSortingBy() == null || request.getSortingBy().isEmpty()) {
        throw new InvalidRequestException("Sorting parameters cannot be null or empty");
    }
    if (request.getPageSize() <= 0 || request.getPageSize() > 250) {
        throw new InvalidRequestException("Invalid page size: " + request.getPageSize());
    }
    if (request.getPageNum() < 0) {
        throw new InvalidRequestException("Page number cannot be negative");
    }
}
```

It complains on this line: `return recordRepository.findAll(spec, pageReq).getContent();`

The Fortify issue says: "Without proper access control, the method fetchAllRecords in DefaultRecordPersistentServiceAdapter.java can execute a SQL statement that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records."
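For cases where the records do belong to a user, the usual way to add the access-control constraint the finding describes is to AND a server-derived ownership predicate onto the caller-supplied `Specification`. The sketch below is an added example, not code from the question: the `ownerId` and `name` fields, the `ScopedRecordQuery` class, the sort allow-list and the use of Spring Security's `Authentication.getName()` as the owner key are all assumptions.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import java.util.List;
import java.util.Set;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.domain.Specification;
import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical entity: ownerId and name are assumed columns, not from the question.
@Entity
class RecordEntity { @Id Long id; String ownerId; String name; }

interface RecordRepository extends JpaSpecificationExecutor<RecordEntity> {}

class ScopedRecordQuery {
    // Assumption: the only properties a caller may sort by.
    private static final Set<String> SORTABLE = Set.of("id", "name");
    private final RecordRepository recordRepository;
    ScopedRecordQuery(RecordRepository recordRepository) { this.recordRepository = recordRepository; }

    // Ownership predicate built from the authenticated principal, never from request data.
    static Specification<RecordEntity> ownedBy(String userId) {
        return (root, query, cb) -> cb.equal(root.get("ownerId"), userId);
    }

    List<RecordEntity> fetchVisibleRecords(Specification<RecordEntity> callerSpec,
                                           List<String> sortBy, int pageNum, int pageSize) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new SecurityException("No authenticated caller");
        }
        if (sortBy.isEmpty() || !SORTABLE.containsAll(sortBy)) {
            throw new IllegalArgumentException("Unsupported sort property in " + sortBy);
        }
        // AND the caller's filter onto the ownership predicate so it can only narrow the result.
        Specification<RecordEntity> scoped = ownedBy(auth.getName());
        if (callerSpec != null) {
            scoped = scoped.and(callerSpec);
        }
        Sort sort = Sort.by(Sort.Direction.ASC, sortBy.toArray(new String[0]));
        PageRequest page = PageRequest.of(Math.max(pageNum - 1, 0), Math.min(pageSize, 250), sort);
        return recordRepository.findAll(scoped, page).getContent();
    }
}
```

Because the ownership predicate is combined with `and`, a caller-supplied filter on the primary key can only select rows the authenticated user already owns.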