I ran appScan on my application. I can see most of the Validation.Required issues for String objects. But, not sure what validation the appscan is expecting here. we have tried with null and empty check still there is no use. Please any one let me know what validation appscan expects on a string object.
String tableName = this.request.getParameter(TABLE_NAME);
session.setAttribute(tableName + "_" + parentTableName + "_editColumnMap", editableColumnsMap);
Please let me know if you need any more information
The major goal of mitigating Validatoin.required finding is to validate against malicious input. Check in your code if any variable can be set to a value that can be controlled by a malicious user. Any input taking from outside of your system should be validated or sanitized using white-listing: https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#White_List_Input_Validation
Related
I'm using Spring Boot 2.4.6. For delete APIs getting 405 method not found. My endpoint is like: beauty/v1/sites/addressTemplates/:templateId
Path variable: ##$%#
Can someone please suggest what can be done to make this behavior as not complaining for 405? Please direct me to other questions in case I'm missing something.
I guess that your issue has nothing to do with Spring. Maybe you are trying to compose the whole URL by using reserved characters.
In a URL, a hash mark, number sign, or pound sign ( # ) points a browser to a specific spot in a page or website. It is used to separate the URI of an object from a fragment identifier. Source.
Which means that an URL which looks like:
beauty/v1/sites/addressTemplates/##$%#
is not exactly what you imagine it to be because # is interpreted in a special way. What you have to do is to percent encode the "special" path variable so it will look like this at the end:
beauty/v1/sites/addressTemplates/%23%40%24%25%23
Then Spring will not complain anymore and will resolve properly the endpoint.
Original Question: https://github.com/howtographql/graphql-java/issues/4
AuthContext context = env.getContext();
Link newLink = new Link(url, description, context.getUser().getId());
I do not get null on context variable, but I get a null on context.getUser()
code:https://github.com/howtographql/graphql-java/blob/master/src/main/java/com/howtographql/hackernews/Mutation.java
or my code:
https://github.com/JonathanSum/myOwnJavaGraphqlStarterKit/blob/master/src/main/java/com/howtographql/hackernews/Mutation.java
I'm the author of that tutorial, which is now unfortunately very outdated... I'm working on rewriting it in pure graphql-java (without graphql-java-tools), and this is what I'd recommend you try as well.
For the time being, your issue is very likely either because the browser doesn't send the user ID (in the Authorization header) at all or, if it does, it doesn't match the ID in Mongo.
Put a break point in createContext method in GraphQLEndpoint and inspect what happens.
The tutorial explains the code you need to add to the client to start sending the Authorization header, so make sure you followed that. otherwise, just make sure the ID it sends matches what you have in Mongo.
I have the following REGEX that I'm serving up to java via an xml file.
[a-zA-Z -\(\) \-]+
This regex is used to validate server side and client side (via javascript) and works pretty well at allowing only alphabetic content and a few other characters...
My problem is that it will also allow zero lenth strings / empty through.
Does anyone have a simple and yet elegant solution to this?
I already tried...
[a-zA-Z -\(\) \-]{1,}+
but that didn;t seem to work.
Cheers!
UPDATE FOLLOWING INVESTIGATION
It appears the code I provided does in fact work...
String inputStr = " ";
String pattern = "[a-zA-Z -\\(\\) \\-]+";
boolean patternMatched = java.util.regex.Pattern.matches(pattern, inputStr);
if ( patternMatched ){
out.println("Pattern MATCHED");
}else{
out.println("NOT MATCHED");
}
After looking at this more closely I think the problem may well be within the logic of some of my java bean coding... It appears the regex is dropped out at the point where the string parse should take place, thereby allowing empty strings to be submitted... And also any other string... EEJIT that I am...
Cheers for the help in peer reviewing my initial stupid though....!
Have you tried this:
[a-zA-Z -\(\) \-]+
I got an XLS pic inside of an HTML link, and i need to verify some information first before calling to the servlet, that's why i'm not including the servlet inside of the href="". So i've created a javascript function that verifies the input information in order to be used by the servlet.
(The Servlet returns a XLS in order to be saved by the user).
Tried this:
document.location.href = 'saveExcelServlet.do?' + <<GET method attributes>>;
But it didn't work.
It says:
Problem accessing /wscall-metrics-web/saveExcelServlet.do. Reason:
null
Caused by:
java.lang.NumberFormatException: null
If i write it works...
Can anyone help me?
Thanks.
M.
There's a good chance the URL isn't quite built the way you expect. A great poorman's technique for debugging this kind of thing is to assign a variable and pop it up in an alert:
var newLoc = 'saveExcelServlet.do?' + <<GET method attributes>>;
alert(newLoc);
You can see exactly what URL is getting fetched.
am using this connection string to connect to mysql from java:
jdbc:mysql://localhost:3306/db?noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8
is it possible to set the session variable in the string so that SET UNIQUE_CHECKS=0; would be executed upon connecting to server? the obvious
jdbc:mysql://localhost:3306/db?noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8&unique_checks=0
doesn't seem to work, based on the fact that
'jdbc:mysql://localhost:3306/db?noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8&unique_checks=blahblah`
doesn't generate any error.
Cheers!
How about using sessionVariables:
jdbc:mysql://localhost:3306/db?noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8&sessionVariables=unique_checks=0
Your question is thus more "How do I concat Strings in Java?" ?
If so, then just use the + operator:
int uniqueChecks = 0; // Assign session variable here.
String url = "jdbc:mysql://localhost:3306/db?unique_checks=" + uniqueChecks;
Alternatively you can also use String#format() wherein you can use the %d pattern to represent a decimal:
int uniqueChecks = 0; // Assign session variable here.
String url = String.format("jdbc:mysql://localhost:3306/db?unique_checks=%d", uniqueChecks);
You can use Statement.execute() to run pretty much every statement the DB understands, including such a SET-statement.
The advantage of using an URL parameter or a dedicated method is that the JDBC-driver is actually aware that the option was set and can react accordingly. This may or may not be useful or necessary for this particular option, but it's vital for other options (for example toggling autocommit with such a statement is a very bad idea).
BalusC, thanks for a reply! actually I need to do that in Talend etl tool(which itself is a java code generator) and the only line i can edit is the "jdbc:mysql://localhost:3306/db?noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8" string, which gets translated to this java code:
String url_tMysqlBulkExec_1 = "jdbc:mysql://"
+ "localhost" +
":"
+ "3306"
+ "/"
+ "db"
+ "?"
+ "noDatetimeStringSync=true&useUnicode=yes&characterEncoding=UTF-8&unique_checks=0";
that's the limitation, sorry for not pointing that out earlier.
According to mysql docs, there is no possibility to set the unique_checks setting, i guess i need to look for other solution than URL parameters (Joachim, thanks for reminding me that these things are called "URL parameters" - help a lot while googling :)