I am fixing code against the code audit report. It says "PREVENT EXPOSURE OF SENSITIVE DATA" against the line having the syntax response.getWriter().write(xml.toString()). The whole code is below.
String alertId = request.getParameter("alertId") != null ? request.getParameter("alertId") : "";
String desc = AAAA.getBBBB(Long.parseLong(AAAA.getCCCC(alertId)));
// Response headers have to be set before anything is written to the body,
// so they are moved ahead of the write() call
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
StringBuffer xml = new StringBuffer();
xml.append("<?xml version=\"1.0\"?>");
xml.append("<parent>");
xml.append("<child>");
xml.append("<alertDesc>");
xml.append(desc); // value looked up from a request parameter, appended without XML escaping
xml.append("</alertDesc>");
xml.append("</child>");
xml.append("</parent>");
response.getWriter().write(xml.toString()); // ISSUE IN THIS LINE
I have done sufficient homework and can fix it for the XSS attack, and used ESAPI for the same. But I don't know how to fix this one. Please give suggestions. The report has the below message against the reported issue: "Leakage of toString() result ("xml") via web page".
After the day-long R&D I found that the SAX parser can help me in this case. It is actually a memory leakage at the StringBuffer.toString() syntax, due to which sensitive data is getting exposed and lost, but I don't know how to implement that. Also at some places I found the use of the StringBuilder() class instead of the StringBuffer() class. Can anybody help me or give their valuable suggestions? Thanks in advance.
Also I have the same issue for another type of code. It is below.
StringBuffer content = (StringBuffer) file.get("content");
// length() counts chars, not encoded bytes; the cast is redundant since length() already returns int
response.setContentLength(content.length());
response.getWriter().write(content.toString()); // reported by the tool as the same leakage
Again I don't know how to fix this one. The issue is the same: leakage of sensitive data reported by the tool.
As I have told in my comment, I do not think that the comment has something to do with the code itself but with the exposure of sensitive data. I have read the PCI-DSS document and I don't remember it saying anything about how something should be coded (regardless of good practices). You can take a look at all PCI documentation available by yourself. It is a hard task; a better approach would be to try to find out what the consultant meant.
It is really difficult to fix something when you don't know where the problem is.
The content.toString() needs to be properly validated. Use ESAPI to validate it strictly. Writing directly to the response is really vulnerable, and if the data is output from a method having the request as input then it's twice as vulnerable. Major security issue.
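The kind of fix the answer above points at, as an added example that is not code from the question or from either answer: the alertId parameter is allow-listed before it reaches the lookup, headers are set before the body is written, and the XML is built with the JDK DOM API so the serializer escapes the description instead of concatenating it raw. AlertDescServlet, lookupDescription and the javax.servlet package are assumptions standing in for the obfuscated AAAA.getBBBB / AAAA.getCCCC calls and the asker's servlet.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class AlertDescServlet extends HttpServlet {

    // Assumed lookup standing in for AAAA.getBBBB(Long.parseLong(AAAA.getCCCC(alertId)))
    protected String lookupDescription(long alertId) {
        return "constructed description for alert " + alertId;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String alertId = request.getParameter("alertId");
        // Allow-list the identifier before it is used: digits only, bounded length (fits in a long)
        if (alertId == null || !alertId.matches("\\d{1,18}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid alertId");
            return;
        }
        String desc = lookupDescription(Long.parseLong(alertId));

        // Headers go before the body; the original code set them after write()
        response.setContentType("text/xml;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store, no-cache");
        response.setHeader("Pragma", "no-cache");
        try {
            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
            Element parent = doc.createElement("parent");
            doc.appendChild(parent);
            Element child = doc.createElement("child");
            parent.appendChild(child);
            Element alertDesc = doc.createElement("alertDesc");
            alertDesc.setTextContent(desc); // '<', '&' etc. in desc are escaped on serialization
            child.appendChild(alertDesc);
            Transformer t = TransformerFactory.newInstance().newTransformer();
            t.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
            t.transform(new DOMSource(doc), new StreamResult(response.getWriter()));
        } catch (Exception e) {
            throw new IOException("failed to build alert XML", e);
        }
    }
}
```

If the project already depends on ESAPI, ESAPI.encoder().encodeForXML(desc) gives the same escaping for the string-concatenation version; the DOM route avoids relying on remembering to call it for every appended value.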