我有一段像这样的 APEX 代码:
MyType mdt = [
SELECT Token_Endpoint__c
FROM Google_OAuth2__mdt
LIMIT 1
];
String tokenEndpoint = mdt.Token_Endpoint__c;
HttpRequest req = new HttpRequest();
req.setEndpoint(tokenEndpoint);
Snyk 代码测试将
req.setEndpointUnsanitized input from a SOQL statement flows into setendpoint, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
✗ [High] Server-Side Request Forgery (SSRF)
我尝试创建一个allowList集,如果找不到URL则抛出异常。
String tokenEndpoint = mdt.Token_Endpoint__c;
Set<String> allowList = new Set<String>{'https://foo/...'}
if (!allowList.contains('https://foo/...')) {
throw new IllegalArgumentException('uh oh')
}
HttpRequest req = new HttpRequest();
req.setEndpoint(tokenEndpoint);
还可以尝试在地图中查找 URL
String tokenEndpoint = mdt.Token_Endpoint__c;
Map<String, String> allowList = new Map<String, String>{'https://foo/...' => 'https://foo/...'}
if (!allowList.containsKey('https://foo/...')) {
throw new IllegalArgumentException('uh oh')
}
HttpRequest req = new HttpRequest();
req.setEndpoint(allowList.get('https://foo/...'));
但是 Snyk 对这两种情况都发出了警报。我发现唯一能让 Snyk 相信 URL 是安全的就是将其硬编码到 APEX 类本身中。但这对我来说不是一个选择。
您可以尝试对 URL 进行编码吗...
MyType mdt = [
SELECT Token_Endpoint__c
FROM Google_OAuth2__mdt
LIMIT 1
];
String tokenEndpoint = mdt.Token_Endpoint__c;
String encoded = EncodingUtil.urlEncode(tokenEndpoint , 'UTF-8');
HttpRequest req = new HttpRequest();
req.setEndpoint(encoded);