我正在使用bean在我的Java EE应用程序中发送邮件。我发送邮件的类是通过xDoclet生成的。类代码如下
import java.util.Arrays;
import javax.ejb.EJBException;
import javax.ejb.RemoveException;
import javax.jms.JMSException;
import javax.jms.MapMessage;
import com.logger.LoggerFactory;
import com.logger.LoggerInterface;
import com.messaging.MailComponent;
import com.LoggerWithUserId;
/**
* <!-- begin-xdoclet-definition -->
*
* @ejb.bean name="MessageListener" acknowledge-mode="Auto-acknowledge"
* destination-type="javax.jms.Queue"
*
* transaction-type="Container" destination-jndi-name="MessageListener"
*
* @ejb.transaction="Supports"
*
* <!-- end-xdoclet-definition -->
* @generated
*/
public class MessageListenerBean implements javax.ejb.MessageDrivenBean,
javax.jms.MessageListener {
private static final LoggerWithUserId logger=new LoggerWithUserId(MessageListenerBean.class);
/**
* <!-- begin-user-doc --> <!-- end-user-doc --> The context for the
* message-driven bean, set by the EJB container.
*
* @generated
*/
private javax.ejb.MessageDrivenContext messageContext = null;
/**
* Required method for container to set context.
*
* @generated
*/
public void setMessageDrivenContext(
javax.ejb.MessageDrivenContext messageContext)
throws javax.ejb.EJBException {
this.messageContext = messageContext;
}
/**
* Required creation method for message-driven beans.
*
* <!-- begin-user-doc --> <!-- end-user-doc -->
*
* <!-- begin-xdoclet-definition -->
*
* @ejb.create-method <!-- end-xdoclet-definition -->
* @generated
*/
public void ejbCreate() {
// no specific action required for message-driven beans
}
/**
* Required removal method for message-driven beans. <!-- begin-user-doc -->
* <!-- end-user-doc -->
*
* @generated
*/
public void ejbRemove() {
messageContext = null;
}
public static final LoggerInterface LOG = LoggerFactory
.getLogger(MessageListenerBean.class);
public void onMessage(javax.jms.Message message) {
String i;
MapMessage mapMsg = (MapMessage) message;
String toListArray[] = null;
String ccListArray[] = null;
String from = null;
String subject = null;
String content = null;
try {
String toEmailAddress = mapMsg.getString("toAddress");
String ccEmailAddress = mapMsg.getString("ccAddress");
from = mapMsg.getString("from");
subject = mapMsg.getString("subject");
content = mapMsg.getString("body");
String tempTo = toEmailAddress.replace("[", "");
String toStrAddress = tempTo.replace("]", "");
String tempCC = ccEmailAddress.replace("[", "");
String ccStrAddress = tempCC.replace("]", "");
if (!("".equals(toStrAddress))) {
toListArray = toStrAddress.split(",");
LOG.debug("To array list is------->" + " " + Arrays.toString(toListArray));
}
if (!("".equals(ccStrAddress))) {
ccListArray = ccStrAddress.split(",");
LOG.debug("CC array list is------->" + " " + Arrays.toString(ccListArray));
}
try {
MailComponent mailcomp = new MailComponent();
mailcomp.postMail(toListArray, ccListArray, subject, content,
from);
} catch (Exception e) {
logger.error("Exception occurred => ", e);
logger.error("Exception Type =>"+e);
}
} catch (JMSException e) {
throw new EJBException(e);
}
}
/**
*
*/
public MessageListenerBean() {
// TODO Auto-generated constructor stub
}
}
现在,我在这个类的checkmarx中遇到了一些安全问题 - 在JMS中对行中的不受信任数据进行反序列化
String toEmailAddress = mapMsg.getString("toAddress");
String ccEmailAddress = mapMsg.getString("ccAddress");
from = mapMsg.getString("from");
subject = mapMsg.getString("subject");
content = mapMsg.getString("body");
我无法找到解决问题的方法。请提供建议。
在try块内移动强制转换,它可能会解决checkmarx问题:
MapMessage mapMsg = (MapMessage) message;