import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// req is the HttpServletRequest and session the HttpSession of the current call;
// Tool and ServiceHandler are application-specific helpers not shown here.
Enumeration params = req.getParameterNames();
String sPrefix = "prefix_";
while (params.hasMoreElements())
{
    String paramName = (String) params.nextElement();
    if (paramName.startsWith(sPrefix))
    {
        String value = Tool.getValue(req.getParameter(paramName));
        try {
            // Both the attribute name and the value are passed through the ESAPI
            // "SafeCheckString" validator before being stored in the session.
            session.setAttribute(
                ESAPI.validator().getValidInput("SafeCheckString", paramName, "SafeCheckString", 1024, true),
                ESAPI.validator().getValidInput("SafeCheckString", value, "SafeCheckString", 1024, true)); //flaw
        }
        catch (ValidationException e)
        {
            ServiceHandler.writeException("Validation Exception occurred while validating Input", e);
        }
        catch (IntrusionException e)
        {
            ServiceHandler.writeException("Intrusion Exception occurred while validating Input", e);
        }
    }
}
I'm getting a trust boundary violation in the code (session.setAttribute(....)) when triggering Veracode.
How can I solve this?
Currently we have a few trust boundary violation (CWE ID 501) flaws in our application. The recommended solution to fix this was to validate the input against a regex. Thus, we used the ESAPI.validator().getValidInput() API, but the flaws are still not getting mitigated.
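As an added illustration (example code, not from the question or from ESAPI), the following standalone Java class shows the shape of a fix that addresses the root of a CWE-501 finding on session.setAttribute: the session attribute name is never derived from the request, only a fixed whitelist of expected parameter names is mapped to fixed session keys, and each value must match a strict regex before it is copied into the session. It takes the request parameters as a Map<String, String[]>, the shape returned by HttpServletRequest.getParameterMap(), so it runs without a servlet container. The parameter names, session keys, the regex and the sample request are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SessionAttributeWhitelist {

    // Constructed example: the only request parameters this handler accepts,
    // mapped to the fixed session keys they are stored under. Because the
    // session key comes from this table, it is never taken from the request.
    private static final Map<String, String> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("prefix_username", "user.name");
        ALLOWED.put("prefix_locale", "user.locale");
        ALLOWED.put("prefix_theme", "user.theme");
    }

    // Constructed example: values must be short and limited to a safe character set.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    /**
     * Keeps only the parameters that are on the whitelist, carry exactly one
     * value, and whose value matches SAFE_VALUE. Returns session key -> value;
     * everything else is dropped and a reason is appended to 'rejected'.
     */
    public static Map<String, String> collect(Map<String, String[]> params, List<String> rejected) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String sessionKey = ALLOWED.get(e.getKey());
            if (sessionKey == null) {
                rejected.add(e.getKey() + ": not an expected parameter");
                continue;
            }
            String[] values = e.getValue();
            if (values == null || values.length != 1) {
                rejected.add(e.getKey() + ": expected exactly one value");
                continue;
            }
            String value = values[0];
            if (value == null || !SAFE_VALUE.matcher(value).matches()) {
                rejected.add(e.getKey() + ": value failed validation");
                continue;
            }
            out.put(sessionKey, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed request: two acceptable parameters, one unknown name, one bad value.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("prefix_username", new String[] {"alice"});
        request.put("prefix_locale", new String[] {"en-GB"});
        request.put("prefix_role", new String[] {"admin"});                 // not whitelisted
        request.put("prefix_theme", new String[] {"<script>x</script>"}); // fails the regex

        List<String> rejected = new ArrayList<>();
        Map<String, String> safe = collect(request, rejected);
        // In the servlet, only entries of 'safe' would reach session.setAttribute(key, value).
        safe.forEach((k, v) -> System.out.println("session." + k + " = " + v));
        rejected.forEach(r -> System.out.println("rejected " + r));
    }
}
```

The design point is that validating a string and then storing it under a key that is itself taken from the request still lets untrusted data choose which session attribute is written; mapping request parameters to a closed set of known session keys removes that choice, and the regex on the value is then an independent check rather than the only one.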