网关模式

网关模式

关注
发信
关注(28)粉丝(399)

在微服务架构中使用API​​网关模式时无法修复veracode cwe id 918缺陷(SSRF)

本文介绍了在微服务架构中使用API​​网关模式时无法修复veracode cwe id 918缺陷(SSRF)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在 Micro services 体系结构中使用 API网关模式,在该体系结构中,前端Angular应用发出了 HTTP请求到我的 API网关项目,该项目只是一个 ASP.net Core 3.1 Web API 项目.目前,我只有2个 micro服务和一个 API网关,并且它们的类型均为 ASP.net Core 3.1 Web API 项目. API网关项目具有我的 micro服务的所有控制器. API网关的目的仅仅是为了接收来自前端的请求,并向相应的 Micro服务发出 HTTP请求/code>.

I am using API Gateway Pattern in a Micro services architecture in which the Front End Angular app makes an HTTP request to my API Gateway project which is simply a ASP.net Core 3.1 Web API project. Currently I only have 2 micro services and an API Gateway and all of them are of type ASP.net Core 3.1 Web API project. The API Gateway project has all the controllers of my micro services. The purpose of the API Gateway is just to receive the request from Front end and make an HTTP Request to the appropriate Micro service.

现在在我的 API网关项目的 AccountController.cs 中,我有以下代码

Now in the AccountController.cs of my API Gateway project, I have the following code

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    _uri = new Uri(uriString: $"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
    using var result = await _client.GetAsync(_uri);
    var content = await result.Content.ReadAsStringAsync();
    return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
}

在stackoverflow上搜索 SSRF 问题后,我在 Veracode社区.

After searching about the SSRF issue on stackoverflow I found the following recommendation at Veracode community.

Stackoverflow 上,我找到了以下解决方法

On Stackoverflow I found the following fix

这意味着我必须先清理输入参数 OrganizationId AccountId ,然后再将它们附加到请求URL.

That means I had to sanitize my input parameters OrganizationId and AccountId before appending them to the request URL.

veracode社区建议

他们提出了查询字符串的解决方案

and they proposed a solution for the query string

在完成所有这些工作之后,我对代码进行了以下更改

After all those stuff, I have made the following changes to my code

  1. 确保OrganizationId和AccountId Guid不为空
  2. URL对字符串进行了编码

这是更改后的代码

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    if (organizationId != Guid.Empty && accountId != Guid.Empty)
    {
        string url = HttpUtility.UrlEncode($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");
        using var result = await _client.GetAsync(url);
        var content = await result.Content.ReadAsStringAsync();
        return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
    }

    return BadRequest();
}

这就是我可以用来清理输入参数 OrganizationId AccountId 的所有措施,但是在所有这些更改之后, veracode 仍然可以识别出 SSRF缺陷

Thats All I could do to sanitize my input parameters OrganizationId and AccountId but after all those changes veracode still identifies a SSRF flaw on line

推荐答案

我发现了一个可解决此问题的技巧,我只是将查询字符串参数附加到httpClient的基址上,而 veracode 停止提供我错了.

I found a hack to fix this issue, I just appended the query string parameters to the Base Address of httpClient and veracode stopped giving me error.

这里是解决方案的样子

/// <summary>
/// Gets the detail of an account by its id
/// </summary>
/// <param name="organizationId">Id of the Organization of which the account belongs to</param>
/// <param name="accountId">Id of Account of which information is being requested</param>
/// <returns>Account's Details</returns>
[HttpGet("{organizationId}/{accountId}")]
public async Task<IActionResult> GetAccountAsync(Guid organizationId, Guid accountId)
{
    if (organizationId != Guid.Empty && accountId != Guid.Empty)
    {
        var httpClient = new HttpClient();

        //Appended the parameters in base address to
        //to fix veracode flaw issue
        httpClient.BaseAddress = new Uri($"{_configurationService.AccountAPI}GetAccount/{organizationId}/{accountId}");

        //passing empty string in GetStringAsync to make sure
        //veracode doesn't treat it like modifying url
        var content = await httpClient.GetStringAsync("");

        return Ok(content.AsObject<MessageResponse<AccountDetailVM>>());
    }

    return BadRequest();
}

这篇关于在微服务架构中使用API​​网关模式时无法修复veracode cwe id 918缺陷(SSRF)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-29 13:43
Powered by LMLPHP ©2024 网关模式 0.037882