Closed roryodonnell closed 2 years ago
What is the scanner's proposed solution? My guess is this is flagged because no verification is done on this string before it is given to the HTTP library. According to the code, this value is only used in certain configurations where an NTLM proxy is being used.
Thanks for the reply, Eric. See below, the "How to fix" details
Thanks. The SDK is more like the "legitimate user" described above in that it uses this URL to do its work and inherently must trust the value passed to it. It has no other way to know or validate the network topology. If the application developer receives proxy URLs from an untrusted source, the application would need to follow the above guidance before putting that data in the SDK's proxy configuration.
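An added example (not code from this thread or from the IBM COS SDK) of the guidance above: an application that receives a proxy URL from an untrusted source validates it before handing the host and port to the SDK's proxy configuration. It assumes the SDK's `ClientConfiguration` exposes `setProxyHost`/`setProxyPort`/`getProxyHost`/`getProxyPort` as in the AWS SDK for Java v1 it is derived from; the allowlist of proxy hosts, the validation rules and the `PROXY_URL` environment variable are this example's own assumptions, not anything the SDK prescribes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import com.ibm.cloud.objectstorage.ClientConfiguration;

public final class ProxyConfigValidator {

    // Proxies the application is permitted to use (assumed allowlist, lowercase host names).
    private static final Set<String> ALLOWED_PROXY_HOSTS =
            Set.of("proxy.corp.example", "proxy2.corp.example");

    private ProxyConfigValidator() {}

    /**
     * Parses an untrusted proxy URL and returns it only if it is an absolute http(s) URL
     * with an allowlisted host, an explicit port and nothing else (no credentials,
     * path, query or fragment). Throws IllegalArgumentException otherwise.
     */
    public static URI validateProxyUrl(String untrusted) {
        if (untrusted == null || untrusted.length() > 256) {
            throw new IllegalArgumentException("proxy URL missing or too long");
        }
        final URI uri;
        try {
            uri = new URI(untrusted.trim());
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("proxy URL is not a valid URI", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("proxy scheme must be http or https");
        }
        if (uri.getRawUserInfo() != null) {
            // Proxy credentials belong in the SDK's dedicated proxy user/password settings,
            // not embedded in a URL taken from an untrusted source.
            throw new IllegalArgumentException("proxy URL must not embed credentials");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_PROXY_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("proxy host is not on the allowlist");
        }
        int port = uri.getPort();
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("proxy URL must carry an explicit port in 1..65535");
        }
        String path = uri.getRawPath();
        boolean hasPath = path != null && !path.isEmpty() && !path.equals("/");
        if (hasPath || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("proxy URL must not carry a path, query or fragment");
        }
        return uri;
    }

    /** Builds the SDK proxy configuration from a proxy URL that has passed validation. */
    public static ClientConfiguration proxyConfigFrom(String untrustedProxyUrl) {
        URI proxy = validateProxyUrl(untrustedProxyUrl);
        ClientConfiguration cfg = new ClientConfiguration();
        cfg.setProxyHost(proxy.getHost());
        cfg.setProxyPort(proxy.getPort());
        return cfg;
    }

    public static void main(String[] args) {
        // Assumed untrusted input source: an environment variable set outside the application.
        String fromEnv = System.getenv("PROXY_URL");
        String candidate = fromEnv != null ? fromEnv : "http://proxy.corp.example:3128";
        ClientConfiguration cfg = proxyConfigFrom(candidate);
        System.out.println("Using proxy " + cfg.getProxyHost() + ":" + cfg.getProxyPort());
    }
}
```

The point of the allowlist is that the SDK cannot know the network topology, so the application is the only place that can decide which proxy hosts are legitimate; rejecting embedded credentials, paths and fragments keeps the value that reaches the HTTP library limited to a host and port.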
Agreed, yes Eric - thank you
Trying to resolve an AppScan HIGH issue. I'm aware that this would have to be fixed in the upstream AWS repo. But perhaps, someone more familiar with the library could recommend a solution, something like setting a default local proxy or something.
org.apache.http.client.HttpClient.execute(HttpUriRequest;HttpContext):HttpResponse com.ibm.cloud.objectstorage.http.AmazonHttpClient:1297