adobe / aem-core-wcm-components

Standardized components to build websites with AEM.
https://docs.adobe.com/content/help/en/experience-manager-core-components/using/introduction.html
Apache License 2.0
726 stars 735 forks

CWE 99 Improper Control of Resource Identifiers ('Resource Injection') #1949

Open niraj-100 opened 2 years ago

niraj-100 commented 2 years ago

Bug Report

Current Behavior

We are using core component 2.15.0. When the OOTB code was scanned against the Veracode guidelines, which are a mandate in our organisation, we got the below issue:

CWE 99 Improper Control of Resource Identifiers ('Resource Injection')

This issue is reported at 2 places:

/src/main/java/com/adobe/cq/wcm/core/components/internal/servlets/contentfragment/ElementsDataSourceServlet.java, line 104
/src/main/java/com/adobe/cq/wcm/core/components/commons/editor/dialog/inherited/PageImageThumbnail.java, line 89

vladbailescu commented 2 years ago

I think these two are false positives in this case.

For https://github.com/adobe/aem-core-wcm-components/blob/core.wcm.components.reactor-2.15.0/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/servlets/contentfragment/ElementsDataSourceServlet.java#L83-L88, we are checking the request parameter against a constant value.

For https://github.com/adobe/aem-core-wcm-components/blob/core.wcm.components.reactor-2.17.14/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/commons/editor/dialog/inherited/PageImageThumbnail.java#L74-L89 we are trying to read a JCR component/node for the item using the user's session, which should be safe.
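The two reasons given above (a request parameter that only survives if it equals a constant, and a node read through the requesting user's own session so repository ACLs still apply) are the general defence against CWE-99. The Sling servlet below is an added example written for this thread, not code from the core components; the package, servlet, resource type and the `variant` parameter with its two allowed values are hypothetical, and it assumes the Sling API and OSGi DS annotations available in an AEM project on Java 11.

```java
package example.cwe99; // hypothetical package, not part of the core components

import java.io.IOException;
import java.util.Set;

import javax.servlet.Servlet;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Reads a child node chosen by a request parameter, but only after the
 * parameter has been reduced to one of a fixed set of constants.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=example/components/thumbnail", // hypothetical resource type
        "sling.servlet.methods=GET",
        "sling.servlet.extensions=txt"
})
public class AllowlistedChildServlet extends SlingSafeMethodsServlet {

    // The only node names the "variant" parameter may select. A value that is
    // not one of these constants never reaches the repository lookup.
    static final String VARIANT_DEFAULT = "default";
    static final String VARIANT_LARGE = "large";
    private static final Set<String> ALLOWED_VARIANTS = Set.of(VARIANT_DEFAULT, VARIANT_LARGE);

    /**
     * The pattern a scanner reports as CWE-99: the raw parameter value is the
     * resource identifier. Kept here only to show what the hardened method
     * replaces; it is not called.
     */
    static String uncheckedChildName(SlingHttpServletRequest request) {
        return request.getParameter("variant");
    }

    /**
     * Hardened form: the returned value is always one of the constants above,
     * so what flows into the lookup is trusted regardless of the input.
     */
    static String checkedChildName(String raw) {
        if (raw == null || !ALLOWED_VARIANTS.contains(raw)) {
            return VARIANT_DEFAULT;
        }
        return raw;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String childName = checkedChildName(request.getParameter("variant"));

        // request.getResource() and request.getResourceResolver() are bound to
        // the requesting user's session, so the repository enforces that user's
        // read ACLs; the servlet does not escalate to a service user here.
        Resource base = request.getResource();
        Resource child = base.getChild(childName);
        if (child == null) {
            response.sendError(SlingHttpServletResponse.SC_NOT_FOUND);
            return;
        }

        ValueMap props = child.getValueMap();
        String title = props.get("jcr:title", "");

        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(child.getPath() + "\n" + title + "\n");
    }
}
```

`checkedChildName` is the check the maintainer describes: the comparison against constants, not the request parameter, determines the node name, and anything else collapses to the default. The lookup itself goes through the user's own resolver, so even a valid constant only returns a node the user is permitted to read; a `null` from `getChild` covers both a missing node and one hidden by ACLs.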