opentext-idol / java-aci-api-ng

IDOL ACI API NG for Java
MIT License

Header Manipulation vulnerabilities flagged by FoD #7

Open kyra-ohare opened 3 years ago

kyra-ohare commented 3 years ago

Fortify on Demand has flagged this class containing unvalidated data in an HTTP response header.

When Content-Encoding is type "deflate", FoD complains that the data, which enters through getEntity() on line 95, leaves without being validated through setEntity() on line 97. However, the same does not happen when Content-Encoding is type "gzip".

dermot-hardy commented 3 years ago

I've looked at the FoD issue and I believe that it is a false positive.