Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events

CWE-99: Improper Control of Resource Identifiers ('Resource Injection'):

Avatar

Level 2

From My servlet getting ResourceResolver object and passing as a parameter to service class method, Getting veracode issue at my service class method stating at CWE-99 Resource Injection Issue with syntax resourceResolver.getResource(oldDocsPath); Please find the below screen shots from servlet to  service class. Tried with @Scriptvariable , @SlingObject, @reference but veera code scan not clearing the issue. Can anyone please provide solution for the below.

AshokThota_0-1711442099886.pngAshokThota_1-1711442173748.png

 

7 Replies

Avatar

Level 8

Hi @AshokThota 

 

Whether migrateDocuments method of ContentMigrationService class is called properly from your servlet ?
I hope you have used @Reference annotation in your servlet class.

In the method: migrateDocuments have you checked resourceResolver object is null or not?

Avatar

Level 2

Whether migrateDocuments method of ContentMigrationService class is called properly from your servlet ?

---> Yes this is calling properly not having any issues with this.
I hope you have used @reference annotation in your servlet class.

---> Yes

In the method: migrateDocuments have you checked resourceResolver object is null or not?

--> Not checking in migrateDocuments method whether its null nor not, Now I'm validating with Null check will keep you post this

Thanks for your reply  

Avatar

Level 2

In the method: migrateDocuments have you checked resourceResolver object is null or not?

--> validated with null check also but same issue

Avatar

Level 8

Hi @AshokThota 

 

For testing purpose, can you try in sling servlet as well in service class.

resource=resourceResolver.getResource(resourcePath+"/jcr:content");
					if(resource !=null) {
						ValueMap properties = resource.getValueMap();
						String pageTitle = properties.get("testval", String.class);
					}	

make sure that resourcePath should be a valid path, which is present in your jcr node.

Avatar

Level 8

Hi @AshokThota 

 

Can you pass me your servlet file? Remove/change client specific name to generic name. Then pass me the file here.

Avatar

Level 8

See my servlet. I am getting the page title in logger statement.

 

package com.abc.core.servlets;

import java.io.IOException;

import javax.servlet.Servlet;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

import org.osgi.service.component.annotations.Component;
import org.apache.sling.api.resource.Resource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;



@Component(service = Servlet.class, property = { "sling.servlet.paths=" + "/bin/dummyURL",
		"sling.servlet.methods=GET" }, immediate = true)
public class DummyServlet extends SlingAllMethodsServlet {  

	private static final long serialVersionUID = 1L;
	private static final Logger LOGGER = LoggerFactory.getLogger(DummyServlet.class);
	

	/**
	 * Method to get parameters to call APi's and give the response
	 *
	 * @Param request
	 * @Param response
	 * @throws ServletException
	 * @throws IOException
	 */
	@Override
	protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
			throws ServletException, IOException {

		try {
			 
			
			ResourceResolver resolver = request.getResourceResolver();
			
			 
			
			Resource resource=resolver.getResource("/content/practice/us/en/jcr:content");
			
			if(resource !=null) {   
				ValueMap properties = resource.getValueMap();
				String pageTitle = properties.get("jcr:title", String.class);
				
				LOGGER.debug("pageTitle="+pageTitle);
			}	
			
		} catch (Exception e) {
			LOGGER.error("IOException occured in SSO Login::", e);
		}
		response.setContentType("text/html");
	}

	 

}

 

check your import statement too.