
CWE-99: Improper Control of Resource Identifiers ('Resource Injection'):


Level 2

From my servlet I am getting the ResourceResolver object and passing it as a parameter to a service class method. Veracode reports a CWE-99 Resource Injection issue at my service class method, on the line resourceResolver.getResource(oldDocsPath); Please find below the screenshots from the servlet to the service class. Tried with @ScriptVariable, @SlingObject, @Reference, but the Veracode scan is not clearing the issue. Can anyone please provide a solution for the below?

[Screenshots attached: AshokThota_0-1711442099886.png, AshokThota_1-1711442173748.png]
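The thread never says where oldDocsPath originates, but CWE-99 is reported when a value the caller controls (typically a request parameter) selects which repository node is read, and the remediation the category describes is to constrain that identifier before it reaches getResource. The following service is an added example, not code from this thread or from the poster's project: it normalizes the supplied path and only resolves it when it lies under one fixed subtree. The package, class name, the ALLOWED_ROOT value, the segment character set and the jcr:title read are assumptions; whether a particular scanner rule treats constrainPath as a sanitizer is also an assumption and should be checked against the flaw's data-flow details.

```java
package com.abc.core.services; // hypothetical package, mirrors the thread's com.abc.core prefix

import java.util.regex.Pattern;

import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.resource.ValueMap;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical service: resolves a caller-supplied path only when it lies
 * under a fixed subtree, so the identifier handed to getResource() is
 * constrained rather than taken verbatim from the request.
 */
@Component(service = ConstrainedMigrationService.class)
public class ConstrainedMigrationService {

    private static final Logger LOGGER = LoggerFactory.getLogger(ConstrainedMigrationService.class);

    // Assumption: legacy documents are only ever read from this subtree.
    private static final String ALLOWED_ROOT = "/content/dam/legacy-docs";

    // Assumption: a conservative character set for one path segment ("jcr:content" still passes).
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_.:-]+");

    /**
     * Returns the normalized path when it is ALLOWED_ROOT or a descendant of it,
     * otherwise null. Pure function, so it can be unit-tested without a repository.
     */
    static String constrainPath(String requested) {
        // Only absolute paths: a relative path would be resolved against the Sling search path.
        if (requested == null || !requested.startsWith("/")) {
            return null;
        }
        // Resolve "." and ".." segments; ResourceUtil.normalize returns null
        // when the path would climb above the repository root.
        String normalized = ResourceUtil.normalize(requested);
        if (normalized == null) {
            return null;
        }
        // Exact root or a true descendant; "/content/dam/legacy-docs-other" must not pass.
        if (!normalized.equals(ALLOWED_ROOT) && !normalized.startsWith(ALLOWED_ROOT + "/")) {
            return null;
        }
        // Every segment below the root must match the allowed character set.
        for (String segment : normalized.substring(ALLOWED_ROOT.length()).split("/")) {
            if (!segment.isEmpty() && !SEGMENT.matcher(segment).matches()) {
                return null;
            }
        }
        return normalized;
    }

    /**
     * Called from the servlet with the request's ResourceResolver and the path
     * taken from a request parameter (the tainted source a scanner follows).
     */
    public String migrateDocuments(ResourceResolver resourceResolver, String oldDocsPath) {
        String safePath = constrainPath(oldDocsPath);
        if (safePath == null) {
            // The raw value is deliberately not logged.
            LOGGER.warn("Rejected oldDocsPath: not an absolute path under {}", ALLOWED_ROOT);
            return null;
        }
        // Only the validated, normalized value reaches the repository lookup.
        Resource resource = resourceResolver.getResource(safePath);
        if (resource == null) {
            LOGGER.debug("No resource at {}", safePath);
            return null;
        }
        ValueMap properties = resource.getValueMap();
        // Assumption: the caller wants the node's jcr:title, as in the servlet posted later in this thread.
        return properties.get("jcr:title", String.class);
    }
}
```

The servlet side passes the request parameter to migrateDocuments unchanged; the constraint lives in the service so that every caller gets it. Because constrainPath is static and needs no repository, a plain JUnit test can pin the rejected cases (relative path, a ".." climb out of the subtree, a sibling prefix such as "/content/dam/legacy-docs-other", and disallowed characters) alongside the accepted ones.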

 

7 Replies


Level 8

Hi @AshokThota

Is the migrateDocuments method of the ContentMigrationService class called properly from your servlet?
I hope you have used the @Reference annotation in your servlet class.

In the migrateDocuments method, have you checked whether the resourceResolver object is null or not?


Level 2

Is the migrateDocuments method of the ContentMigrationService class called properly from your servlet?

---> Yes, this is being called properly; there are no issues with this.
I hope you have used the @Reference annotation in your servlet class.

---> Yes

In the migrateDocuments method, have you checked whether the resourceResolver object is null or not?

---> Not checking in the migrateDocuments method whether it is null or not. I'm now validating with a null check and will keep you posted on this.

Thanks for your reply


Level 2

In the migrateDocuments method, have you checked whether the resourceResolver object is null or not?

---> Validated with a null check also, but same issue.


Level 8

Hi @AshokThota

For testing purposes, can you try this in the Sling servlet as well as in the service class:

// Read the jcr:content node below resourcePath and pick one property from it
Resource resource = resourceResolver.getResource(resourcePath + "/jcr:content");
if (resource != null) {
    ValueMap properties = resource.getValueMap();
    String pageTitle = properties.get("testval", String.class);
}

Make sure that resourcePath is a valid path that is present as a node in your JCR.


Level 8

Hi @AshokThota

Can you pass me your servlet file? Remove/change client-specific names to generic names, then post the file here.


Level 8

See my servlet. I am getting the page title in the logger statement.

package com.abc.core.servlets;

import java.io.IOException;

import javax.servlet.Servlet;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

import org.osgi.service.component.annotations.Component;
import org.apache.sling.api.resource.Resource;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = Servlet.class, property = { "sling.servlet.paths=" + "/bin/dummyURL",
		"sling.servlet.methods=GET" }, immediate = true)
public class DummyServlet extends SlingAllMethodsServlet {

	private static final long serialVersionUID = 1L;
	private static final Logger LOGGER = LoggerFactory.getLogger(DummyServlet.class);

	/**
	 * Resolves a fixed page path and logs its jcr:title.
	 *
	 * @param request
	 * @param response
	 * @throws ServletException
	 * @throws IOException
	 */
	@Override
	protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
			throws ServletException, IOException {

		try {
			ResourceResolver resolver = request.getResourceResolver();

			// Hard-coded path: no caller-controlled value reaches getResource here.
			Resource resource = resolver.getResource("/content/practice/us/en/jcr:content");

			if (resource != null) {
				ValueMap properties = resource.getValueMap();
				String pageTitle = properties.get("jcr:title", String.class);

				LOGGER.debug("pageTitle=" + pageTitle);
			}

		} catch (Exception e) {
			LOGGER.error("Exception occurred in DummyServlet doGet::", e);
		}
		response.setContentType("text/html");
	}

}

Check your import statements too.