I have to solve this so-called Spring ModelView Injection in an old Spring MVC 2.5 application.
Checkmarx says
“The input processed by showForm in MyClass.java in line 112 is used to construct a ModelAndView object at MyClass.java in line 112”.
This vulnerability is present whenever I use a param coming from the request to generate a dynamic ModelAndView in any type of controller.
I have tried to sanitize the value or to get it from the database but it is still considered vulnerable.
Does anyone know how to solve it?
Thanks
Here is what I've tried to do:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.validation.BindException;
import org.springframework.web.servlet.ModelAndView;

protected ModelAndView showForm(HttpServletRequest request, HttpServletResponse response, BindException errors) throws Exception {
    // Sanitise the request parameter with the project's own helper
    String code = ValidationUtility.sanitizeModelViewPath(request.getParameter("code"), String.class);
    String codeDB = myService.findCodeByCode(code); // Gets the param from the db
    // The request-derived value still ends up inside the view name string
    String url = "redirect:/a/b.do?param=paramValue&param2=".concat(codeDB);
    return new ModelAndView(url);
}
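The finding is about the view name itself being built from request data, so sanitising the value does not change the data flow. The version below is an added example (not the asker's code): the view name is a constant, and the request-derived value only travels as a model attribute that Spring's RedirectView appends to the redirect URL as a URL-encoded query parameter. `myService`, `CODE_PATTERN` and the `error/invalidCode` view are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.validation.BindException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

// Hypothetical allowlist for the shape of a valid code; adjust to the real format.
private static final Pattern CODE_PATTERN = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");

protected ModelAndView showForm(HttpServletRequest request, HttpServletResponse response, BindException errors) throws Exception {
    String code = request.getParameter("code");

    // Reject anything outside the expected shape before it is used at all.
    if (code == null || !CODE_PATTERN.matcher(code).matches()) {
        return new ModelAndView("error/invalidCode"); // assumed error view
    }

    // Hypothetical service lookup, as in the question.
    String codeDB = myService.findCodeByCode(code);
    if (codeDB == null) {
        return new ModelAndView("error/invalidCode");
    }

    // Request-derived data goes into the model, never into the view name.
    Map<String, Object> model = new HashMap<String, Object>();
    model.put("param", "paramValue");
    model.put("param2", codeDB);

    // Fixed, context-relative redirect target; RedirectView URL-encodes
    // each model attribute when it appends it as a query parameter.
    RedirectView target = new RedirectView("/a/b.do", true);
    return new ModelAndView(target, model);
}
```

Whether Checkmarx clears the finding depends on its taint rules for `RedirectView` and the model map, but structurally no request-controlled string reaches the view-name argument of `ModelAndView` any more.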
It would help to know the exact name of the vulnerability that is reported.
In the document it’s called “Spring ModelView Injection”