How to fix Trust Boundary Violation flaw in Java Web application


Solution 1

Simply use a regular expression to validate the userName according to the rules your usernames follow:

if (userName.matches("[0-9a-zA-Z_]+")) {   // matches() requires the whole string to match
    session.setAttribute(Constant.USERNAME, userName);
}

Solution 2

VeraCode will require you to file a mitigation with them. They will schedule a consultation with you, and there you can show them the code fix(es) implemented, and they will then mark the mitigation approved.

Yes, I know this is late but others may trip through and it needs to be pointed out.
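The following is an added example, not code from the question or either solution above. It shows the pattern Solution 1 describes end to end: the request parameter is untrusted, the session attribute is trusted, and only a value that has passed whole-string whitelist validation is allowed to cross from one to the other. Everything beyond the answer's regex is an assumption made for illustration: the `login` handler shape, the `userName` parameter name, the 64-character length cap, and a plain `Map` standing in for `HttpSession` so the code runs without the servlet API on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not from the original post). Demonstrates the trust boundary:
 * request parameters are untrusted, session attributes are trusted, so only a
 * validated value may be stored. The "session" is a Map standing in for
 * HttpSession (assumption, so the example runs without the servlet API).
 */
public class UserNameBoundary {

    // Whitelist: the answer's character class plus an assumed length cap of 64,
    // so an oversized parameter cannot be parked in server-side session state.
    private static final Pattern USERNAME = Pattern.compile("[0-9a-zA-Z_]{1,64}");

    /**
     * Returns the validated user name or throws. Callers store the RETURN VALUE,
     * never the raw parameter, so the validated value is the only one that
     * reaches the session.
     */
    public static String validateUserName(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("missing user name");
        }
        // matcher().matches() requires the whole string to match; find() would
        // accept "bob; DROP TABLE users" because a substring matches.
        if (!USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException(
                    "user name contains disallowed characters or is too long");
        }
        return raw;
    }

    /** Assumed handler shape: untrusted parameter map in, trusted session map out. */
    public static boolean login(Map<String, String> requestParams,
                                Map<String, Object> session) {
        String raw = requestParams.get("userName");   // untrusted: supplied by the client
        try {
            String userName = validateUserName(raw);
            session.put("userName", userName);        // trusted: only the validated value crosses
            return true;
        } catch (IllegalArgumentException e) {
            // Reject the request; never fall back to storing the raw value.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration, not captured traffic.
        String[] samples = {
            "alice_01",
            "bob; DROP TABLE users",
            "<script>alert(1)</script>",
            "",
            null
        };
        for (String s : samples) {
            Map<String, String> req = new HashMap<>();
            req.put("userName", s);
            Map<String, Object> session = new HashMap<>();
            boolean ok = login(req, session);
            System.out.printf("%-28s -> %s, session=%s%n",
                    String.valueOf(s), ok ? "accepted" : "rejected", session);
        }
    }
}
```

Only `alice_01` is accepted; the other four are rejected and the session map stays empty. Two points matter for getting a static analyzer to agree with you: the check must be a whole-string match (`matches()`, not `find()`), and the value written to the session must be the output of the validation step rather than the original parameter, so the data flow from the untrusted source to the trusted sink visibly passes through the check.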

Author: user1782009

Updated on January 14, 2021

Comments

  • user1782009
    user1782009 over 3 years

    I am receiving a Trust Boundary Violation from Veracode. My code is

    userName = req.getParameter(Constant.USERNAME);
    session.setAttribute(Constant.USERNAME, userName); // At this line I am getting the Trust Boundary Violation flaw.
    

    How can I validate userName to avoid a trust boundary violation flaw?

  • John Smith
    John Smith over 11 years
    This matches a name only containing alphanumeric letters and underline. You should also write an else block that results in some error for the user.
  • user1782009
    user1782009 over 11 years
    Thanks for the reply. I applied this validation but still I am getting a trust boundary violation on the same line. Is there any other way to put the value in something rather than in the session? Because wherever I am getting this flaw, at those places I am only putting some value in the session. Please help me on this...
  • Vitaly Osipov
    Vitaly Osipov about 11 years
    This signature is among the more meaningless ones. Tell your scanner folks this is nonsense and ask them to prove otherwise ;)
  • John Smith
    John Smith almost 11 years
    Correct, after adding validation, the error from VeraCode is simply wrong.