今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#Spring

找到 22 篇相关文章

AI 资讯

Applying Checkov to Terraform as Code – A TFSEC Alternative

Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, this article focuses on GitHub CodeQL – a semantic code analysis engine that treats code as a database. We will apply it to a vulnerable Java Spring Boot application to detect SQL Injection and Path Traversal. 🤔 Why CodeQL? Unlike pattern-based scanners, CodeQL builds a relational database of your code, including abstract syntax trees, control flow graphs, and data flow graphs. This allows it to track tainted data across functions, classes, and files, drastically reducing false positives. 🚨 Target Application (Vulnerable Java App) Let's look at a simple REST API with two vulnerable endpoints. File: UserController.java package com.demo.controller ; import com.demo.model.User ; import org.springframework.beans.factory.annotation.Autowired ; import org.springframework.jdbc.core.JdbcTemplate ; import org.springframework.web.bind.annotation.* ; import java.nio.file.Files ; import java.nio.file.Paths ; import java.util.List ; @RestController @RequestMapping ( "/api" ) public class UserController { @Autowired private JdbcTemplate jdbcTemplate ; // Vulnerability 1: SQL Injection @GetMapping ( "/users" ) public List < User > getUsers ( @RequestParam ( "id" ) String userId ) { String sql = "SELECT * FROM users WHERE id = " + userId ; // Dangerous concatenation return jdbcTemplate . query ( sql , ( rs , rowNum ) -> new User ( rs . getString ( "id" ), rs . getString ( "name" ))); } // Vulnerability 2: Path Traversal @GetMapping ( "/file" ) public String readFile ( @RequestParam ( "filename" ) String filename ) throws Exception { return new String ( Files . readAllBytes ( Paths . get ( "/var/data/" + filename ))); } } 🛠️ Installing and Configuring CodeQL CLI You can run CodeQL locally to analyze your code before pushing it to a repository. 1. Download CodeQL from GitHub releases: wget [ https://github.com/github/codeql-cli-binaries/re

2026-06-06 原文 →
AI 资讯

Rest Template - API for developers- Spring Boot

RestTemplate is a synchronous Spring Framework client used to consume RESTful web services by simplifying HTTP communication. Synchronous Communication: It blocks the execution thread until a response is received.HTTP Methods: It provides built-in methods for standard operations like GET, POST, PUT, and DELETE.Automatic Mapping: It can automatically convert JSON or XML responses into Java domain objects using message converters.Status: While widely used, it is in maintenance mode. For new projects, Spring recommends using the modern RestClient or the reactive. Its an automate work. getForObject() Performs a GET request and returns the response body directly as an object. getForEntity() Performs a GET request and returns a ResponseEntity (includes status and headers). postForObject() Sends data via POST and returns the mapped response body. exchange() A general-purpose method for all HTTP verbs, offering full control over headers and request entities. getForObject- Controller Snippet Response is received in Object format. @RestController @RequestMapping("/api") public class ApiController { @Autowired private ApiService apiService; @GetMapping("/getUsers") public String users() { return apiService.getUsers(); } Service snippet: @Service public class ApiService { @Autowired private RestTemplate restTemplate; @Autowired UserApiRepo userApiRepo; public String getUsers() { String url = "https://jsonplaceholder.typicode.com/users"; String response = restTemplate.getForObject(url, String.class); return response; } Response: "id": 1, "name": "Leanne Graham", "username": "Bret", "email": "Sincere@april.biz", "address": { "street": "Kulas Light", "suite": "Apt. 556", "city": "Gwenborough", "zipcode": "92998-3874", "geo": { "lat": "-37.3159", "lng": "81.1496" } }, "phone": "1-770-736-8031 x56442", "website": "hildegard.org", "company": { "name": "Romaguera-Crona", "catchPhrase": "Multi-layered client-server neural-net", "bs": "harness real-time e-markets" } getForEntity() Respo

2026-05-29 原文 →