CVE-2022-X51X3
This challenge covers the review of a CVE in a Java codebase and its patch.
The Code Review Patch challenges are designed to sharpen your ability to spot security vulnerabilities by reviewing code and understanding the patches that fix them. In this lab you are given a single Java class, JsonErrorReportValve.java, from the Apache Tomcat project; it is responsible for generating JSON-formatted error reports. First try to find the vulnerability in the code without looking at the patch. If you get stuck, read the patch to see which changes were made and why they address the issue.
The patch introduces several security improvements. It restricts the error report to appropriate HTTP status codes and no longer generates a report unless the response has been explicitly marked as an error. It also applies JSONFilter.escape() to the user-influenced strings before they are written into the JSON body, so that characters such as a double quote or a backslash cannot break out of a JSON string literal and alter the structure or content of the report (a JSON injection). Understanding these changes shows why output written into a structured format must be escaped for that format, and why the conditions under which error details are exposed matter as much as the escaping itself.
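The following is an added, language-neutral model of the two behaviours described above, written in Python for this page; it is not Tomcat's code and not the contents of JsonErrorReportValve.java. The json_escape() function stands in for JSONFilter.escape() (it implements the escaping RFC 8259 requires inside a string literal), the ">= 400" threshold is an assumption about what "appropriate status codes" means, and the field names in the report body are made up for the example. With escape=False the report is built by plain concatenation, which is the pre-patch pattern, and a crafted message can inject a second "type" key that overrides the real one.

```python
import json

# Characters that RFC 8259 requires to be escaped inside a JSON string:
# the quotation mark, the reverse solidus and the control characters
# U+0000..U+001F. Short forms are used where JSON defines them.
_SHORT_ESCAPES = {
    '"': '\\"',
    '\\': '\\\\',
    '\b': '\\b',
    '\f': '\\f',
    '\n': '\\n',
    '\r': '\\r',
    '\t': '\\t',
}


def json_escape(value):
    """Escape a string for embedding in a JSON string literal.

    Stand-in for the escaping step the Tomcat patch added via
    JSONFilter.escape(); this is example code, not Tomcat's implementation.
    """
    out = []
    for ch in value:
        if ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_error_report(status, error_flag, message, description, escape=True):
    """Model of a JSON error-report valve (hypothetical field names).

    Returns the report body, or None when no report should be written:
    only error status codes (assumed here to be >= 400) qualify, and only
    when the response has been explicitly marked as an error.
    escape=False reproduces the pre-patch behaviour of concatenating the
    user-influenced strings straight into the JSON template.
    """
    if status < 400 or not error_flag:
        return None
    if escape:
        message = json_escape(message)
        description = json_escape(description)
    return ('{"type":"status report","status":%d,"message":"%s","description":"%s"}'
            % (status, message, description))


def parse_report(body):
    """Parse a rendered report the way a JSON client would."""
    return json.loads(body)


if __name__ == "__main__":
    # Constructed attacker-controlled message: closes the "message" string
    # and smuggles in a duplicate "type" key.
    payload = 'Not found","type":"admin'
    print(render_error_report(404, True, payload, "constructed", escape=False))
    print(render_error_report(404, True, payload, "constructed"))
```

Parsing the unescaped report shows the injected key winning (most JSON parsers keep the last duplicate key), while the escaped report carries the payload back as an inert string value; the status-code and error-flag checks stop a report from being emitted at all for a non-error response.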