How to fix privacy violation issue in Java.

Source is:
public void setPassword(String password) {
    this.password = password;
}


and it is being used in one method:

finalJsonObj.put("userId", user.getUserId());
finalJsonObj.put("userList", userList);
return finalJsonObj.toString();

Although the password is in encryption format, I am not sure how to handle and fix this issue.

What I have tried:

I tried using char[] instead of String for the password,
but was not able to solve the issue.
Posted
Updated 26-Sep-16 3:56am
Comments
[no name] 26-Sep-16 8:29am    
Ask the technical support people for whomever produced whatever code scanner you are using. They are there to help people use their products.
Richard Deeming 26-Sep-16 9:43am    
What do you mean by "in encryption format"?

If you're storing passwords using a reversible encryption, then you're doing it wrong. You should only ever store a salted hash of the user's password, using a unique salt per record.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
Member 12759596 27-Sep-16 1:15am    
Thank you all for your valuable comments.
We are using DES for password encryption, and the tool which is throwing the error is: Fortify.
Thanks Richard for the links.

1 solution

Having the password variable declared as a string does not necessarily mean it is in readable text. That means it might have a string declaration, but the value being input can be a hash, an encrypted string or anything. The best thing to do is check with your code/code of service provider on how this variable is being input.
If you are a coder, encrypt/password using irreversible algorithms to ensure that even if someone gets that password representation, he/she cannot easily decrypt it.
 
 
Comments
Richard Deeming 26-Sep-16 10:26am    
Please don't use the term "encrypt" when referring to a one-way hash. It's hard enough to convince people to store passwords properly in the first place, without confusing the terminology. :)

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


