Issue
I am retrieving the query string from the HttpServletRequest (in Java).
String QueryParameters = httpServletRequest.getQueryString();
Veracode considers this a flaw.
I tried to validate this query string with the recommended OWASP ESAPI Validator methods, but none of them works and the scan still identifies it as a flaw.
Example:
String QueryParameters = ESAPI.validator().getValidInput("Page", httpServletRequest.getQueryString(), "QueryStringRegEx", 2048, false); // ESAPI's getValidInput takes a maxLength argument (2048 is an assumed limit); with allowNull=false a request without a query string fails validation, and a mismatch throws ValidationException
QueryStringRegEx is the regular expression against which the query string is validated.
Solution
I don't know this for a 100% fact, but I think that Veracode (as well as other SAST engines) only remove an XSS taint flag for the ESAPI Encoders but not for the ESAPI Validators. Given the limited scope and context here, I cannot tell whether or not it is safe. (It largely depends on your regex and whether this can be combined with other tainted user input that is being checked elsewhere.)
If you feel it is correct, discuss it with your security team and/or challenge it as a false positive.
Answered By - Kevin W. Wall
Answer Checked By - Clifford M. (JavaFixing Volunteer)
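The answer draws the distinction between ESAPI validation (an allow-list check on the input) and ESAPI encoding (escaping the value for the context it is written into). The servlet below is an added example, not code from the question or the answer: it keeps the validator call from the question but then encodes the value with the ESAPI Encoder at each output point, which is the kind of call the answer expects the scanner to treat as clearing the XSS taint. It assumes an ESAPI.properties on the classpath that defines Validator.QueryStringRegEx, the javax.servlet API, and illustrative values for the context name ("QueryEcho") and the length limit (2048).

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example (not from the original question or answer). Assumes ESAPI.properties defines
// Validator.QueryStringRegEx; the context name and MAX_QUERY_LENGTH are illustrative choices.
public class QueryEchoServlet extends HttpServlet {

    private static final int MAX_QUERY_LENGTH = 2048; // assumed limit, not from the page

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Tainted: everything after '?' is attacker-controlled.
        String rawQuery = req.getQueryString();

        // Step 1: allow-list validation. getValidInput returns the input only if it matches the
        // regex and length limit, otherwise it throws. allowNull=true so a request with no
        // query string is not rejected outright. The returned String is still the same
        // untrusted value, which is why a taint-tracking scanner keeps flagging it.
        String query;
        try {
            query = ESAPI.validator().getValidInput(
                    "QueryEcho", rawQuery, "QueryStringRegEx", MAX_QUERY_LENGTH, true);
        } catch (ValidationException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (query == null) {
            query = "";
        }

        // VULNERABLE form (the pattern the scanner reports): raw reflection into the HTML body.
        // out.println("<p>You searched for: " + query + "</p>");

        // Step 2: output encoding chosen per sink context. Each encoder call escapes the
        // characters that are significant in that context, so the same validated value can be
        // reflected safely in element content, an attribute value and a JavaScript string.
        out.println("<p>You searched for: "
                + ESAPI.encoder().encodeForHTML(query) + "</p>");
        out.println("<input type=\"text\" name=\"q\" value=\""
                + ESAPI.encoder().encodeForHTMLAttribute(query) + "\">");
        out.println("<script>var lastQuery = '"
                + ESAPI.encoder().encodeForJavaScript(query) + "';</script>");
    }
}
```

Validation and encoding are complementary rather than interchangeable: the regex limits what the application accepts, while the encoder makes whatever was accepted inert in the specific output context. If the scan still reports the validator line after encoding is applied at every sink, the remaining finding is the one the answer suggests raising with the security team or disputing as a false positive.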