After running a code scan on my project, I see a CWE-918 vulnerability reported, but in the code the parameters are retrieved from application.properties, so I am unsure how to solve this issue or even whether it is an actual issue.
This is the code:
application.properties file:
```properties
proxy.host=my.proxy.host
proxy.port=1234
```
Then the config class where the scanner detects the vulnerability:
```java
import java.net.InetSocketAddress;
import java.net.Proxy;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MyProxyConfig {
    // Values injected from application.properties
    @Value("${proxy.host}")
    private String myProxyHost;
    @Value("${proxy.port}")
    private int myProxyPort;

    @Bean
    public MyBean myBean() {
        ...
        // Line flagged by the scanner as CWE-918
        Proxy myProxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(myProxyHost, myProxyPort));
        ...
        return myBean;
    }
}
```
The line where the vulnerability is detected is this one:
```java
Proxy myProxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(myProxyHost, myProxyPort));
```
I tried looking for info about CWE-918 and possible fixes; one of the solutions proposed is to place those values in the code as constants, but I don't think that hardcoding the values of properties such as the proxy host and port is a good idea.
You didn't provide too many details about the supposed vulnerability, but from afar, this looks like a false positive.
If these properties are read from a configuration file that the end-user (and thus, also the attacker) can't access, there is no vulnerability here. To state it differently - if an attacker needs to gain access to a local file on your server in order to change these values, the fact that they're able to do so once gaining such access is the least of your concerns.
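An added example, not code from either post: it contrasts the shape of a genuine CWE-918 sink (destination taken from the caller) with the configuration-backed proxy from the question, and adds the kind of startup check that bounds what `proxy.host` and `proxy.port` can be, which also gives the scanner a visible validation step. The `ALLOWED_PROXIES` allowlist and the class name are assumptions for illustration.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.Set;
import java.util.regex.Pattern;

public class ProxyConfigCheck {
    // RFC 1123 hostname syntax: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$");
    // Hypothetical allowlist of proxies the deployment is permitted to use.
    private static final Set<String> ALLOWED_PROXIES = Set.of("my.proxy.host");

    /** Builds the proxy from values read from application.properties, failing fast on bad config. */
    public static Proxy proxyFromConfig(String host, int port) {
        if (host == null || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("proxy.host is not a valid hostname: " + host);
        }
        if (!ALLOWED_PROXIES.contains(host)) {
            throw new IllegalArgumentException("proxy.host is not an approved proxy: " + host);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("proxy.port out of range: " + port);
        }
        // createUnresolved avoids a DNS lookup at startup; resolution happens on first use.
        return new Proxy(Proxy.Type.HTTP, InetSocketAddress.createUnresolved(host, port));
    }

    /**
     * The pattern CWE-918 is actually about: the destination comes from an untrusted
     * caller (e.g. a request parameter) and is used without validation. Shown only to
     * make the contrast with the config-backed case above; do not route traffic this way.
     */
    public static Proxy proxyFromUntrustedInput(String hostParam, String portParam) {
        return new Proxy(Proxy.Type.HTTP,
            new InetSocketAddress(hostParam, Integer.parseInt(portParam)));
    }

    public static void main(String[] args) {
        // Constructed sample values matching the application.properties in the question.
        Proxy ok = proxyFromConfig("my.proxy.host", 1234);
        System.out.println("configured proxy: " + ok.address());
        try {
            proxyFromConfig("169.254.169.254", 80);   // not in the allowlist: rejected at startup
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The difference the scanner cannot see on its own is who controls the value: with `proxyFromConfig` it is whoever can write the server's configuration file, with `proxyFromUntrustedInput` it is any client.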