ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify Rule S5883(Java): Education Framework (APPSEC-62) (#1147)

Browse Source
This commit is contained in:
Pierre-Loup 2022-08-05 17:10:47 +02:00 committed by Christophe Zürn
parent 12290b0e5e
commit 511dd0d576
5 changed files with 117 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/allowed_framework_names.adoc
View File

@ -5,6 +5,7 @@
* Entity Framework Core * Entity Framework Core
* Dapper * Dapper
// Java // Java
* Apache Commons
* JSP * JSP
* Servlet * Servlet
* Spring * Spring

16
rules/S2083/java/how-to-fix-it/java-se.adoc
View File

@ -9,13 +9,13 @@ h| Non-compliant code example
| |
[source,java] [source,java]
---- ----
@RestController @Controller
public class ApiController public class ExampleController
{ {
static private String targetDirectory = "/path/to/target/directory/"; static private String targetDirectory = "/path/to/target/directory/";
@GetMapping(value = "/endpoint") @GetMapping(value = "/delete")
public void endpoint(@RequestParam("filename") filename) throws IOException { public void delete(@RequestParam("filename") String filename) throws IOException {
File file = new File(targetDirectory + filename); File file = new File(targetDirectory + filename);
file.delete(); // Noncompliant file.delete(); // Noncompliant
@ -26,13 +26,13 @@ h| Compliant solution
| |
[source,java] [source,java]
---- ----
@RestController @Controller
public class ApiController public class ExampleController
{ {
static private String targetDirectory = "/path/to/target/directory/"; static private String targetDirectory = "/path/to/target/directory/";
@GetMapping(value = "/endpoint") @GetMapping(value = "/delete")
public void endpoint(@RequestParam("filename") filename) throws IOException { public void delete(@RequestParam("filename") String filename) throws IOException {
File file = new File(targetDirectory + filename); File file = new File(targetDirectory + filename);
String canonicalDestinationPath = file.getCanonicalPath(); String canonicalDestinationPath = file.getCanonicalPath();

14
rules/S5883/common/fix/code-rationale.adoc Normal file
View File

@ -0,0 +1,14 @@
The following code uses the `find` command and expects the user to enter the
name of a file to find on the system.
It is vulnerable to arguments injection because untrusted data is inserted
directly into the arguments of a process call without sanitization. +
The application assumes that incoming data always consists of a specific range
of characters and ignores that some characters might force the `find` command
to start a shell.
In this particular case, an attacker may remove files in `/some/folder` with the following string:
----
'*' -exec rm -rf {} \;
----

46
rules/S5883/java/how-to-fix-it/apache-commons.adoc Normal file
View File

@ -0,0 +1,46 @@
=== How to fix it in Apache Commons
include::../../common/fix/code-rationale.adoc[]
[cols="a"]
|===
h| Non-compliant code example
|
[source,java]
----
@Controller
public class ExampleController
{
@GetMapping(value = "/find")
public void find(@RequestParam("filename") String filename) throws IOException {
CommandLine cmd = new CommandLine("/usr/bin/find . -iname " + filename); // Noncompliant
}
}
----
h| Compliant solution
|
[source,java]
----
@Controller
public class ExampleController
{
@GetMapping(value = "/find")
public void find(@RequestParam("filename") String filename) throws IOException {
CommandLine cmd = new CommandLine("/usr/bin/find");
cmd.addArguments(new String[] {"/usr/bin/find", ".", "-iname", filename});
}
}
----
|===
=== How does this work?
include::../../common/fix/introduction.adoc[]
:sanitizationLib: org.apache.commons.exec.CommandLine.addArguments(String[] addArguments)
include::../../common/fix/sanitize-meta-characters.adoc[]
Here `org.apache.commons.exec.CommandLine.addArguments(String[] addArguments)` takes care of escaping the passed arguments and internally
creates a single string given to the operating system to be executed.

48
rules/S5883/java/how-to-fix-it/java-se.adoc Normal file
View File

@ -0,0 +1,48 @@
=== How to fix it in Java SE
include::../../common/fix/code-rationale.adoc[]
[cols="a"]
|===
h| Non-compliant code example
|
[source,java]
----
@Controller
public class ExampleController
{
@GetMapping(value = "/find")
public void find(@RequestParam("filename") String filename) throws IOException {
Runtime.getRuntime().exec("/usr/bin/find . -iname " + filename); // Noncompliant
}
}
----
h| Compliant solution
|
[source,java]
----
@Controller
public class ExampleController
{
@GetMapping(value = "/find")
public void find(@RequestParam("filename") String filename) throws IOException {
String cmd1[] = new String[] {"/usr/bin/find", ".", "-iname", filename};
Process proc = Runtime.getRuntime().exec(cmd1); // Compliant
}
}
----
|===
++java.lang.Runtime++ is sometimes used over ++java.lang.ProcessBuilder++ due to ease of use. Flexibility in methods often introduces security issues as edge cases are easily missed. The compliant solution logic is also applied to ++java.lang.ProcessBuilder++.
=== How does this work?
include::../../common/fix/introduction.adoc[]
:sanitizationLib: java.lang.Runtime.exec(String[] cmdarray)
include::../../common/fix/sanitize-meta-characters.adoc[]
Here `java.lang.Runtime.exec(String[] cmdarray)` takes care of escaping the passed arguments and internally
creates a single string given to the operating system to be executed.