HP Fortify Validation Rules on Path Manipulation


Question

I am running code through HP Fortify and have some path manipulation findings. I understand the context of it and am trying to resolve it.

Instead of going through all the places where SOME path values are queried from a database to store output files (logs, export data, whatever), I tried to centralize it. So, instead of having File.WriteAllText() with some path + file name, content, I wanted to wrap it into

FortifyFileWriteAllText(). Then, in this function I do the path validation check once up front, and only if it is valid do I allow the write to continue, such as...

public static bool FortifyFileWriteAllText( string fileToWrite, string content)
{
   // Single validation point: every caller goes through this check before any write.
   if( ! MyPathValidationRoutine( fileToWrite ))
      return false;

   // Only reached when the path passed validation.
   File.WriteAllText( fileToWrite, content );
   return true;
}

So, I know this is a very abbreviated version of the actual validation and prevention of bad writes, but I call Path.GetFullPath() to prevent any such ..\..\.. path references. Then I look at the final path and explicitly PREVENT things like the root C:, C:\Windows and some others, but I also have a "CLEAN" list of paths.

So, how would I go about applying a rule that says anything going to this routine is OK and has explicitly been checked?
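A fuller version of the validation routine the question describes, added here as an example; it is not code from the original question or answer. `MyPathValidationRoutine` and `FortifyFileWriteAllText` are the names used in the question; `SafeFileWriter`, `AllowedRoots` and the sample paths are assumptions for this example. It assumes .NET on Windows, as the question's C:\ paths imply, and uses only the "CLEAN" allow-list: once writes are confined to allow-listed directories, a separate block-list of C:\ and C:\Windows is redundant. The check that most often goes wrong is shown explicitly: the allowed root must end with a separator before the prefix comparison, otherwise `C:\App\Logs` also accepts `C:\App\Logs2\...`.

```csharp
using System;
using System.IO;

public static class SafeFileWriter
{
    // Allow-list ("CLEAN" list) of directories the application may write under.
    // Assumed values for this example; the question loads such paths from a database.
    private static readonly string[] AllowedRoots =
    {
        @"C:\App\Logs",
        @"C:\App\Exports",
    };

    // Returns the canonical full path when fileToWrite resolves to a file inside an
    // allowed root, otherwise null. Callers must write to the returned path, never to
    // the original string, so the path that was checked is the path that is used.
    public static string MyPathValidationRoutine(string fileToWrite)
    {
        if (string.IsNullOrWhiteSpace(fileToWrite))
            return null;

        // Control characters (including NUL) never belong in a file name.
        foreach (char c in fileToWrite)
            if (char.IsControl(c))
                return null;

        // Reject alternate data stream syntax (C:\dir\file.txt:stream). The drive colon
        // at index 1 is the only colon a Windows path may contain.
        int firstColon = fileToWrite.IndexOf(':');
        if (firstColon != -1 && (firstColon != 1 || fileToWrite.IndexOf(':', 2) != -1))
            return null;

        string fullPath;
        try
        {
            // Collapses "." and ".." segments and resolves relative input against the
            // current directory, so every later check runs on the path the file system
            // will actually open.
            fullPath = Path.GetFullPath(fileToWrite);
        }
        catch (Exception ex) when (ex is ArgumentException
                                || ex is NotSupportedException
                                || ex is PathTooLongException)
        {
            return null;
        }

        // A path that names a directory (trailing separator or bare root) is not a file write.
        if (string.IsNullOrEmpty(Path.GetFileName(fullPath)))
            return null;

        foreach (string root in AllowedRoots)
        {
            // Canonicalise the root the same way and force a trailing separator before
            // the prefix test: without it "C:\App\Logs" would accept "C:\App\Logs2\x.txt".
            string rootWithSep = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                                 + Path.DirectorySeparatorChar;

            // Windows paths are case-insensitive; compare ordinally, not culture-aware.
            if (fullPath.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase))
                return fullPath;
        }

        return null;
    }

    // The wrapper from the question, now writing the validated canonical path instead of
    // the caller-supplied string, so validation and use cannot drift apart.
    public static bool FortifyFileWriteAllText(string fileToWrite, string content)
    {
        string safePath = MyPathValidationRoutine(fileToWrite);
        if (safePath == null)
            return false;

        File.WriteAllText(safePath, content);
        return true;
    }

    // Sample inputs constructed for this example, with the decision each one gets.
    public static void Main()
    {
        string[] samples =
        {
            @"C:\App\Logs\today.log",               // accepted
            @"C:\App\Logs\..\..\Windows\evil.dll",  // rejected: canonicalises outside the root
            @"C:\App\Logs2\escape.txt",             // rejected: prefix-without-separator bypass
            @"C:\App\Logs\note.txt:hidden",         // rejected: alternate data stream
            @"C:\App\Logs\",                        // rejected: directory, no file name
            @"c:\app\exports\report.csv",           // accepted: case-insensitive match
        };
        foreach (string s in samples)
            Console.WriteLine($"{s,-42} -> {(MyPathValidationRoutine(s) != null ? "accepted" : "rejected")}");
    }
}
```

Returning the canonical path rather than a bool is deliberate: it removes the window in which the caller validates one string and writes another, and it gives a static analyzer a single return value to treat as cleansed, rather than asking it to infer that an argument became safe because a bool came back true.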

Answer

If you do it right, the Fortify data flow analyzer will track along your data path, see some expected functions (i.e. getCanonicalPath(), pattern.matcher(), etc.) and trigger a sink rule that generates TAINTFLAG=VALIDATED_PATH_MANIPULATION. Then, when the data flow analyzer sees this particular TAINTFLAG, it will mute the issue report. This process happens by design. If you implemented the function FortifyFileWriteAllText() and Fortify still complains, it may be because Fortify does not like the method you are using.

If you believe that the function FortifyFileWriteAllText() does prevent the PM, here is the custom sink rule to create the VALIDATED_PATH_MANIPULATION taint flag for you. Put it in the ~FORTIFY_HOME/Core/config/rules directory to use it.

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>YOUR RULE PACK NAME HERE</RulePackID>
    <SKU>SKU-ANY THING HERE</SKU>
    <Name><![CDATA[ANY THING HERE]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[]]></Description>
    <Rules version="6.31">
        <RuleDefinitions>
            <!-- language="java" as posted; a .NET project like the one in the question
                 would use language="dotnet" -->
            <DataflowSinkRule formatVersion="6.31" language="java">
                <MetaInfo>
                    <Group name="MyCompany">Path Manipulation Remediation</Group>
                    <Group name="Accuracy">4</Group>
                    <Group name="Impact">3</Group>
                    <Group name="RemediationEffort">3</Group>
                    <Group name="Probability">4</Group>
                    <Group name="audience">targeted,medium,broad,dev,fod</Group>
                </MetaInfo>
                <RuleID>put-your-rule-id here-with-prefix-for-future-statistics</RuleID>
                <VulnKingdom>Input Validation and Representation</VulnKingdom>
                <VulnCategory>Path Manipulation</VulnCategory>
                <DefaultSeverity>3.0</DefaultSeverity>
                <Description ref="desc.dataflow.java.path_manipulation">
                    <Explanation append="true"><![CDATA[This issue is being reported by "your rule name here".]]></Explanation>
                </Description>
                <Sink>
                    <!-- FortifyFileWriteAllText is static and takes the path as its first
                         parameter, so the tainted argument is index 0, not "this" -->
                    <InArguments>0</InArguments>
                    <Conditional>
                        <!-- report only when the path reaching the sink has NOT been
                             marked as validated -->
                        <Not>
                            <TaintFlagSet taintFlag="VALIDATED_PATH_MANIPULATION"/>
                        </Not>
                    </Conditional>
                </Sink>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Pattern>com.yourpackage</Pattern>
                    </NamespaceName>
                    <ClassName>
                        <Pattern>yourclass</Pattern>
                    </ClassName>
                    <FunctionName>
                        <Pattern>FortifyFileWriteAllText</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
            </DataflowSinkRule>
        </RuleDefinitions>
    </Rules>
</RulePack>

