...
As a suggestion, we recommend using a name such as “[technology].custom.library”.
Please refer to the technology-specific DTD for the available “library” attributes.
Custom Neutralization routines
As said above, a Neutralization Routine is a piece of code that assures that any tainted data received as input produces untainted data as output.
...
Once the routine is “declared”, it must be “marked” as a neutralization routine as follows. See the reference section for more details on how to declare a routine.
Examples
Let’s see some explained examples of custom neutralizations:
Example 1
In this example the method validate is a custom neutralization for the path from a source to a path traversal sink. The input of validate is the tainted value; its output (the return value, referred to by argpos -1) is untainted after the validation is executed. The source code that follows shows how the neutralization is used.
```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="custom.libraries">
  <class name="com.mycompany.MyClass" kind="class" supertypes="com.mycompany.IMyClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal"/>
    </method>
  </class>
</library>
```
```java
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import com.mycompany.MyClass;

public class MyUtils {
    // SAFE_DIR (a java.io.File base directory) is defined elsewhere in the application
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws IOException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        inputFile = MyClass.validate(inputFile + ".tmp"); // inputFile untainted after validation
        return new FileInputStream(SAFE_DIR.getAbsoluteFile() + inputFile);
    }
}
```
Example 2
In the next example the neutralization affects only filesystem resources:
```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="custom.libraries">
  <class name="com.mycompany.CustomFile" kind="class" supertypes="java.io.File">
    <method name="sanitize" signature="sanitize()">
      <neutralization argpos="-2" kind="string" resource="filesystem"/>
    </method>
  </class>
</library>
```
```java
import java.io.FileInputStream;
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import com.mycompany.CustomFile;

public class MyUtils {
    // SAFE_DIR (a java.io.File base directory) is defined elsewhere in the application
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws IOException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        CustomFile file = new CustomFile(inputFile);
        file.sanitize(); // file untainted after sanitization
        return new FileInputStream(SAFE_DIR.getAbsoluteFile() + file);
    }
}
```
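As an added example (not part of this page or the tool's own code), a small Python checker that parses a CNF like the two above and flags any argpos that does not match the method's signature. It assumes, as the two examples suggest, that argpos -1 denotes the return value and -2 the object the method is called on; the sample CNF is constructed here and includes one deliberately wrong entry.

```python
import xml.etree.ElementTree as ET

# Constructed sample CNF modelled on the two examples above, plus one deliberately
# wrong entry (argpos 5 on a two-parameter method). Not a real project file.
SAMPLE_CNF = """<library name="custom.libraries">
  <class name="com.mycompany.MyClass" kind="class" supertypes="com.mycompany.IMyClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal"/>
    </method>
  </class>
  <class name="com.mycompany.CustomFile" kind="class" supertypes="java.io.File">
    <method name="sanitize" signature="sanitize()">
      <neutralization argpos="-2" kind="string" resource="filesystem"/>
    </method>
    <method name="broken" signature="broken(java.lang.String,int)">
      <neutralization argpos="5" kind="string"/>
    </method>
  </class>
</library>"""

RETURN_POS, THIS_POS = -1, -2  # assumed meanings: -1 = return value, -2 = the receiver object

def param_count(signature):
    """Number of parameters in a signature such as 'validate(java.lang.String,int)'."""
    inner = signature[signature.index("(") + 1:signature.rindex(")")].strip()
    return len(inner.split(",")) if inner else 0

def check_neutralizations(xml_text):
    """Return (entries, problems): every <neutralization> as a tuple
    (class, method, argpos, kind, resource), and argpos values that point at nothing."""
    entries, problems = [], []
    for cls in ET.fromstring(xml_text).iter("class"):
        for method in cls.iter("method"):
            sig = method.get("signature") or method.get("name") + "()"
            nparams = param_count(sig)
            has_return = method.find("return") is not None
            for n in method.iter("neutralization"):
                pos = int(n.get("argpos"))
                entries.append((cls.get("name"), method.get("name"), pos, n.get("kind"), n.get("resource")))
                if pos == RETURN_POS and not has_return:
                    problems.append(f"{sig}: argpos -1 but no <return> declared")
                elif pos >= 0 and pos >= nparams:
                    problems.append(f"{sig}: argpos {pos} but only {nparams} parameter(s)")
                elif pos < THIS_POS:
                    problems.append(f"{sig}: unknown argpos {pos}")
    return entries, problems
```

Running check_neutralizations(SAMPLE_CNF) returns the three declared neutralizations and a single problem for the broken method.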
Reference
Structure of Custom Neutralization File (CNF)
...