...
Here are some worked examples of custom neutralizations:
Example 1 (Java)
In this example the method validate is a custom neutralization on a path from a source to a path traversal sink. The method's input is neutralized, and its return value, referred to as argpos -1, is untainted once the validation has run. The following code shows how the neutralization is used.
...
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.servlet.http.HttpServletRequest;
import com.mycompany.MyClass;

public class MyUtils {
    private static final File SAFE_DIR = new File("/var/app/uploads"); // location is illustrative

    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws FileNotFoundException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        inputFile = MyClass.validate(inputFile + ".tmp"); // inputFile untainted after validation
        return new FileInputStream(SAFE_DIR.getAbsoluteFile() + inputFile);
    }
}
```
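Declaring validate as a custom neutralization only tells the analyzer to trust its return value, so the method itself has to reject every traversal form. As an added illustration that is not part of the original page, here is one way MyClass.validate could be written so that the untainted return value is justified (the class and method names follow the page; the /var/app/uploads location and the single-path-element rule are assumptions):

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical implementation of the custom neutralization declared above.
public final class MyClass {
    // Assumed base directory; the analyzer does not check this, the code must.
    private static final Path SAFE_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /**
     * Returns a file name guaranteed to resolve directly inside SAFE_DIR, or throws.
     * Checks run on the normalized absolute path, so "..", absolute paths and
     * separator tricks are all caught after resolution rather than by string matching.
     */
    public static String validate(String input) {
        if (input == null || input.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Resolve against SAFE_DIR and collapse "." and ".." segments.
        Path resolved = SAFE_DIR.resolve(input).normalize();
        // Must stay below SAFE_DIR and be a single path element (parent == SAFE_DIR).
        if (!resolved.startsWith(SAFE_DIR)
                || resolved.getParent() == null
                || !resolved.getParent().equals(SAFE_DIR)) {
            throw new IllegalArgumentException("path escapes safe directory: " + input);
        }
        return resolved.getFileName().toString();
    }

    // Constructed sample inputs: one legitimate name, then names that must be rejected.
    public static void main(String[] args) {
        System.out.println("accepted: " + validate("report.tmp"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "sub/../../x.tmp"}) {
            try {
                validate(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

The caller in the page concatenates SAFE_DIR and the returned name, so the method returns only the bare file name rather than the resolved path.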
Example 2 (Java)
In the next example the neutralization applies only to filesystem resources:
...
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.servlet.http.HttpServletRequest;
import com.mycompany.CustomFile;

public class MyUtils {
    private static final File SAFE_DIR = new File("/var/app/uploads"); // location is illustrative

    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws FileNotFoundException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        CustomFile file = new CustomFile(inputFile);
        file.sanitize(); // file untainted after sanitization
        return new FileInputStream(SAFE_DIR.getAbsoluteFile() + file);
    }
}
```
...