...

Any custom neutralization routine must be defined in a custom neutralizations file (XML format).

The name of the file is irrelevant, but its location matters.


Locations and precedence

Neutralization routines can be configured at different scopes:

...

Code Block
languagexml
<library name="java.custom.libraries"/>

As a suggestion, we recommend using a name of the form “[technology].custom.library”.

...

As said above, a neutralization routine is a piece of code that ensures that any tainted data received as input produces untainted data as output.

That piece of code is typically a function or a class method (depending on whether your technology is object-oriented or not).

...

In this example the method validate is a custom neutralization on the path from a source to a path-traversal sink. The input of validate is neutralized, and its return value (referred to by argpos -1 in the neutralization definition in the XML library) is untainted once the validation has run. The following source code shows how to use the neutralization.

Code Block
languagejava
package com.mycompany.onepackage;

import com.mycompany.otherpackage.MyUtils;
import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;

public class MyClass {

    // SAFE_DIR is assumed here; the original snippet left it undeclared.
    private static final File SAFE_DIR = new File("/var/app/safe");

    // ...
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws FileNotFoundException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        inputFile = MyUtils.validate(inputFile + ".tmp"); // inputFile untainted after validation
        return new FileInputStream(new File(SAFE_DIR.getAbsoluteFile(), inputFile));
    }

    // ...
}

=======================================

package com.mycompany.otherpackage;

import com.mycompany.IMyUtilsClass;

public class MyUtils implements IMyUtilsClass {

    // ....
    // Declared static because MyClass calls it as MyUtils.validate(...)
    public static String validate(String value) {

        // ...
        // perform string value validation/canonicalization/normalization/sanitization
        // ...
        return value; // once cleaned up
    }
}
Code Block
languagexml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.MyUtils" kind="class" supertypes="com.mycompany.IMyUtilsClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal"/>
    </method>
  </class>
</library>
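The validate stub above leaves the actual neutralization as a comment. The following is an added example, not code from the original page or from the vendor's library, of a validate body that neutralizes path traversal by resolving the input against a base directory and refusing anything that does not stay inside it. The base directory SAFE_DIR, the policy of rejecting bad input with an exception, and the sample inputs in main are assumptions; the IMyUtilsClass interface from the page is omitted so that the class compiles on its own.

```java
package com.mycompany.otherpackage;

import java.nio.file.Path;
import java.nio.file.Paths;

public class MyUtils {

    // Assumed base directory (hypothetical); a real deployment reads it from configuration.
    private static final Path SAFE_DIR = Paths.get("/var/app/safe").toAbsolutePath().normalize();

    /**
     * Neutralization routine for path traversal. Returns a relative file name that is
     * guaranteed to resolve inside SAFE_DIR, or throws IllegalArgumentException.
     * This return value is what the XML entry with argpos="-1" marks as untainted.
     */
    public static String validate(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject NUL bytes: some native APIs truncate the name at the first NUL.
        if (value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        // Resolve against the base directory and fold away "." and ".." segments.
        // An absolute input replaces SAFE_DIR entirely, so it fails the check below.
        Path resolved = SAFE_DIR.resolve(value).normalize();
        // The normalized path must still be strictly below SAFE_DIR.
        if (!resolved.startsWith(SAFE_DIR) || resolved.equals(SAFE_DIR)) {
            throw new IllegalArgumentException("path escapes the allowed directory: " + value);
        }
        // Hand back the part relative to SAFE_DIR so the caller concatenates as in the example.
        return SAFE_DIR.relativize(resolved).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two that should pass, two that must be rejected.
        String[] samples = {
            "report.tmp",
            "sub/dir/report.tmp",
            "../../etc/passwd.tmp",
            "/etc/passwd.tmp"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check runs on the normalized path, not on the real one, so a symbolic link inside SAFE_DIR that points outside it would still pass; where links are possible, resolve the existing parent directory with toRealPath() before comparing. Whatever the body does, the XML declaration with argpos="-1" is what tells the analyzer that the return value is untainted, so the routine must reject or rewrite every input it cannot vouch for.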

 

Example 2 (Java)

In the next example the neutralization only affects filesystem resources:

...