...
- Single-Analysis
  - Neutralizations apply only to a single analysis.
  - In this case, the XML file should be located at:
    [analysis_base_dir]/libraries/[technology]
- Application-specific
  - Neutralizations apply to all analyses of a specific application.
  - In this case, the XML file should be located at:
    [agent_home_dir]/conf/apps/[app_name]/libraries/[technology]
- System-wide
  - Neutralizations apply to all analyses of all applications.
  - In this case, the XML file should be located at:
    [agent_home_dir]/conf/libraries/[technology]
- Exceptions to this rule are:
  - cpp engine reads from …/libraries/c
  - objective engine reads from …/libraries/objetivec and …/libraries/c
...
Warning: Never save custom library files or edit existing files in folder [
As a general recommendation, we suggest naming the XML file [technology]_custom_neutralizations.xml; this clearly distinguishes your custom files from Kiuwan's own files.
...
In this example the method validate is a custom neutralization on the path from a source to a path traversal sink. The input of validate is neutralized, and its return value (referred to by argpos -1 in the neutralization definition in the XML library) is untainted once the validation has executed.
The next source code shows an example of how to use the neutralization:
```java
package com.mycompany.onepackage;

import com.mycompany.otherpackage.MyUtils;
import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class MyClass {
    // Base directory the application is allowed to read from (declaration assumed;
    // the original snippet references SAFE_DIR without defining it)
    private static final File SAFE_DIR = new File("/var/app/safe");
    // ...
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws IOException {
        String inputFile = req.getParameter("file");             // inputFile tainted
        inputFile = new MyUtils().validate(inputFile + ".tmp");  // inputFile untainted after validation
        return new FileInputStream(SAFE_DIR.getAbsoluteFile() + inputFile);
    }
    // ...
}

// ======================================= second file =======================================

package com.mycompany.otherpackage;

import com.mycompany.IMyUtilsClass;

public class MyUtils implements IMyUtilsClass {
    // ....
    public String validate(String value) {
        // ...
        // perform string value validation/canonicalization/normalization/sanitization
        // ...
        return value; // once cleaned up
    }
}
```
```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.MyUtils" kind="class" supertypes="com.mycompany.IMyUtilsClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal" resource="web"/>
    </method>
  </class>
</library>
```
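The validate stub above leaves the actual check as a comment. Once the neutralization is declared, the analyzer treats whatever validate returns as untainted, so the method's real implementation is what decides whether a suppressed finding is a true or a false negative. The following is an added example, not Kiuwan's code or code from the original page: one way to implement validate so that it really confines the file name to the safe directory, while keeping the signature that the XML definition matches. The SAFE_DIR location and the choice to reject (rather than silently rewrite) bad input are assumptions.

```java
package com.mycompany.otherpackage;

import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: a validate() whose behaviour matches the neutralization declared for it.
// SAFE_DIR is an assumed base directory; the caller concatenates the returned relative path to it.
public class MyUtils {
    private static final Path SAFE_DIR = Paths.get("/var/app/safe").toAbsolutePath().normalize();

    /**
     * Returns the validated path relative to SAFE_DIR, or throws if the input would escape it.
     * Resolving against SAFE_DIR and normalizing first turns "..", absolute paths and redundant
     * separators into a concrete target, and the component-wise startsWith() check then decides.
     * Rejecting instead of "cleaning" keeps the contract explicit for reviewers and for the analyzer.
     */
    public String validate(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A NUL byte can truncate the path once it reaches native code; reject it outright.
        if (value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal character in file name");
        }
        Path candidate = SAFE_DIR.resolve(value).normalize();
        // Path.startsWith compares whole path components, so "/var/app/safe2" does not pass.
        if (!candidate.startsWith(SAFE_DIR) || candidate.equals(SAFE_DIR)) {
            throw new IllegalArgumentException("path escapes the safe directory: " + value);
        }
        return SAFE_DIR.relativize(candidate).toString();
    }

    // Self-check: run with "java MyUtils.java" (Java 11+). Accepted inputs print their
    // relative form; inputs that would leave SAFE_DIR print the rejection reason.
    public static void main(String[] args) {
        MyUtils u = new MyUtils();
        String[] inputs = {
            "report.tmp",            // plain file name, accepted
            "sub/../report.tmp",     // normalizes back inside SAFE_DIR, accepted
            "../etc/passwd.tmp",     // climbs out of SAFE_DIR, rejected
            "/etc/passwd.tmp",       // absolute path replaces SAFE_DIR on resolve, rejected
            "./.tmp"                 // fine: resolves to a file directly under SAFE_DIR
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + in + " -> " + u.validate(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the page's caller passes inputFile + ".tmp" and then concatenates the result to SAFE_DIR, validate returns a relative path rather than the absolute one; the important property is that every returned value lies strictly below SAFE_DIR, which is exactly the guarantee the path_traversal neutralization claims for it.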
Do not forget:
Example 2 (Java)
In the next example the neutralization only affects filesystem resources:
...