...

```java
package com.mycompany.onepackage;

import com.mycompany.otherpackage.MyUtils;
import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class MyClass {

    // Base directory the application is allowed to read from (path is a placeholder)
    private static final File SAFE_DIR = new File("/path/to/safe/dir");

    // ...
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws IOException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        inputFile = new MyUtils().validate(inputFile + ".tmp"); // inputFile untainted after validation
        return new FileInputStream(new File(SAFE_DIR.getAbsoluteFile(), inputFile));
    }

    // ...
}
```

=======================================

```java
package com.mycompany.otherpackage;

import com.mycompany.IMyUtilsClass;

public class MyUtils implements IMyUtilsClass {

    // ....
    public String validate(String value) {

        // ...
        // perform string value validation/Canonicalization/Normalization/Sanitization
        // ...
        return value; // once cleaned up
    }
}
```
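The body of validate() is elided above. The following is an added example, not code from the page or from the analysis tool it documents, of one way a path-traversal neutralization method can be written: it rejects separators, NUL bytes and empty names, canonicalizes the value against a base directory and only accepts it if the result is a direct child of that directory. The base path, the omitted IMyUtilsClass interface and the sample inputs in main() are assumptions constructed for this example.

```java
package com.mycompany.otherpackage;

import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical implementation of the validate() method referenced by the library XML.
// The interface from the page (IMyUtilsClass) is omitted here so the class compiles on its own.
public class MyUtils {

    // Assumed base directory; the page calls it SAFE_DIR but gives no value.
    private static final Path SAFE_DIR = Paths.get("/var/app/safe").toAbsolutePath().normalize();

    /**
     * Returns a cleaned-up file name that is safe to resolve under SAFE_DIR,
     * or throws IllegalArgumentException when the value cannot be neutralized.
     */
    public String validate(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A file name must be a single path component: no separators and no NUL bytes.
        if (value.indexOf('/') >= 0 || value.indexOf('\\') >= 0 || value.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal character in file name");
        }
        // Canonicalize against the base directory; "." and ".." collapse here.
        Path resolved = SAFE_DIR.resolve(value).normalize();
        // Accept only a direct child of SAFE_DIR (rejects ".", ".." and anything that escapes).
        if (resolved.getParent() == null || !resolved.getParent().equals(SAFE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved.getFileName().toString();
    }

    public static void main(String[] args) {
        MyUtils utils = new MyUtils();
        // Constructed sample inputs: the first is accepted, the remaining ones are rejected.
        String[] samples = { "report.tmp", "../etc/passwd.tmp", "sub/dir.tmp", "..", "a\u0000b.tmp" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + utils.validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The caller then builds the path from SAFE_DIR and the returned name rather than from the raw request parameter, which is what the neutralization declaration in the library XML tells the analyzer to trust.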

 

And this is how you should declare the neutralization method in the library XML file:

```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.MyUtils" kind="class" supertypes="com.mycompany.IMyUtilsClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal" resource="web" />
    </method>
  </class>
</library>
```
Note

Do not forget:

  • types have to be fully qualified
  • specify the return type if the method has one
  • no need to declare parameter names in the method signature, just the fully qualified types


Neutralization argpos, kind and resource arguments will be discussed later...

Example 2 (Java)

In the next example the neutralization only affects filesystem resources:

...