...
```java
package com.mycompany.onepackage;

import com.mycompany.otherpackage.MyUtils;
import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;

public class MyClass {
    // Base directory the application is allowed to read from (placeholder path)
    private static final File SAFE_DIR = new File("/var/app/safe");
    private final MyUtils utils = new MyUtils();

    // ...
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req)
            throws FileNotFoundException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        inputFile = utils.validate(inputFile + ".tmp"); // inputFile untainted after validation
        return new FileInputStream(new File(SAFE_DIR.getAbsoluteFile(), inputFile));
    }
    // ...
}
```

```java
package com.mycompany.otherpackage;

import com.mycompany.IMyUtilsClass;

public class MyUtils implements IMyUtilsClass {
    // ....
    public String validate(String value) {
        // ...
        // perform string value validation/canonicalization/normalization/sanitization
        // ...
        return value; // once cleaned up
    }
}
```
And this is how you should declare the neutralization method in the library xml file:
```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.MyUtils" kind="class"
         supertypes="com.mycompany.IMyUtilsClass">
    <method name="validate" signature="validate(java.lang.String)" match="name">
      <return type="java.lang.String"/>
      <neutralization argpos="-1" kind="path_traversal" resource="web"/>
    </method>
  </class>
</library>
```
Info: Do not forget: the neutralization `argpos`, `kind` and `resource` attributes will be discussed later...
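The `validate(String)` stub above is what the XML declaration marks as a path-traversal neutralizer, so the analyzer trusts whatever it returns. As an added example (not code from the original page or from the analyzer's own libraries), here is one body that actually earns that trust: it keeps the `validate(java.lang.String)` signature the declaration references, assumes `SAFE_DIR` as a placeholder sandbox directory and `IMyUtilsClass` as the page's interface, and rejects anything that is not a single file-name component inside that directory.

```java
package com.mycompany.otherpackage;

import com.mycompany.IMyUtilsClass;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: a concrete validate(String) body for the MyUtils stub on this
// page. SAFE_DIR is an assumed placeholder; MyClass still joins the returned
// name to its own SAFE_DIR when opening the file.
public class MyUtils implements IMyUtilsClass {

    // Assumed sandbox directory (placeholder path for this example)
    private static final Path SAFE_DIR =
            Paths.get("/var/app/safe").toAbsolutePath().normalize();

    public String validate(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Reject separators, NUL bytes and the "." / ".." components outright,
        // so the result is one file-name component and not a relative path.
        if (value.indexOf('/') >= 0 || value.indexOf('\\') >= 0
                || value.indexOf('\0') >= 0
                || value.equals(".") || value.equals("..")) {
            throw new IllegalArgumentException("path components not allowed");
        }
        // Allow-list the remaining characters ("report.tmp" style names only)
        if (!value.matches("[A-Za-z0-9._-]+")) {
            throw new IllegalArgumentException("illegal character in file name");
        }
        // Defense in depth: resolve against SAFE_DIR, normalize, and confirm
        // the canonical result still lies inside SAFE_DIR.
        Path resolved = SAFE_DIR.resolve(value).normalize();
        if (!resolved.startsWith(SAFE_DIR)) {
            throw new IllegalArgumentException("path escapes safe directory");
        }
        return resolved.getFileName().toString();
    }
}
```

Because the analyzer stops tracking taint at this method, the library declaration is only as safe as this body; a `validate` that merely trims whitespace would silence the finding without removing the flaw.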
Example 2 (Java)
In the next example the neutralization only affects filesystem resources:
...