...
In the next example the neutralization only affects filesystem resources:

```java
// File: com/mycompany/onepackage/MyClass.java
package com.mycompany.onepackage;

import com.mycompany.otherpackage.CustomFile;
import javax.servlet.http.HttpServletRequest;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class MyClass {
    // Base directory under which untrusted file names are resolved. The original
    // references SAFE_DIR without declaring it; this value is an assumption.
    private static final File SAFE_DIR = new File("/var/app/safe");

    // ...
    public FileInputStream methodThatAccessToFileSystem(HttpServletRequest req) throws IOException {
        String inputFile = req.getParameter("file"); // inputFile tainted
        CustomFile file = new CustomFile(inputFile);
        file.sanitize(); // file untainted after sanitization
        // The original wrote SAFE_DIR.getAbsoluteFile() + file, which does not compile
        // for two File operands; File(parent, child) joins the two paths instead.
        return new FileInputStream(new File(SAFE_DIR.getAbsoluteFile(), file.getPath()));
    }
}
```
```java
// File: com/mycompany/otherpackage/CustomFile.java
package com.mycompany.otherpackage;

import java.io.File;

public class CustomFile extends File {
    // java.io.File has no no-arg constructor, so the pathname constructor is forwarded.
    public CustomFile(String pathname) {
        super(pathname);
    }

    // ..
    public void sanitize() {
        // perform file sanitization
    }
}
```
Neutralization declaration in the library XML file:

```xml
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.CustomFile" kind="class" supertypes="java.io.File">
    <method name="sanitize" signature="sanitize()">
      <neutralization argpos="-2" kind="string" resource="filesystem"/>
    </method>
  </class>
</library>
```
Neutralization elements

A neutralization is defined in Kiuwan by the following element:

```dtd
<!ELEMENT neutralization (#PCDATA)*>
<!ATTLIST neutralization
  argpos   CDATA       #REQUIRED
  kind     CDATA       #IMPLIED
  resource %resource;  #IMPLIED
>
```
argpos

The argpos attribute specifies the "tainted" object, i.e. which object (or objects) the routine "untaints".

In a typical method call, several objects are involved:

value = obj.call(arg1, arg2)

The neutralization routine can "untaint" one or more of those objects. The argpos attribute specifies which ones, as follows:

- "-2": the untainted object is the caller of the routine => obj
- "-1": the untainted object is the returned object => value
- "0 … n": the argument with that index is untainted => arg1 if 0, arg2 if 1, both if 0,1
kind

A neutralization routine is usually applied to a specific vulnerability type (or "kind").

The kind attribute indicates the kind of vulnerability affected by this neutralization, such as "xss", "sql_injection", "open_redirect", etc.

To see the exact attribute value, locate the vulnerability you need to neutralize, open the sink data and look at the Category value.

You can include as many neutralization elements as vulnerability types your routine neutralizes:

```xml
<neutralization argpos="-1" kind="sql_injection"/>
<neutralization argpos="-1" kind="xss"/>
```

If you want the neutralization to apply to ALL vulnerabilities (i.e. it is not specific to any vulnerability type), set "string" as the value of the kind attribute.
resource

A neutralization routine can also be suited to a particular resource type.

For example, your neutralization routine could apply only to the "database" or "filesystem" resource types.

Valid values of resource are one of (memory | os | configuration | environment | filesystem | formatstr | database | web | network | gui | crypto | other).

As above, check the Sink Data to find the appropriate value; that is the value you must indicate in the "resource" attribute.
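The argpos, kind and resource rules above, worked through in code. This is an added example written for this page, not Kiuwan's own tooling: a small Python script that parses a constructed CNF, checks every neutralization element against the rules the page states (argpos is required, resource must come from the fixed list), resolves argpos against a call of the form value = obj.call(arg1, arg2), and decides whether an entry covers a given sink category and resource. The Escaper class, the path_traversal category used when calling it, and the defaults chosen for an absent kind or resource are assumptions, not values taken from the page.

```python
import xml.etree.ElementTree as ET

# Valid values of the resource attribute, as listed on the page.
RESOURCES = frozenset([
    "memory", "os", "configuration", "environment", "filesystem", "formatstr",
    "database", "web", "network", "gui", "crypto", "other",
])

# Constructed CNF: the page's CustomFile.sanitize() declaration plus a
# hypothetical Escaper.escapeHtml() whose return value is untainted for two kinds.
SAMPLE_CNF = """<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.libraries">
  <class name="com.mycompany.otherpackage.CustomFile" kind="class" supertypes="java.io.File">
    <method name="sanitize" signature="sanitize()">
      <neutralization argpos="-2" kind="string" resource="filesystem"/>
    </method>
  </class>
  <class name="com.mycompany.Escaper" kind="class">
    <method name="escapeHtml" signature="escapeHtml(java.lang.String)">
      <neutralization argpos="-1" kind="xss"/>
      <neutralization argpos="-1" kind="sql_injection"/>
    </method>
  </class>
</library>
"""

# Constructed CNF with two defects: a neutralization without argpos (the DTD
# makes it #REQUIRED) and one whose resource is not in the valid list.
BAD_CNF = """<library name="java.custom.libraries">
  <class name="com.mycompany.Broken" kind="class">
    <method name="fix" signature="fix()">
      <neutralization kind="string"/>
      <neutralization argpos="-2" resource="disk"/>
    </method>
  </class>
</library>
"""


def parse_argpos(raw):
    """Turn "-2" or "0,1" into a list of ints; reject empty, non-numeric or < -2."""
    positions = []
    for piece in raw.split(","):
        piece = piece.strip()
        if not piece:
            continue
        value = int(piece)  # ValueError on non-numeric text
        if value < -2:
            raise ValueError("argpos %d is not defined (minimum is -2)" % value)
        positions.append(value)
    if not positions:
        raise ValueError("argpos is empty")
    return positions


def untainted_objects(argpos, call):
    """Resolve argpos against call = {"receiver": obj, "result": value, "args": [...]}.

    -2 is the receiver, -1 the returned object, 0..n the argument at that index.
    """
    names = []
    for pos in parse_argpos(argpos):
        if pos == -2:
            names.append(call["receiver"])
        elif pos == -1:
            names.append(call["result"])
        elif pos < len(call["args"]):
            names.append(call["args"][pos])
        else:
            raise IndexError("argpos %d but the call has only %d argument(s)"
                             % (pos, len(call["args"])))
    return names


def load_neutralizations(cnf_xml):
    """Parse a CNF; return (entries, problems). The external DTD is not fetched."""
    root = ET.fromstring(cnf_xml)
    entries, problems = [], []
    for cls in root.iter("class"):
        for method in cls.findall("method"):
            where = "%s.%s" % (cls.get("name"), method.get("name"))
            for elem in method.findall("neutralization"):
                argpos = elem.get("argpos")
                resource = elem.get("resource")
                if argpos is None:
                    problems.append("%s: neutralization without argpos" % where)
                    continue
                try:
                    parse_argpos(argpos)
                except ValueError as exc:
                    problems.append("%s: %s" % (where, exc))
                    continue
                if resource is not None and resource not in RESOURCES:
                    problems.append("%s: unknown resource %r" % (where, resource))
                    continue
                entries.append({"class": cls.get("name"), "method": method.get("name"),
                                "argpos": argpos, "kind": elem.get("kind"),
                                "resource": resource})
    return entries, problems


def covers(entry, sink_kind, sink_resource):
    """True when the entry neutralizes a sink of the given Category and resource.

    kind="string" matches every kind (page). Assumptions, since the page gives no
    defaults: an absent resource means "not resource-specific", an absent kind
    matches nothing.
    """
    kind_ok = entry["kind"] == "string" or entry["kind"] == sink_kind
    resource_ok = entry["resource"] is None or entry["resource"] == sink_resource
    return kind_ok and resource_ok
```

Feed it the CNF you are about to install: `load_neutralizations(open("my_library.xml").read())` returns the entries it would accept and a message for each element that would be rejected, and `untainted_objects(entry["argpos"], call)` shows which side of the call the analyzer will treat as clean, which is the check worth making before a neutralization silently widens what the scanner trusts.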
Reference

Structure of Custom Neutralization File (CNF)

Any CNF must be an XML file with the following structure:

The next sections describe this structure.

Reference to master DTD file

The reference to the master DTD must be specified in the first line.

The next table shows the specific content depending on the technology:

Tech | DTD specification | DTD location |
---|---|---|
abap | <!DOCTYPE library SYSTEM "abap_library.dtd"> | [agent_home_dir]/libraries/abap |
c / cpp | <!DOCTYPE library SYSTEM "cpp_library.dtd"> | [agent_home_dir]/libraries/c |
csharp | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
java | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
javascript | <!DOCTYPE library SYSTEM "js_library_metadata.dtd"> | [agent_home_dir]/libraries/javascript |
objectivec | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
php | <!DOCTYPE library SYSTEM "php_library.dtd"> | [agent_home_dir]/libraries/php |
python | <!DOCTYPE library SYSTEM "python_library_metadata.dtd"> | [agent_home_dir]/libraries/python |