I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid off.

Basically, I log some values that come as user input from a web interface:

logger.warn("current id not valid - " + bean.getRecordId()));

and Fortify reports this as a log forging issue, because the getRecordId() returns an user input.

I have followed this article, and I am replacing the 'new line' with space, but the issue is still reported

logger.warn("current id not valid - " + Util.replaceNewLine(bean.getRecordId()));

Can anyone suggest a way to fix this issue?

有帮助吗?

解决方案

Alina, I'm actually the author of the article you used to solve your log injection issue. Hope it was helpful.

Vitaly is correct with regards to Fortify. You'll need to build what Fortify calls a "custom rule".

It will likely be a dataflow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you own Fortify, there should be a custom rule writing guide in your product documentation.

I don't know what the taint flag you'll use is, but it would look something like "-LOG_FORGING". You would essentially write a rule to remove the log forging "taint" whenever data is passed through your utility method. Fortify will them assume that any data passed through there is now safe to be written to a log, and will not cause log forging.

其他提示

I know this was already answered, but I thought an example would be nice :)

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
  <SKU>SKU-Validated-Log-Forging</SKU>
  <Name><![CDATA[Validated-Log-Forging]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[Validated-Log-Forging]]></Description>
  <Rules version="3.14">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.14" language="java">
        <RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
        <TaintFlags>+VALIDATED_LOG_FORGING</TaintFlags>
        <FunctionIdentifier>
          <NamespaceName>
            <Pattern/>
          </NamespaceName>
          <ClassName>
            <Pattern>Util</Pattern>
          </ClassName>
          <FunctionName>
            <Pattern>replaceNewLine</Pattern>
          </FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>

You need to mark your replaceNewLine as sanitiser in Fortify (if I remember correctly) and it will stop reporting the issue.

You can actually create a new rule from a particular method.

Navigate to the function on the right side of audit workbench after you've done a scan. Find your sanitizing method and right click on it.

You can generate a rule from it. What you want is a general DataflowCleanseRule.

I just did this based on the xml someone posted above. You can save the rule as a .xml file. When updating your scan you can pass the -rule argument and point at the .xml file.

许可以下: CC-BY-SA归因
不隶属于 StackOverflow
scroll top