Question

I have two questions regarding Fortify.

1 - Let's say I have a Windows Forms app, which asks for a username and password, and the name of the textbox for the password is texboxPassword. So in the designer file, you have the following, generated by the designer.

// 
// texboxPassword
// 
this.texboxPassword.Location = new System.Drawing.Point(16, 163);
this.texboxPassword.Name = "texboxPassword";
this.texboxPassword.Size = new System.Drawing.Size(200, 73);
this.texboxPassword.TabIndex = 3;

Fortify marks this as a password in comment issue. How can I suppress this by creating a custom rule? I don't want to suppress the whole issue because I still would like to catch certain patterns (such as password followed by = or : in comments) but the blanket search where any line that contains password is flagged is creating so many false positives. I looked into creating a structural rule but could not figure out how to remove the associated tag (where can I find the tag for password in comment anyways?)

2 - Let's say I have a custom UI control. This control HTML encodes everything and in my context, it is good enough to avoid XSS. Needless to say, it is being flagged by Fortify. How can I suppress XSS when I have a certain control type in my UI and all of its methods are safe for XSS (they sanitize) in my context? I have tried a DataflowCleanseRule (with a Label just to test the concept) and wanted to mark get_Text() and set_Text() as sanitizer functions, but it did not make a difference and Fortify still flagged it for XSS.

<DataflowCleanseRule formatVersion="3.16" language="dotnet">
    <RuleID>0D495522-BA81-440E-B191-48A67D9092BE</RuleID>
    <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM,+VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
    <FunctionIdentifier>
        <NamespaceName>
            <Pattern>System.Web.UI.WebControls</Pattern>
        </NamespaceName>
        <ClassName>
            <Pattern>Label</Pattern>
        </ClassName>
        <FunctionName>
            <Pattern>_Text</Pattern>
        </FunctionName>
        <ApplyTo implements="true" overrides="true" extends="true"/>
    </FunctionIdentifier>
    <OutArguments>return</OutArguments>
</DataflowCleanseRule>

Thank you in advance for your help


Solution

  1. This is parsed using regular expressions. Unless you think you are able to create a regular expression that can parse human language properly, I would leave it alone and just audit it as not an issue.

  2. The Pattern tag uses a Java regular expression in the body, so it should be used as user2867433 suggested. However, you stated

This control HTML encodes everything and in my context, it is good enough to avoid XSS

If you are going to use a custom rule, this has to assume that it will work in EVERY context, as say in the future somebody writes a piece of code that uses get_Text and then places this directly into a piece of JavaScript, HTML encoding will do NOTHING to stop the XSS problem here. I would advise again to audit this as not an issue or a false positive due to the validation used and explain why it's good enough in that context.

Other tips

Within "Pattern" you can use a Java regex. So it should work if you use [gs]et_Text
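As an added illustration, not taken from the question or either answer, of both points discussed above: the blanket versus narrower comment regex behind question 1, and why `_Text` fails where `[gs]et_Text` succeeds in question 2. The sample comment lines are constructed, Python's `re` stands in for the Java regex engine (the two agree for patterns this simple), and the assumption that a Fortify Pattern body is matched against the whole function name is mine, not something the page states.

```python
import re

# Constructed sample comment lines (not taken from any real codebase). The first
# is the designer-generated comment from the question; the others are made up.
SAMPLE_COMMENTS = [
    "// texboxPassword",
    "// password = hunter2",
    "// db password: s3cret",
    "// the password for the test database is hunter2",
    "// validate user input before rendering",
]

# The blanket check that produces the false positives: any comment that
# contains the word "password" at all.
BLANKET = re.compile(r"password", re.IGNORECASE)

# The narrower check the question asks for: "password" followed by '=' or ':'
# and some value, so an identifier like texboxPassword no longer matches.
ASSIGNMENT = re.compile(r"password\s*[=:]\s*\S+", re.IGNORECASE)


def flag_comments(lines, pattern):
    """Return the comment lines that the given regex hits."""
    return [line for line in lines if pattern.search(line)]


def fortify_name_matches(pattern, function_name):
    """Assumption: a Fortify <Pattern> body is matched against the whole
    function name (Java-style full match), which is why '_Text' misses
    get_Text/set_Text while '[gs]et_Text' hits both."""
    return re.fullmatch(pattern, function_name) is not None


if __name__ == "__main__":
    for name, pat in (("blanket", BLANKET), ("assignment", ASSIGNMENT)):
        print(name, flag_comments(SAMPLE_COMMENTS, pat))
    # The narrower regex drops the designer comment but also misses the
    # prose-style leak, which is the trade-off the accepted answer points at.
    for p in ("_Text", "[gs]et_Text"):
        print(p, [fortify_name_matches(p, n) for n in ("get_Text", "set_Text")])
```

Running it shows the narrow regex silently skipping the fourth comment, which is exactly the kind of sentence a regex cannot be expected to parse.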

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow