New detector for potential XML injection #663
Conversation
The new detector detects cases where an unsafe string is injected into an XML string. See: https://wiki.sei.cmu.edu/confluence/display/java/IDS16-J.+Prevent+XML+Injection
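To make the detector's target concrete, here is an added example (not code from this PR or from find-sec-bugs) of the IDS16-J pattern: tainted input concatenated into an XML string, beside the same concatenation passed through an escaping method of the kind the XSS_SAFE discussion below would mark as a sanitizer. The class and method names are hypothetical.

```java
public class XmlInjectionExample {
    // The sink the detector targets: tainted input concatenated into XML text.
    static String buildUnsafe(String quantity) {
        return "<item><quantity>" + quantity + "</quantity></item>";
    }

    // Escapes the five XML special characters. A method like this is the kind
    // of sanitizer a tag such as XSS_SAFE would mark as safe (hypothetical helper).
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same concatenation, but the taint is removed by the escape step, so a
    // detector that recognises escapeXml as a sanitizer should not report it.
    static String buildEscaped(String quantity) {
        return "<item><quantity>" + escapeXml(quantity) + "</quantity></item>";
    }

    public static void main(String[] args) {
        // Constructed input that would close the element and add a sibling.
        String tainted = "1</quantity><price>1.0</price><quantity>1";
        System.out.println(buildUnsafe(tainted));  // markup from the input becomes structure
        System.out.println(buildEscaped(tainted)); // the input remains a single text value
    }
}
```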
I really like the idea of this detector.

XSS tag

If you look at XssServletDetector.java, you will see that you can add a method One of the tags is XSS_SAFE. In your case, this could be helpful to eliminate false positives when an escape function for XML/HTML is used.
Thank you for taking your time to review my PR. I checked the
I updated the test cases just to illustrate what I have in mind that would be the basic test cases to support. Quick notes:
Here is a working implementation: Just do a
Thank you for working on this. Your implementation is much cleaner. Sorry, I am quite new to taint analysis; I already learned a lot but I did not have enough knowledge to implement the checker based on the Is the false-positive rate acceptable? I also have a question: is removing
> I also have a question: is removing injectableMethod from InjectionPoint necessary for this particular detector? Or could it be a separate PR?

No, it is a refactor I inserted in the PR. A new PR would make sense, but since it is just a small change (unused method) I didn't care too much. 😄
I will probably release before we integrate the PR because it needs some testing. The test cases that you linked are excellent! I looked at all 41 cases; here is what I found. Here are the false positives I found:
Supporting those two scenarios would improve all other rules that use taint analysis.
Not a problem, if the next release is not too far. I am glad that you plan a release now because our users were asking exactly this question. Anyway, what kind of further tests do you suggest?
We randomly picked some open-source projects which are different enough to test different detectors of SpotBugs and FindSecBugs. We always try our modifications on them before creating a PR.
OK, but how could we detect this automatically? Based on its name?
Strange, because I see this line in
I thought that this means that every method of this class is safe.
Any news regarding this, @h3xstream? I intend to fix the two scenarios you mentioned, but please answer my questions in my previous comment to be able to do it. Thus how should I tell the detector that
I must apologize for the delay.. TL;DR: It looks ready. By the way, thanks for cleaning up the code in your last commit. 👌