Reduce false positive for Path traversal #291

Closed
2 tasks done
h3xstream opened this issue Apr 7, 2017 · 2 comments
Labels: enhancement New feature or improvement to existing detector.

h3xstream commented Apr 7, 2017

Path traversal is one of the detectors that can cause a large number of false positives.

Here is a list of APIs that return safe values to construct a path or filename from.

  • System.getProperty()
  • Calendar.getInstance().get(Calendar.YEAR); / Calendar.getInstance().get(Calendar.MONTH); / ...
  • UUID.randomUUID().toString()
  • File.createTempFile()
  • Files.createTempDirectory()
  • System.currentTimeMillis()
  • System.nanoTime()

TODO:

  • Add the signature to configurations
  • Create test cases to make sure the configurations are effective.
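As an added illustration (not code from the issue or from find-sec-bugs), the snippet below contrasts a path built only from the safe sources listed above with one built from an attacker-controlled name, and shows the containment check that makes the latter acceptable. The upload root, method names and the sample input are hypothetical; it assumes Java 11 or later and a POSIX-style filesystem.

```java
import java.nio.file.Path;
import java.util.Calendar;
import java.util.UUID;

public class PathTraversalSources {

    // Hypothetical upload root; a real application would read this from configuration.
    static final Path UPLOAD_ROOT = Path.of("/var/app/uploads").toAbsolutePath().normalize();

    // Safe: every fragment comes from an API the issue lists (Calendar, currentTimeMillis,
    // UUID). No attacker-controlled bytes reach the path, so a report here is a false positive.
    static Path safeGeneratedName() {
        int year = Calendar.getInstance().get(Calendar.YEAR);
        String name = year + "-" + System.currentTimeMillis() + "-" + UUID.randomUUID() + ".bin";
        return UPLOAD_ROOT.resolve(name);
    }

    // Unsafe: the name is attacker-controlled (e.g. an HTTP parameter), so "../../outside.txt"
    // resolves outside UPLOAD_ROOT. This is the pattern the detector is meant to flag.
    static Path unsafeUserName(String userSupplied) {
        return UPLOAD_ROOT.resolve(userSupplied);
    }

    // Hardened: normalise, then require the result to stay under the root.
    // (Symlinks inside the root would additionally need a toRealPath() check.)
    static Path hardenedUserName(String userSupplied) {
        Path candidate = UPLOAD_ROOT.resolve(userSupplied).normalize();
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        System.out.println(safeGeneratedName());
        // Prints /var/app/uploads/../../outside.txt, which is /var/outside.txt once normalised.
        System.out.println(unsafeUserName("../../outside.txt"));
        System.out.println(hardenedUserName("report.txt"));
        try {
            hardenedUserName("../../outside.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```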
@h3xstream h3xstream added the enhancement New feature or improvement to existing detector. label Apr 7, 2017
@h3xstream h3xstream self-assigned this Apr 7, 2017

h3xstream commented Apr 7, 2017

Transfer the state of the parameter to the return value:

  • org/springframework/core/io/support/ResourcePatternResolver.getResources(Ljava/lang/String;)[Lorg/springframework/core/io/Resource;:0
  • java/lang/Class.getResource(Ljava/lang/String;)Ljava/net/URL;:0

Safe:
(Fetching the directory first might be susceptible to path traversal, but the file list is OK if the initial folder is OK.)

  • java/io/File.list()[Ljava/lang/String;:
  • java/io/File.list(Ljava/io/FilenameFilter;)[Ljava/lang/String;:
  • java/io/File.listFiles()[Ljava/io/File;:
  • java/io/File.listFiles(Ljava/io/FilenameFilter;)[Ljava/io/File;:
  • java/io/File.listFiles(Ljava/io/FileFilter;)[Ljava/io/File;:
  • java/io/File.getName()Ljava/lang/String;:
  • java/io/File.getParent()Ljava/lang/String;:
  • java/io/File.getParentFile()Ljava/io/File;:
  • java/io/File.getPath()Ljava/lang/String;:

Annotation properties could be considered safe.
This will remove a couple of FPs that occur while scanning frameworks that evaluate expressions in annotations.

h3xstream added a commit to h3xstream/find-sec-bugs that referenced this issue Aug 7, 2017
h3xstream added this to the version-1.8.0 milestone Aug 7, 2017
h3xstream added a commit that referenced this issue Aug 7, 2017: Reduce false positive for Path traversal #291
h3xstream commented

Closing this issue as all of the signatures were implemented except the Spring Environment.getProperty().
