log forging fortify fix
Asked Answered
C

4

12

I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid off.

Basically, I log some values that come as user input from a web interface:

logger.warn("current id not valid - " + bean.getRecordId()));

and Fortify reports this as a log forging issue, because the getRecordId() returns an user input.

I have followed this article, and I am replacing the 'new line' with space, but the issue is still reported

logger.warn("current id not valid - " + Util.replaceNewLine(bean.getRecordId()));

Can anyone suggest a way to fix this issue?

Correspondence answered 8/10, 2012 at 15:25 Comment(1)
IMHO it's all about content, :) as a good practice you have to sanitize user input, and this should be treated as a warning that in certain situations, like heterogeneous software architectures (calling C app from JAVA) unsanitized user input can be dangerous (replacing new line is far from proper sanitization ;) ), also format attacks can present a threat, if a record ID is a number (Long, Integer, Double) you can skip it :), if it's string you can also skip it but remember about it :).Ingratiating
C
8

Alina, I'm actually the author of the article you used to solve your log injection issue. Hope it was helpful.

Vitaly is correct with regards to Fortify. You'll need to build what Fortify calls a "custom rule".

It will likely be a dataflow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you own Fortify, there should be a custom rule writing guide in your product documentation.

I don't know what the taint flag you'll use is, but it would look something like "-LOG_FORGING". You would essentially write a rule to remove the log forging "taint" whenever data is passed through your utility method. Fortify will them assume that any data passed through there is now safe to be written to a log, and will not cause log forging.

Crossroad answered 12/10, 2012 at 5:57 Comment(2)
Thanks John! Following your advice and the documentation I managed to write the custom rule I need. Your article was also very useful.Correspondence
this link does not exists anymore : cigital.com/newsletter/2009-11-tips.phpChilon
D
9

I know this was already answered, but I thought an example would be nice :)

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>D82118B1-BBAE-4047-9066-5FC821E16456</RulePackID>
  <SKU>SKU-Validated-Log-Forging</SKU>
  <Name><![CDATA[Validated-Log-Forging]]></Name>
  <Version>1.0</Version>
  <Description><![CDATA[Validated-Log-Forging]]></Description>
  <Rules version="3.14">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.14" language="java">
        <RuleID>DDAB5D73-8CF6-45E0-888C-EEEFBEFF2CD5</RuleID>
        <TaintFlags>+VALIDATED_LOG_FORGING</TaintFlags>
        <FunctionIdentifier>
          <NamespaceName>
            <Pattern/>
          </NamespaceName>
          <ClassName>
            <Pattern>Util</Pattern>
          </ClassName>
          <FunctionName>
            <Pattern>replaceNewLine</Pattern>
          </FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
Derisible answered 30/11, 2012 at 17:39 Comment(0)
C
8

Alina, I'm actually the author of the article you used to solve your log injection issue. Hope it was helpful.

Vitaly is correct with regards to Fortify. You'll need to build what Fortify calls a "custom rule".

It will likely be a dataflow cleanse rule. A basic example can be found here: http://www.cigital.com/newsletter/2009-11-tips.php. If you own Fortify, there should be a custom rule writing guide in your product documentation.

I don't know what the taint flag you'll use is, but it would look something like "-LOG_FORGING". You would essentially write a rule to remove the log forging "taint" whenever data is passed through your utility method. Fortify will them assume that any data passed through there is now safe to be written to a log, and will not cause log forging.

Crossroad answered 12/10, 2012 at 5:57 Comment(2)
Thanks John! Following your advice and the documentation I managed to write the custom rule I need. Your article was also very useful.Correspondence
this link does not exists anymore : cigital.com/newsletter/2009-11-tips.phpChilon
P
3

You need to mark your replaceNewLine as sanitiser in Fortify (if I remember correctly) and it will stop reporting the issue.

Pauper answered 9/10, 2012 at 7:42 Comment(3)
Any more details about this options to mark the method as 'sanitiser'? I am using Fortify Audit Workbench and I cannot find the option.Correspondence
I found out that there is something called "Fortify Java Annotations", I hope I can find more information about this.Correspondence
I am sorry, I have not touched this stuff for a while. Talking to Fortify support is your best option - this is an expensive product and support was ok last time I used it.Pauper
S
0

You can actually create a new rule from a particular method.

Navigate to the function on the right side of audit workbench after you've done a scan. Find your sanitizing method and right click on it.

You can generate a rule from it. What you want is a general DataflowCleanseRule.

I just did this based on the xml someone posted above. You can save the rule as a .xml file. When updating your scan you can pass the -rule argument and point at the .xml file.

Swearword answered 12/5, 2021 at 18:55 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.