Security
Geoweb framework è sottoposto a delle analisi SAST (Static Application Security), che mettono in evidenza potenziali criticità di sicurezza.
Queste vengono eseguite da strumenti automatici, che cercano di capire se ci sono effettivamente problematiche. Nonostante a volte vengono segnalati anche quelli che si potrebbero definire falsi positivi, in quanto a volte l'algoritmo non valute bene le condizioni di contesto, è bene seguire nella scrittura del codice delle linnee guida di security by design.
Qua sono censiti tutta una serie di casistiche delle problematiche segnalate, ed le relative sanificazioni.
Le problematiche tipiche verranno censite ed organizzate meglio man mano.
Attualmente girano due analizer: Semgrep e SpotBugs.
In sintesi:
- Semgrep è utile per chi ha bisogno di analizzare codice sorgente in vari linguaggi, specialmente per trovare vulnerabilità di sicurezza specifiche o seguire pattern di codice pericolosi.
- SpotBugs è altamente specializzato per il codice Java e si concentra sulla rilevazione di errori comuni nel bytecode Java, oltre a vulnerabilità specifiche di Java.
In dettaglio:
Semgrep
Semgrep è uno strumento di analisi statica del codice che si concentra sulla rilevazione di vulnerabilità e pattern nel codice sorgente. È altamente configurabile grazie alle sue regole basate su pattern e supporta una varietà di linguaggi di programmazione.
Caratteristiche:
- Pattern Matching: Utilizza un motore di matching basato su pattern per analizzare il codice alla ricerca di vulnerabilità. Le regole possono essere scritte in YAML e sono molto flessibili.
- Multilingua: Supporta diversi linguaggi, tra cui Java, JavaScript, Python, Ruby, Go e molti altri.
- Regole Personalizzabili: Permette agli utenti di scrivere regole personalizzate per identificare specifici problemi o vulnerabilità nel codice.
- Controllo Flessibile: Le regole possono essere molto dettagliate, permettendo di analizzare porzioni di codice molto precise.
- Performance: Essendo focalizzato sulla ricerca di pattern, è generalmente più veloce di strumenti più pesanti come i compilatori o gli strumenti di analisi approfondita del bytecode.
- Ideale per:
- Rilevare vulnerabilità e problemi di sicurezza nel codice sorgente.
- Analizzare applicazioni scritte in diversi linguaggi.
- Trovare pattern di codice problematico, come vulnerabilità OWASP o codice insicuro.
SpotBugs
SpotBugs è uno strumento di analisi statica specifico per il codice Java. Si concentra sulla ricerca di errori comuni, bug e vulnerabilità all'interno del bytecode Java.
Caratteristiche:
- Java-Specifico: È pensato per l'analisi di applicazioni Java. Non supporta nativamente altri linguaggi, ma si concentra sulle problematiche che si possono incontrare nel bytecode Java.
- Errori e Bug: Rileva potenziali errori o bug nel codice Java, come dereferenziazioni di variabili null, riferimenti a oggetti non inizializzati, e altri problemi comuni nel codice Java.
- Vulnerabilità: Identifica vulnerabilità specifiche nel contesto Java, ma è più focalizzato su problemi legati al bytecode e alla logica del programma.
- Regole Predefinite: Fornisce un set di regole predefinite e puoi anche definire le tue esclusioni e personalizzazioni.
- Integrazione con altri strumenti: Funziona bene in combinazione con altri strumenti di analisi e può essere integrato facilmente in pipeline CI/CD.
- Ideale per:
- Analizzare applicazioni Java per bug, errori logici e vulnerabilità comuni.
- Identificare potenziali problemi nel bytecode Java.
- Utilizzare strumenti di integrazione di sicurezza nell'ambito Java.
- Differenze principali:
- Caratteristica Semgrep SpotBugs
- Linguaggi supportati Multilingua (Java, Python, JavaScript, Go, ecc.) Solo Java
- Tipo di analisi Pattern matching sul codice sorgente Analisi statica del bytecode Java
- Flessibilità delle regole Alta, le regole sono scrivibili in YAML Limitata a regole predeterminate e alcune personalizzazioni
- Focus Sicurezza e pattern nel codice sorgente Bug, errori e vulnerabilità nel bytecode Java
- Velocità Veloce, a causa del pattern matching Più lento, poiché lavora sul bytecode
Attualmente nella pipeline del branch develop viene creato a partire da un report .json (solo semgrep) un file pdf contenente il risultato dell'analisi che viene fatta ad ogni push.
Disabilitare le segnalazioni residue
Dopo aver messo in pratica tutte le best practices per la rimozione/mitigazione della problematica, potrebbe essere necessatio comunque escludere la segnalazione manualmente.
Questo può essere fatto solo dietro un'attenta valutazione del contesto.
segnalazioni Semgrep
Annullare segnalazioni Semgrep con commenti inline:
2 varianti possibili:
// nosemgrep → Disattiva il controllo per la riga successiva. // nosemgrep: <RULE_ID> → Disattiva solo una specifica regola per la riga successiva.
SuppressWarnings (SpotBugs & PMD)
import java.util.Random;
public class Example {
@SuppressWarnings("SECURITY") // Suppress warning per SpotBugs
public void generateRandomNumber() {
Random random = new Random();
System.out.println(random.nextInt());
}
}
Nota: “SECURITY” è un esempio; il valore dipende dall'analizzatore in uso.
@SuppressFBWarnings (SpotBugs)
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
public class Example {
@SuppressFBWarnings("DMI_RANDOM_USED_ONLY_ONCE")
public void generateRandomNumber() {
Random random = new Random();
System.out.println(random.nextInt());
}
}
Nota: “DMI_RANDOM_USED_ONLY_ONCE” è una regola specifica di SpotBugs.
Disattivare regole Semgrep in .semgrepignore
Se vuoi escludere interi file o directory, puoi usare il file .semgrepignore (nella root del progetto):
Modifica # Ignora tutti i file di test src/test/** # Ignora un file specifico src/main/java/com/example/UnsafeCode.java
.semgrepignore attuale
gw-commons-web/src/main/resources/META-INF/static-resources/debug/util/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/dojox/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/dojo/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/dijit/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/dgrid/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/dstore/ gw-commons-web/src/main/resources/META-INF/static-resources/debug/put-selector/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/dojox/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/dojo/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/dijit/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/dgrid/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/dstore/ gw-commons-web/src/main/resources/META-INF/static-resources/compressed/put-selector/ gw-commons-web/src/main/resources/META-INF/static-resources/fontawesome/ gw-commons-web/src/main/resources/META-INF/static-resources/ace/ gw-webclient/src/main/resources/META-INF/static-resources/openlayers/ gw-webclient/src/main/resources/META-INF/static-resources/pdfjs/ gw-advanced/src/main/resources/META-INF/static-resources/vis/ gw-3d-visualizer/src/main/resources/META-INF/static-resources/debug/js/pointcloud/ client-desktop/ObjectListView/ client-desktop/RabbitConsumer/ client-desktop/UploadManager/BimDataSetup/ client-desktop/UploadManager/Cde/ client-desktop/UploadManager/packages/ client-desktop/UploadManager/UploadManagerSetup/ client-desktop/ClientCAD/Lib/ client-desktop/ClientCAD/ObjectListView-LibraryOnly/ client-desktop/ClientCAD/packages/ client-desktop/ClientCAD/ClientCAD/ObjectListView-LibraryOnly/ **/profile.js gw-mnemonic-code/ gw-portal-api/ gw-portal-commons/ gw-xkt-visualizer/
javascript
Eval Injection
Improper neutralization of directives in dynamically evaluated code ('Eval Injection')
### Improper neutralization of directives in dynamically evaluated code ('Eval Injection')
**Severity**: High
**Description**:
The application was found calling the `eval` function OR Function()
constructor OR setTimeout() OR setInterval() methods. If the
variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary
JavaScript
code. This could lead to a full system compromise in Node applications or Cross-site Scripting
(XSS) in web applications.
To remediate this issue, remove all calls to above methods and consider alternative methods for
executing
the necessary business logic. There is almost no safe method of calling `eval` or other above stated sinks with
user-supplied input.
Instead, consider alternative methods such as using property accessors to dynamically access
values.
Example using property accessors to dynamically access an object's property:
```
// Define an object
const obj = {key1: 'value1', key2: 'value2'};
// Get key dynamically from user input
const key = getUserInput();
// Check if the key exists in our object and return it, or a default empty string
const value = (obj.hasOwnProperty(key)) ? obj[key] : '';
// Work with the value
```
For more information on why not to use `eval`, and alternatives see:
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
Other References:
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function
- https://developer.mozilla.org/en-US/docs/Web/API/setTimeout
- https://developer.mozilla.org/en-US/docs/Web/API/setInterval
**CVE**: semgrep_id:eslint.detect-eval-with-expression:2661:2661
**File**: gw-webclient/src/main/resources/META-INF/static-resources/debug/js/gwActions.js
**Line**: 2661
**Scanner**: Semgrep
**Identifiers**:
- eslint.detect-eval-with-expression: eslint.detect-eval-with-expression (semgrep_id)
- CWE-95: 95 (cwe)
- A03:2021 - Injection: A03:2021 (owasp)
- A1:2017 - Injection: A1:2017 (owasp)
- ESLint rule ID/detect-eval-with-expression: detect-eval-with-expression (eslint_rule_id)
codice affetto
try{ eval('params = '+dar.jsonParam);}catch(e){}
codice sanato
//issue #1502 //----------- var params = gwEvalStringifiedObject(dar.jsonParam); //-----------
ora è disponibile la function
//issue #1502 //----------- function gwEvalStringifiedObject(/*String*/ jsObjString){ //jsObjString is not a valid JSON var parsedObject = null; if(jsObjString!=null && typeof jsObjString==='string'){ jsObjString = jsObjString.replace(/([{,])\s*([a-zA-Z0-9_]+)\s*:/g, '$1"$2":'); //add "" to json keys jsObjString = jsObjString.replace(/'([^']*)'/g, '"$1"'); //replace string values '' delimiters with "" //transform all function in strings, enclosing all within "" jsObjString = jsObjString.replace( /(\bfunction\s*\([^\)]*\)\s*{[^}]*})/g, function(match) { return '"' + match.replace(/"/g, '\\"') + '"'; //escaping "" inside function } ); try { parsedObject = JSON.parse(jsObjString); //search and convert all string "function...." inside the JSON function convertFunctions(obj) { if (Array.isArray(obj)) { return obj.map(convertFunctions); //if is an array, do recursion } else if (typeof obj === 'object' && obj !== null) { Object.keys(obj).forEach(key => { if (typeof obj[key] === 'string' && obj[key].trim().startsWith('function')) { try { obj[key] = new Function('return ' + obj[key])(); //convert the string in Function } catch (e) { console.error('Errore nella conversione della funzione:', e); } } else { obj[key] = convertFunctions(obj[key]); //continue the recursion } }); } return obj; } //convent all the fxs parsedObject = convertFunctions(parsedObject); } catch (e) { console.error('Errore nel parsing del JSON:', e); throw e; } } return parsedObject; } //-----------
JAVA
RelativePathTraversal
Relative Path Traversal
### Relative Path Traversal
**Severity**: Critical
**Description**:
Detected user input controlling a file path. An attacker could control
the location of this file, to include going backwards in the directory
with '../'.
To address this, ensure that user-controlled variables in file
paths are sanitized. You may also consider using a utility method such as
org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file
name from the path.
Example of using `org.apache.commons.io.FilenameUtils.getName(...)` to
only retrieve the file name from the path
```
String fileName = org.apache.commons.io.FilenameUtils.getName(userControlledInput);
File file = new File("/path/to/directory/" + fileName);
```
**CVE**: semgrep_id:java_traversal_rule-RelativePathTraversal:1070:1070
**File**: gw-webclient/src/main/java/com/geowebframework/webclient/controller/commons/ReportController.java
**Line**: 1070
**Scanner**: Semgrep
**Identifiers**:
- java_traversal_rule-RelativePathTraversal: java_traversal_rule-RelativePathTraversal (semgrep_id)
- CWE-23: 23 (cwe)
- A01:2021 - Broken Access Control: A01:2021 (owasp)
- A5:2017 - Broken Access Control: A5:2017 (owasp)
codice affetto
@RequestMapping("fileDoc/{file_doc_name:.+}") ModelAndView fileDoc( @PathVariable String file_doc_name, Locale locale) { ModelAndView modelAndView = new ModelAndView("commons/gwMarkedEdit"); String file_doc_text = null; URL url; try { String downloadUrl = basePath+"/"+file_doc_name; url = new URL(downloadUrl); File currentFile = new File(url.getPath()); ...
codice sanato
Nei casi in cui la parte proveniente dal client è solo un nome, senza path, si può usare
//issue #1502 //----------- //path traversal prevention //CASE 1: input is only the file name (without path) file_doc_name = FilenameUtils.getName(file_doc_name); //sanitizing //-----------
Nei casi in cui la parte proveniente dal client è potenzialmetne un path, si deve usare qualcosa di più sofisticato:
@RequestMapping("fileDoc/{file_doc_name:.+}") ModelAndView fileDoc( @PathVariable String file_doc_name, Locale locale) { ModelAndView modelAndView = new ModelAndView("commons/gwMarkedEdit"); String file_doc_text = null; try { //issue #1502 //----------- //path traversal prevention // get base directory String basePath = ConfigurationProperties.getInstance().getString("basePath") + "documentation"; //issue #1502 //----------- //path traversal prevention // get base directory String basePath = ConfigurationProperties.getInstance().getString("basePath"); // normalize user input path Path baseDir; if(basePath.startsWith("file:/")){ //it supports paths like file:/// //baseDir = Path.of(new URI(basePath)); //Java 11 baseDir = Paths.get(new URI(basePath)); //Java 8 }else{ //it supports paths like 'C:\Projects\' baseDir = Paths.get(basePath); } baseDir = baseDir.toRealPath(); // authorized absolute path Path requestedPath = baseDir.resolve(file_doc_name).normalize(); // normalize path using resolve() to prevent traversal // path traversal prevention if (!requestedPath.startsWith(baseDir)) throw new SecurityException("Unauthorized access to file: " + file_doc_name); URL templateUrl = requestedPath.toUri().toURL(); //----------- File currentFile = new File(templateUrl .getPath());
DangerousGroovyShell
Improper control of generation of code ('Code Injection')
### Improper control of generation of code ('Code Injection')
**Severity**: Critical
**Description**:
This application implements unsafe invocations of methods within the
`groovy.lang.GroovyShell` or `groovy.lang.GroovyClassLoader` classes,
which are used to evaluate or compile Groovy code dynamically. When
user-controlled input is directly passed to `parse`, `evaluate`, or
`parseClass` methods, it can lead to Remote Code Execution (RCE), where an
attacker can execute arbitrary code on the server. This could potentially
allow an attacker to gain unauthorized access to system resources, modify
internal application states, or execute commands on the server depending
on the level of permissions assigned to the application process.
To mitigate this vulnerability, always validate and sanitize all user inputs
before using them in dynamic code evaluations. Consider using safer alternatives
to executing dynamic code if possible. If dynamic code execution is absolutely
necessary, use strict allowlists of safe inputs and context-specific validation.
Secure Code Example:
```
import groovy.lang.GroovyShell;
class SafeDynamicEvaluation {
private static final Set<String> ALLOWED_EXPRESSIONS = new HashSet<>(Arrays.asList(
"println 'Hello World!'",
"println 'Goodbye World!'"));
public static void test4(String[] args, ClassLoader loader) throws Exception {
GroovyShell shell = new GroovyShell();
String userInput = args[0];
// Validate the user input against the allowlist
if (ALLOWED_EXPRESSIONS.contains(userInput)) {
shell.evaluate(userInput);
// shell.parse(userInput);
} else {
throw new IllegalArgumentException("Invalid or unauthorized command.");
}
}
}
```
**CVE**: semgrep_id:java_inject_rule-DangerousGroovyShell:986:986
**File**: gw-upload-manager/src/main/java/com/geowebframework/umplugin/service/CheckInService.java
**Line**: 986
**Scanner**: Semgrep
**Identifiers**:
- java_inject_rule-DangerousGroovyShell: java_inject_rule-DangerousGroovyShell (semgrep_id)
- CWE-94: 94 (cwe)
- A03:2021 - Injection: A03:2021 (owasp)
- A1:2017 - Injection: A1:2017 (owasp)
codice affetto
String groovyCode = (String) result.get(dbField); GroovyShell gs = new GroovyShell(binding); gs.evaluate(groovyCode );
codice sanato
Dopo l'adozione di varie best practices per minimizzare il rischio, usare il commento per l'esclusione della riga. In particolare:
- si verifica la fonte del codice da parsare (groovyCode viene da Geoweb, evitate problematiche relative path traversal)
- si disabilitano degli import particolari (SecureASTCustomizer )
- si verifica che il codice non contenga espressioni non ammesse (GwSecureGroovyShell )
//issue #1502 //----------- CompilerConfiguration config = new CompilerConfiguration(); SecureASTCustomizer secure = new SecureASTCustomizer(); //avoid dangerous call like come System.exit() //not available in java 8 //secure.setDisallowedMethods(Arrays.asList("System.exit", "execute", "getRuntime", "invoke")); //avoid dangerous package secure.setDisallowedImports(Arrays.asList("java.lang.Runtime", "java.lang.ProcessBuilder")); config.addCompilationCustomizers(secure); GwSecureGroovyShell gs = new GwSecureGroovyShell(binding, config); //issue #1502 the comment below disable the semgrep analyzer for the following row //consolidationRule comes from database and is verified //CompilerConfiguration has a SecureASTCustomizer with disallowed import //GwSecureGroovyShell remove forbidden code // nosemgrep return gs.evaluate(groovyCode); //-----------
con classe separata
package com.geowebframework.dataservice.groovy;
import java.util.Arrays;
import java.util.List;
import org.codehaus.groovy.control.CompilerConfiguration;
import groovy.lang.*;
//issue #1502
public class GwSecureGroovyShell extends GroovyShell {
public GwSecureGroovyShell(Binding binding, CompilerConfiguration config) {
super(binding, config);
}
@Override
public Object evaluate(String script) {
//in java 8 cannot use
//secureASTCustomizer.setDisallowedMethods(Arrays.asList("System.exit", "execute", "getRuntime", "invoke"));
List<String> forbiddenList = Arrays.asList(
//"execute",
//"evaluate",
"java.lang.Runtime",
"Runtime.getRuntime()",
"java.lang.ProcessBuilder",
"System.exit",
"invokeMethod",
"parseClass"
);
for(String forbidden : forbiddenList) {
if (script.contains(forbidden)) {
throw new SecurityException("Using forbidden method in groovy: "+forbidden+"\r\nFor security reasons some java method are not usable inside groovy code.\r\n forbidden list: "+forbiddenList.toString()+"");
}
}
return super.evaluate(script);
}
}
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF)
In generale vengono segnalati tutti i @RequestMapping Spring dove non è imposto alcun method di restrizione, come qui:
@RequestMapping("addClassification")
public ModelAndView themeByIdManagementMAV(@PathVariable Integer id, Locale locale)
{
Per l'analizer non è rilevante se nel controller siano effettivamente presenti o meno logiche di update.
### Cross-site request forgery (CSRF)
**Severity**: Medium
**Description**:
Detected a method annotated with 'RequestMapping' that does not specify
the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or
OPTIONS, and by default all HTTP methods are allowed when the HTTP method
is not explicitly specified. This means that a method that performs state
changes could be vulnerable to CSRF attacks. Cross-Site Request Forgery (CSRF)
is a security vulnerability where an attacker tricks a user into performing
unintended actions on a web application where they are authenticated. This
can lead to unauthorized actions like changing user settings, transferring
funds, or altering passwords, all without the user's knowledge, by exploiting
the trust a web application has in the user's browser.
To mitigate, add the 'method' field and specify the HTTP method (such as
'RequestMethod.POST').
Secure Code Example:
```
@RequestMapping(value = "/path", method = RequestMethod.POST)
public void safe() {
// State-changing operations performed within this method.
}
```
**CVE**: semgrep_id:java_csrf_rule-UnrestrictedRequestMapping:1008:1008
**File**: gw-advanced/src/main/java/com/geowebframework/calendar/controller/AssignmentWPController.java
**Line**: 1008
**Scanner**: Semgrep
**Identifiers**:
- java_csrf_rule-UnrestrictedRequestMapping: java_csrf_rule-UnrestrictedRequestMapping (semgrep_id)
- CWE-352: 352 (cwe)
- A01:2021 - Broken Access Control: A01:2021 (owasp)
- A5:2017 - Broken Access Control: A5:2017 (owasp)
codice affetto
@RequestMapping(value = "keepSessionAlive", produces = "application/json") public @ResponseBody JsonServerResponse keepSessionAlive(Locale locale){
codice sanato
Va esplicitato il method: GET o POST
@RequestMapping(value = "keepSessionAlive", produces = "application/json", method = RequestMethod.GET) //issue #1505 public @ResponseBody JsonServerResponse keepSessionAlive(Locale locale){
In alcuni casi particolari, dove il controller è invocato mediate il tag
<jsp:include ...>
Il metodo della richiesta viene ereditato dalla richiesta ordinaria. Quindi per le richieste, come quelle del dettaglio, che possono essere invocate con entrambi i metodi GET e POST, vanno resi accettabili entrambi. In particolare occhio anche ai controller degli *included nei widget di dettaglio.
//issue #1505 the comment below disable the semgrep analyzer for the following row // nosemgrep @RequestMapping(value = "{projectName}/gwWidget/{detailJspName}/{attributeGwid}/{itemId}", method = {RequestMethod.GET, RequestMethod.POST}) //issue #1505 public ModelAndView widgetDetail( @PathVariable String projectName, @PathVariable String detailJspName, @PathVariable Integer attributeGwid, @PathVariable String itemId, Locale locale ){ ModelAndView modelAndView = new ModelAndView("/commons/widget/"+detailJspName); return modelAndView; }
Cross Site Scripting (XSS)
Improper neutralization of input during web page generation ('Cross-site Scripting')
### Improper neutralization of input during web page generation ('Cross-site Scripting')
**Severity**: Medium
**Description**:
The application is returning user-supplied data from an HTTP request directly into an HTTP
response output
writer. This could lead to Cross Site Scripting (XSS) if the input were malicious
script code and the application server is not properly validating the output.
XSS is an attack which exploits a web application or system to treat user input
as markup or script code. It is important to encode the data depending on the specific context
it is used in. There are at least six context types:
- Inside HTML tags `<div>context 1</div>`
- Inside attributes: `<div class="context 2"></div>`
- Inside event attributes `<button onclick="context 3">button</button>`
- Inside script blocks: `<script>var x = "context 4"</script>`
- Unsafe element HTML assignment: `element.innerHTML = "context 5"`
- Inside URLs: `<iframe src="context 6"></iframe><a href="context 6">link</a>`
Script blocks alone have multiple ways they need to be encoded. Extra care must be taken if
user input
is ever output inside of script tags.
User input that is displayed within the application must be encoded, sanitized or validated
to ensure it cannot be treated as HTML or executed as Javascript code. Care must also be
taken
to not mix server-side templating with client-side templating, as the server-side templating
will
not encode things like {{ 7*7 }} which may execute client-side templating features.
It is _NOT_ advised to encode user input prior to inserting into a data store. The data will
need to be
encoded depending on context of where it is output. It is much safer to force the displaying
system to
handle the encoding and not attempt to guess how it should be encoded.
If possible do not use user input directly in the output to the response writer.
If the application must output user-supplied input, it will need to encode the data depending
on
the output context.
Consider using [Apache Commons Text](https://commons.apache.org/proper/commons-text/)
`StringEscapeUtils` methods for various context. Please note there is no way to safely
output script code in most circumstances, regardless of encoding. If calling the HTTP
response writer directly, ensure that the `Content-Type` is set to `text/plain` so it will
not be accidentally interpreted by HTML by modern browsers.
```
// Get user input
String htmlInput = request.getParameter("userInput");
// Encode the input using the Html4 encoder
String htmlEncoded = StringEscapeUtils.escapeHtml4(htmlInput);
// Force the HTTP response to be content type of text/plain so it is not interpreted as HTML
response.setContentType("text/plain");
// Ensure UTF-8
response.setCharacterEncoding("UTF-8");
// Write response
response.getWriter().write(htmlEncoded);
```
For more information on XSS see OWASP:
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
**CVE**: semgrep_id:find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1:1327:1327
**File**: gw-webclient/src/main/java/com/geowebframework/webclient/controller/commons/GwClassListController.java
**Line**: 1327
**Scanner**: Semgrep
**Identifiers**:
- find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1: find_sec_bugs.XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER-1 (semgrep_id)
- CWE-79: 79 (cwe)
- A03:2021 - Injection: A03:2021 (owasp)
- A1:2017 - Injection: A1:2017 (owasp)
- Find Security Bugs-XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER (find_sec_bugs_type)
codice affetto
String warningMessage = gwLogService.logMessage( new GwLogMessageBuilder() .warn() .forJava() .setLogger(log) .addMessage("GwClassListController - listThumbnailImageHandle(..) - Error creating thumbnail image") .addMessage("null blob on DB associated to Image CtrlParam") .addFix("Enable in Geoadmin the visualize permission for gwClass '"+className+"'") .addInfoMapEntry("gwClassName", className) .addInfoMapEntry("itemId", itemId) .addInfoMapEntry("attributeGwid", attributeGwid) .addInfoMapEntry("imageName", imageName) .build() ); response.setContentType(MediaType.TEXT_PLAIN_VALUE); response.setContentLength(warningMessage.getBytes().length); response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR ); response.getWriter().write(warningMessage); response.getWriter().flush(); response.getWriter().close();
codice sanato
String warningMessage = gwLogService.logMessage(
new GwLogMessageBuilder()
.warn()
.forJava()
.setLogger(log)
.addMessage("GwClassListController - listThumbnailImageHandle(..) - Error creating thumbnail image")
.addMessage("null blob on DB associated to Image CtrlParam")
.addFix("Enable in Geoadmin the visualize permission for gwClass '"+className+"'")
.addInfoMapEntry("gwClassName", className)
.addInfoMapEntry("itemId", itemId)
.addInfoMapEntry("attributeGwid", attributeGwid)
.addInfoMapEntry("imageName", imageName)
.build()
);
warningMessage = org.apache.commons.text.StringEscapeUtils.escapeHtml4(warningMessage); //issue #1508
response.setContentType(MediaType.TEXT_PLAIN_VALUE);
response.setContentLength(warningMessage.getBytes().length);
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR );
response.getWriter().write(warningMessage);
response.getWriter().flush();
response.getWriter().close();
CS
OS Command Injection
Improper neutralization of special elements used in an OS command ('OS Command Injection')
### Improper neutralization of special elements used in an OS command ('OS Command Injection')
**Severity**: High
**Description**:
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.
User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.
Ensure your application does not:
- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.
The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.
When specifying the OS command, ensure the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).
Example of safely executing an OS command:
```
public void ExecuteCommand(string userFileData) {
// generate a random filename, do not using user input
string fileName = "C:\\Temp\\" + Guid.NewGuid();
File.WriteAllText(fileName, userFileData);
using (Process process = new Process())
{
// hardcode the full process path
ProcessStartInfo processInfo = new ProcessStartInfo("C:\\App\\FileReader.exe");
// only pass in trust arguments, and never direct user input.
processInfo.Arguments = fileName;
processInfo.UseShellExecute = false;
process.StartInfo = processInfo;
process.Start();
}
}
```
For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
**CVE**: semgrep_id:security_code_scan.SCS0001-1:117:117
**File**: client-desktop/ClientCAD/ClientCAD/Dialogs/Main/BulkDialog.cs
**Line**: 117
**Scanner**: Semgrep
**Identifiers**:
- security_code_scan.SCS0001-1: security_code_scan.SCS0001-1 (semgrep_id)
- CWE-78: 78 (cwe)
- A03:2021 - Injection: A03:2021 (owasp)
- A1:2017 - Injection: A1:2017 (owasp)
- SCS0001: SCS0001 (security_code_scan_rule_id)
codice affetto
List<String> files = new List<String>(); String[] filesArr = System.IO.Directory.GetFiles(this.SelectedDirectory.Text, "*.dwg"); foreach (String file in filesArr) { files.Add(file); } String[] directories = System.IO.Directory.GetDirectories(this.SelectedDirectory.Text); foreach(String dir in directories) { List<String> tempFile = new List<String>(); AddSubDirFiles(dir, out tempFile); files.AddRange(tempFile); } this.mBinding.Clear(); Dictionary<string, string> validationSatus = loadValidationStatus(); foreach (String file in files) { try { string md5 = GetMD5HashFromFile(file); ValidationUploadStruct str = new ValidationUploadStruct(); str.FileName = System.IO.Path.GetFileNameWithoutExtension(file);
codice sanato
using System; using System.Collections.Generic; using System.IO; using System.Security.Cryptography; using System.Text; using System.Text.RegularExpressions; public class DwgBulkUploaderForm { public void ProcessFiles() { List<string> files = new List<string>(); string[] filesArr = Directory.GetFiles(this.SelectedDirectory.Text, "*.dwg"); foreach (string file in filesArr) { files.Add(file); } string[] directories = Directory.GetDirectories(this.SelectedDirectory.Text); foreach (string dir in directories) { List<string> tempFile = new List<string>(); AddSubDirFiles(dir, out tempFile); files.AddRange(tempFile); } this.mBinding.Clear(); Dictionary<string, string> validationStatus = LoadValidationStatus(); foreach (string file in files) { try { string md5 = GetMD5HashFromFile(file); ValidationUploadStruct str = new ValidationUploadStruct(); // *** Validazione e sanitizzazione del nome file *** str.FileName = SanitizeFileName(Path.GetFileNameWithoutExtension(file)); } catch (Exception ex) { Console.WriteLine($"Errore nell'elaborazione del file {file}: {ex.Message}"); } } } private string SanitizeFileName(string fileName) { // Rimuove caratteri non validi per i nomi file string sanitized = Regex.Replace(fileName, @"[^a-zA-Z0-9_\-]", ""); // Limita la lunghezza massima per evitare buffer overflow if (sanitized.Length > 255) { sanitized = sanitized.Substring(0, 255); } return sanitized; } }