HP Fortify Validation Rules on Path Manipulation

一曲冷凌霜 submitted on 2019-12-06 01:15:26

If you do it right, the Fortify data flow analyzer will track along your data path, see some expected functions (e.g. getCanonicalPath(), pattern.matcher(), etc.) and trigger a rule that sets the taint flag VALIDATED_PATH_MANIPULATION on the data. When the data flow analyzer then sees this particular taint flag at a Path Manipulation sink, it mutes the issue report. This happens by design. If you implemented a function FortifyFileWriteAllText() and Fortify still complains, it may be because Fortify does not recognize the validation method you are using, so no rule ever set the flag.

If you believe that FortifyFileWriteAllText() does prevent PM, here is a custom rule pack for it. Note what the rule below actually is: a DataflowSinkRule whose Conditional makes it report Path Manipulation at FortifyFileWriteAllText() only when the data reaching it does not already carry VALIDATED_PATH_MANIPULATION. It does not itself set that flag; the rule type that marks a function's output as validated is a DataflowCleanseRule with TaintFlags +VALIDATED_PATH_MANIPULATION. InArguments names which argument is the sink ("this" for the receiver object, "0" for the first parameter), so adjust it to match the signature of your method. Put the file in the FORTIFY_HOME/Core/config/rules directory of your Fortify installation to use it.

<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
    <RulePackID>YOUR RULE PACK NAME HERE</RulePackID>
    <SKU>SKU-ANY THING HERE</SKU>
    <Name><![CDATA[ANY THING HERE]]></Name>
    <Version>1.0</Version>
    <Description><![CDATA[]]></Description>
    <Rules version="6.31">
        <RuleDefinitions>
            <DataflowSinkRule formatVersion="6.31" language="java">
                <MetaInfo>
                    <Group name="MyCompany">Path Manipulation Remediation</Group>
                    <Group name="Accuracy">4</Group>
                    <Group name="Impact">3</Group>
                    <Group name="RemediationEffort">3</Group>
                    <Group name="Probability">4</Group>
                    <Group name="audience">targeted,medium,broad,dev,fod</Group>
                </MetaInfo>
                <RuleID>put-your-rule-id here-with-prefix-for-future-statistics</RuleID>
                <VulnKingdom>Input Validation and Representation</VulnKingdom>
                <VulnCategory>Path Manipulation</VulnCategory>
                <DefaultSeverity>3.0</DefaultSeverity>
                <Description ref="desc.dataflow.java.path_manipulation">
                    <Explanation append="true"><![CDATA[This issue is being reported by "your rule name here".]]></Explanation>
                </Description>
                <Sink>
                    <InArguments>this</InArguments>
                    <Conditional>
                        <Not>
                            <TaintFlagSet taintFlag="VALIDATED_PATH_MANIPULATION"/>
                        </Not>
                    </Conditional>
                </Sink>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Pattern>com.yourpackage</Pattern>
                    </NamespaceName>
                    <ClassName>
                        <Pattern>yourclass</Pattern>
                    </ClassName>
                    <FunctionName>
                        <Pattern>FortifyFileWriteAllText</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
            </DataflowSinkRule>
        </RuleDefinitions>
    </Rules>
</RulePack>

Path Manipulation is a special type of "Resource Manipulation". Its attack surface is limited to directories and files. To remediate PM, in addition to your input validation techniques, you need to address the resource in three parts, because the protection requirements differ for each part:

(1) DIRECTORY
We need to protect against ../../ and similar. Use java.io.File.getCanonicalPath() to strip off the tainted part, compare the result with the original directory, and use it only when they match.

(2) FILE_SEPARATOR
Using java.io.File.separator is safer than System.getProperty("file.separator"), because with the second method the separator can be overridden by calls to System.setProperty(String key, String value) or with the command line parameter -Dfile.separator=/.

(3) FILE_NAME

  • Use java.io.File.getName() to extract the filename. For example, "../../tmp/../../%00....xyz.txt" becomes "%00....xyz.txt".
  • Use a whitelist to allow only the good characters (this filters %00.... out of the file name).
  • Check the java.util.regex package for details. The important thing is to use the correct pattern. The best/clearest RegEx lesson is the Oracle Regular Expressions tutorial. The best testing site is RegEx Planet (you need to refresh the page for each test, or the output may not be correct). I installed the RegexpTester plugin and it works well within the IntelliJ 15.X IDE.
  • OWASP ESAPI FileName Pattern = "^[a-zA-Z0-9.\-_ ]{0,255}$"
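The three-part remediation above, as an added example that is not part of the original post: the class SafeFileWriter and its methods resolve() and writeAllText() are assumed names, not Fortify or ESAPI APIs, and the inputs in main() are constructed for the demonstration. It applies getName(), the whitelist, File.separator and the canonical-path comparison in that order and shows what each step rejects.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.regex.Pattern;

/**
 * Added example (not from the original post). Writes untrusted file names
 * only inside a trusted base directory. Class and method names are assumed.
 */
public final class SafeFileWriter {

    // Whitelist quoted in the post as the OWASP ESAPI FileName pattern.
    private static final Pattern FILE_NAME =
            Pattern.compile("^[a-zA-Z0-9.\\-_ ]{0,255}$");

    private final File baseDir;
    private final String baseCanonical;

    public SafeFileWriter(File baseDir) throws IOException {
        this.baseDir = baseDir;
        // (1) DIRECTORY: canonicalize the trusted base once; every target must
        // canonicalize to something strictly below it.
        this.baseCanonical = baseDir.getCanonicalPath();
    }

    /** Returns the file the untrusted name resolves to, or throws if it is rejected. */
    public File resolve(String untrustedName) throws IOException {
        // (3) FILE_NAME: keep only the last path element, so
        // "../../tmp/../../%00....xyz.txt" becomes "%00....xyz.txt".
        String name = new File(untrustedName).getName();
        // Whitelist the characters; "%00....xyz.txt" is rejected because of '%'.
        if (!FILE_NAME.matcher(name).matches()) {
            throw new IOException("rejected file name: " + untrustedName);
        }
        // The whitelist still admits "." and "..", and the name may point at a
        // symlink, so the directory check below is not redundant.
        File target = new File(baseDir, name);
        String canonical = target.getCanonicalPath();
        // (2) FILE_SEPARATOR: File.separator, not System.getProperty("file.separator").
        if (!canonical.startsWith(baseCanonical + File.separator)) {
            throw new IOException("rejected path outside base directory: " + canonical);
        }
        return target;
    }

    public void writeAllText(String untrustedName, String text) throws IOException {
        Files.write(resolve(untrustedName).toPath(), text.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs; the temp directory stands in for the application's upload root.
        File base = Files.createTempDirectory("pm-demo").toFile();
        SafeFileWriter w = new SafeFileWriter(base);
        String[] inputs = {
            "report.txt",                      // accepted
            "../../tmp/../../%00....xyz.txt",  // getName() -> "%00....xyz.txt", whitelist rejects '%'
            "../../etc/passwd",                // getName() -> "passwd", accepted but confined to base
            "..",                              // passes the whitelist, rejected by the canonical check
            "",                                // resolves to base itself, rejected by the canonical check
        };
        for (String in : inputs) {
            try {
                System.out.println("ACCEPT \"" + in + "\" -> " + w.resolve(in).getCanonicalPath());
            } catch (IOException e) {
                System.out.println("REJECT \"" + in + "\" : " + e.getMessage());
            }
        }
        w.writeAllText("report.txt", "hello");
    }
}
```

The order matters: getName() first, so the whitelist sees only the final element; then the character whitelist; then the canonical-path comparison, which is what catches ".." (a string the ESAPI pattern accepts) and any symlink inside the base directory that points outside it, since getCanonicalPath() resolves symlinks.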