0

I am new to the Stack Overflow forum. I have a question in remediating the fortify scan issues.

HP Fortify scan reporting the Resource Injection issue for following code.

String testUrl = "http://google.com";
URL url = null;

try {
   url = new URL(testUrl);
} catch (MalformedURLException mue) {
   log.error("MalformedUrlException URL " + testUrl + " Exception : " + mue);
}

In the above code fortify showing Resource injection in line => url = new URL(testUrl);

I have done following code changes for URL validation using ESAPI to remediate this issue,

String testUrl = "http://google.com";
URL url = null;

try {
   String canonURL = ESAPI.encoder().canonicalize(strurl, false, false);
   if(ESAPI.validator().isValidInput("URLContext", canonURL, "URL", canonURL.length(), false)) {
       url = new URL(canonURL);
   } else {
       log.error("In Valid script URL passed"+ canonURL);
   }
} catch (MalformedURLException mue) {
   log.error("MalformedUrlException URL " + canonURL + " Exception : " + mue);
}

However, still Fortify scan reporting as en error. It is not remeditaing this issue. Anything am doing wrong?

Any solution will help lot.

Thanks,

Marimuthu.M

quintin
  • 671
  • 8
  • 30
mari muthu
  • 1
  • 1
  • 3

3 Answers3

2

I think that the real issue here is not that the URL may be somehow malformed, but, that the URL may not reference a valid site. More specifically, if I, the bad guy, am able to cause your URL to point to my web site, then you obtain data from my location that is not tested and I can return data that may be used to compromise your system. I might use that to say return a record for "bob the bad guy" that makes bob look like a good guy.

I suspect that in your code you do not set a hard coded value in a string, since this is usually described with words such as

When an application permits a user input to define a resource, like a file name or port number, this data can be manipulated to execute or access different resources.

(see https://www.owasp.org/index.php/Resource_Injection)

I think that the proper response will be some combination of:

  1. Do not get the result from the user, but, use the input to choose from your own internal list.

  2. Argue that the value came from a trusted source. For example, read from a strictly controlled database or configuration file.

You do not need to remove the warnings, you need to demonstrate that you understand the risk and indicate why it is OK to use the value in your case.

Andrew
  • 586
  • 5
  • 14
0
boolean isValidInput(java.lang.String context,
                 java.lang.String input,
                 java.lang.String type,
                 int maxLength,
                 boolean allowNull)
                 throws IntrusionException

type filed in isValidInput function defines a Regular expression or pattern to match with your testUrl.

Like:

try {
    ESAPI.validator().getValidInput("URI_VALIDATION", requestUri, "URL", 80, false);        
} catch (ValidationException e) {
    System.out.println("Validation exception");
    e.printStackTrace();
} catch (IntrusionException e) {
    System.out.println("Inrusion exception");
    e.printStackTrace();
}

It will pass if requestUri matches pattern defined in validation.properties under Validator.URL and its length is less than 80.

Validator.URL=^(ht|f)tp(s?)\:\/\/0-9a-zA-Z(:(0-9))(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&%\$#_])?$

quintin
  • 671
  • 8
  • 30
0

This is piggybacking on Andrew's answer, but the problem Fortify is warning you of is user control of a URL. If your application later decides to make connections to that website, and it is untrusted, this is an issue.

If this is an application where you care more about sharing public URIs, than you'll have to accept the risk, and make sure users are properly trained on the inherent risk, as well as make sure if you redisplay those URLs, that someone doesn't try to embed malicious data.

avgvstvs
  • 5,556
  • 6
  • 38
  • 69