    How to eliminate OS Command Injection issues (CWE ID 78) reported by Veracode

    Veracode is a tool that scans applications for security vulnerabilities; for details see http://www.veracode.com

    This post summarizes how to eliminate the OS Command Injection issue (CWE ID 78) from Veracode scan results.

    First, Veracode's definition of OS Command Injection:
    OS command injection vulnerabilities occur when data enters an application from an untrusted source and is used to dynamically construct and execute a system command. This allows an attacker to either alter the command executed by the application or append additional commands. The command is typically executed with the privileges of the executing process and gives an attacker a privilege or capability that he would not otherwise have.

    Next, Veracode's recommendations for fixing the issue:
    Careful handling of all untrusted data is critical in preventing OS command injection attacks. Using one or more of the following techniques provides defense-in-depth and minimizes the likelihood of a vulnerability.
    * If possible, use library calls rather than external processes to recreate the desired functionality.
    * Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using centralized data validation routines when possible.
    * Select safe API routines. Some APIs that execute system commands take an array of strings as input rather than a single string, which protects against some forms of command injection by ensuring that a user-supplied argument cannot be interpreted as part of the command.
    Practice on our existing systems shows that remediation of this class of OS Command Injection issue mainly follows these principles:

    1) Refactor the code so that exactly one function ultimately calls Runtime.exec(...):

        public static Process execAndReturnProcess(String cmd[]) throws Exception
        {
            return execAndReturnProcess(cmd, null);
        }

        public static Process execAndReturnProcess(String cmds[], String envps[]) throws Exception
        {
            // ASEUtils holds the project's centralized validation routines (not shown on this page)
            String[] validatedCmdArray = ASEUtils.validateCommandArray(cmds);
            String[] validatedEnvArray = ASEUtils.validateEnvArray(envps);

            // null means the command was rejected by validation; refuse to run it
            if (null == validatedCmdArray)
            {
                throw new Exception("No permission to execute the command:" + cmds[0]);
            }

            // the single, central call site for Runtime.exec
            Runtime runtime = Runtime.getRuntime();
            Process process = runtime.exec(validatedCmdArray, validatedEnvArray);
            return process;
        }

    2) When calling operating-system commands through Runtime.exec, prefer the overload that takes an array as the command:
    Process exec(String[] cmdarray, String[] envp, File dir)
    rather than the one that takes a single string:
    Process exec(String cmd, String[] envp, File dir)

    3) Veracode checks whether the variables passed to exec() are tainted (for example, values read from a file or from the registry). In that case the original variables must be validated and the result assigned to newly defined variables, which are then passed to Runtime.exec, as in the following code:

        public static Process execAndReturnProcess(String cmds[], String envps[]) throws Exception
        {
            // validated copies are new variables, so the scanner no longer sees the tainted originals reaching exec()
            String[] validatedCmdArray = validateCommandArray(cmds);
            String[] validatedEnvArray = validateEnvArray(envps);

            if (null == validatedCmdArray)
            {
                throw new Exception("No permission to execute the command:" + cmds[0]);
            }

            Runtime runtime = Runtime.getRuntime();
            Process process = runtime.exec(validatedCmdArray, validatedEnvArray);
            return process;
        }

        public static String[] validateCommandArray(String[] cmdArray)
        {
            String[] validatedCmdArray = new String[cmdArray.length];

            for (int i=0; i<cmdArray.length; i++)
            {
                // removeControlCharacter (defined elsewhere in the project, not shown here) strips control characters
                // note: null or blank entries are left null here and should be rejected before exec() is called
                if ( null != cmdArray[i] && cmdArray[i].trim().length()>0)
                {
                    validatedCmdArray[i] = removeControlCharacter(cmdArray[i]);
                }
            }

            return validatedCmdArray;
        }

    4) In addition, you can define a global list of commands that may be executed (a white list) and check every command about to be executed against that list.

        public static final String [] ALLOWED_COMMAND_ROUTINES =
        {
            "cmd",
            "command",
            "sh",
            "env",
        };
        // caveat: "cmd", "command" and "sh" are command interpreters that accept an arbitrary command line as an
        // argument, so with them on the list the argument validation is doing all of the work; the narrower the
        // list of concrete, non-interpreter executables, the stronger this check is

        private static boolean isValidateCommandRoutine(String command)
        {
            boolean isValidRoutine = false;

            for (int i=0; i<ALLOWED_COMMAND_ROUTINES.length; i++)
            {
                // exact match against the allow list (equals() already yields a boolean)
                if (command.equals(ALLOWED_COMMAND_ROUTINES[i]))
                {
                    isValidRoutine = true;
                }
            }

            return isValidRoutine;
        }

        public static String[] validateCommandArray(String cmds[])
        {
            // element 0 is the executable; it must be on the allow list
            boolean isValidRoutine = isValidateCommandRoutine(cmds[0]);

            if (isValidRoutine)
            {
                String[] validatedCmdArray = new String[cmds.length];

                for (int i=0; i<cmds.length; i++)
                {
                    // removeControlCharacter is defined elsewhere in the project (not shown here)
                    if ( null != cmds[i] && cmds[i].trim().length()>0)
                    {
                        validatedCmdArray[i] = removeControlCharacter(cmds[i]);
                    }
                }

                return validatedCmdArray;
            }

            // not on the allow list: caller must refuse to execute
            return null;
        }
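    The following is an added example, not code from the original post: one self-contained Java class that applies the four principles above together (a single choke point, array arguments via ProcessBuilder, a freshly built validated array, and a positive allow list). The class name SafeExec, the allow-listed paths /usr/bin/ls and /usr/bin/env, the ARG_PATTERN filter and the sample inputs in main are this example's own assumptions and constructed values; unlike the list in point 4, it deliberately leaves interpreters such as sh and cmd off the allow list, since "sh -c" would accept an arbitrary command line as an argument.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not the original post's code): a single choke point for
 * launching OS commands. Names and paths here are assumptions for illustration.
 */
public final class SafeExec {

    // Rule 4: positive list of executables that may be launched. Full paths pin
    // the binary instead of relying on a PATH lookup. No interpreters (sh, cmd):
    // they would turn an "argument" back into a whole command line.
    private static final Set<String> ALLOWED_EXECUTABLES = new HashSet<>(Arrays.asList(
            "/usr/bin/ls",
            "/usr/bin/env"));

    // Positive filter for every argument: a conservative printable set, no
    // whitespace, no control characters, no shell metacharacters.
    private static final Pattern ARG_PATTERN = Pattern.compile("^[A-Za-z0-9._/=:@-]{1,255}$");

    private SafeExec() {}

    /** True if the argument matches the positive filter (null is rejected). */
    static boolean isValidArgument(String arg) {
        return arg != null && ARG_PATTERN.matcher(arg).matches();
    }

    /**
     * Rule 3: validate the untrusted array and return a freshly built copy, so the
     * value reaching exec() is a new, validated variable. Returns null if the
     * executable is not allow-listed or any argument fails the filter.
     */
    static String[] validateCommandArray(String[] cmds) {
        if (cmds == null || cmds.length == 0) return null;
        if (!ALLOWED_EXECUTABLES.contains(cmds[0])) return null;
        String[] validated = new String[cmds.length];
        validated[0] = cmds[0];
        for (int i = 1; i < cmds.length; i++) {
            if (!isValidArgument(cmds[i])) return null;
            validated[i] = cmds[i];
        }
        return validated;
    }

    /**
     * Rule 1: the only method in the code base that starts a process.
     * Rule 2: arguments are handed over as separate array elements, never joined
     * into one string, so an argument cannot be parsed as a second command.
     */
    public static Process execAndReturnProcess(String[] cmds) throws IOException {
        String[] validated = validateCommandArray(cmds);
        if (validated == null) {
            throw new SecurityException("Command rejected by allow list or argument filter: "
                    + (cmds == null || cmds.length == 0 ? "<empty>" : cmds[0]));
        }
        ProcessBuilder pb = new ProcessBuilder(validated);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) {
        // Constructed inputs for demonstration only.
        String[] ok = {"/usr/bin/env"};
        String[] injected = {"/usr/bin/ls", "-l; echo injected"}; // rejected: ';' and ' ' fail ARG_PATTERN
        String[] notAllowed = {"/bin/sh", "-c", "id"};             // rejected: /bin/sh is not allow-listed

        System.out.println(Arrays.toString(validateCommandArray(ok)));  // [/usr/bin/env]
        System.out.println(validateCommandArray(injected));             // null
        System.out.println(validateCommandArray(notAllowed));           // null
    }
}
```

    Because validation either returns a brand-new array or null, and exec happens in exactly one method, a taint-tracking scanner has a single call site to review and a clear sanitizer between the untrusted source and the sink; the allow list of full paths is what actually bounds what the process can run.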

    當(dāng)然,如果第三方檢測程序始終認(rèn)為最后的調(diào)用 Runtime.exec(xxx,xx)存在隱患,則可以采用它們提供的注釋或者標(biāo)記等其他方法消除最終的調(diào)用入口。

    實(shí)際上,我們?cè)谧龅谌桨踩珯z測時(shí),使用上面提到的4點(diǎn),Veracode 已經(jīng)可以通過檢測了,但是Fortify不行,所以最后只能在Fortify的系統(tǒng)里標(biāo)記"Not an issue", 忽略這個(gè)最終的Runtime.exec調(diào)用。

    posted on 2011-09-06 10:28 by 想飛就飛, reads (3682), comments (0); categories: J2EE, development tools & environment
