Issues with SAST Custom Configuration

version: 9.9 Datacenter Edition (deployed as zip)

I tried to add some SAST custom configurations based on this documentation:

I tried to add sources and sinks, which works in most cases. But I have a few cases where it is not working. Since the documentation is limited, I don’t know if it is a bug or if I am doing something wrong.

To start things off, here is the simplified servlet code I am testing with:

import java.io.IOException;
import java.util.Optional;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TestServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String badValue = req.getParameter("bad");

        resp.getWriter().write(badValue); // detected by javasecurity:S5131
        resp.getWriter().write(Optional.of(badValue).get()); // #1 not detected by javasecurity:S5131

        HttpSession session = req.getSession();
        Object badValue2 = session.getAttribute("key2");
        resp.getWriter().write(badValue2.toString()); // #2 not detected by javasecurity:S5131
        resp.getWriter().write((String) badValue2); // #2 not detected by javasecurity:S5131

        String badValue3 = (String) session.getAttribute("key3");
        resp.getWriter().write(badValue3); // #2 not detected by javasecurity:S5131
    }
}

Issue #1:
Optional.of(badValue).get() is not recognized as tainted.

When I add these passthroughs it is detected. I don’t know if this is the correct way to do it, or if this is even something that you may provide out-of-the-box in a future release.

{
  "common": {
    "passthroughs": [
      {
        "methodId": "java.util.Optional#of",
        "isMethodPrefix": true,
        "isWhitelist": true,
        "args": [ 1 ]
      },
      {
        "methodId": "java.util.Optional#get",
        "isMethodPrefix": true,
        "isWhitelist": true,
        "args": [ 0 ]
      }
    ]
  }
}

Issue #2:
I defined a custom source so that HttpSession.getAttribute is treated as a tainted source:

{
  "common": {
    "sources": [
      {
        "methodId": "javax.servlet.http.HttpSession#getAttribute(Ljava/lang/String;)Ljava/lang/Object;"
      }
    ]
  }
}

I would have expected this to be enough to identify the XSS. Is this a bug, or am I missing something? The issue could be due to the returned object requiring a cast to String.

Hello @youngroman,

Thank you for reporting this.

What you described is indeed the correct way to define the custom passthroughs and source, and you could have expected both issue #1 and issue #2 to be raised; the casting would not be a problem.

Unfortunately, the method javax.servlet.http.HttpSession#getAttribute(Ljava/lang/String;)Ljava/lang/Object; is handled in a special way by our engine, and this makes it currently not possible to make it part of a custom configuration.

We plan to change this in the future, though I can’t yet give you any information about when it will be done.

Please notice that with the current engine status, if a tainted value was previously set for that given key, the issues would have been raised without the custom source.
For example:

String badValue = req.getParameter("bad"); // tainted request parameter
HttpSession session = req.getSession();
session.setAttribute("key2", badValue); // tainted value stored under the key first
Object badValue2 = session.getAttribute("key2");
resp.getWriter().write(badValue2.toString()); // detected by javasecurity:S5131
resp.getWriter().write((String) badValue2); // detected by javasecurity:S5131

Best,
Roberto
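Added example, not from either post and not SonarSource tooling: a small lint for the custom-configuration format discussed above. It merges the two fragments from the question into one "common" block (constructed input), counts parameters from the JVM descriptor in a methodId, and checks passthrough `args` indexes against the convention assumed here that 0 is the receiver and 1 is the first parameter; the rule that a methodId without a descriptor needs `isMethodPrefix` is likewise an assumption.

```python
import json
import re

# Constructed input: the source and passthrough fragments from the question,
# merged into the single "common" block one custom-configuration file carries.
CUSTOM_CONFIG = r'''
{
  "common": {
    "sources": [
      {"methodId": "javax.servlet.http.HttpSession#getAttribute(Ljava/lang/String;)Ljava/lang/Object;"}
    ],
    "passthroughs": [
      {"methodId": "java.util.Optional#of", "isMethodPrefix": true, "isWhitelist": true, "args": [1]},
      {"methodId": "java.util.Optional#get", "isMethodPrefix": true, "isWhitelist": true, "args": [0]}
    ]
  }
}
'''

# One JVM field-type descriptor: optional array dims, then a primitive or Lpkg/Class;
_PARAM_RE = re.compile(r'\[*(?:[BCDFIJSZ]|L[^;]+;)')

def count_params(method_id):
    """Parameter count from a full JVM descriptor, or None for the prefix form
    (e.g. java.util.Optional#of, which carries no descriptor)."""
    m = re.search(r'\((.*)\)', method_id)
    return None if not m else len(_PARAM_RE.findall(m.group(1)))

def check_entry(kind, entry):
    """Problems found in one sources/passthroughs entry (empty list when fine).
    Assumed index convention: 0 = receiver (this), 1 = first parameter."""
    problems = []
    method_id = entry.get("methodId", "")
    if "#" not in method_id:
        return [f"{kind}: methodId '{method_id}' lacks the Class#method form"]
    n = count_params(method_id)
    if n is None and not entry.get("isMethodPrefix"):  # assumed requirement
        problems.append(f"{kind}: '{method_id}' has no descriptor and isMethodPrefix is not set")
    if kind == "passthroughs":
        args = entry.get("args", [])
        if not args:
            problems.append(f"{kind}: '{method_id}' needs at least one tainted arg index")
        for i in args:
            if i < 0 or (n is not None and i > n):
                problems.append(f"{kind}: '{method_id}' arg index {i} outside 0..{n}")
    return problems

def lint_config(text):
    """Parse a custom-configuration JSON string and return all problems found."""
    cfg = json.loads(text)
    problems = []
    for kind in ("sources", "passthroughs"):
        for entry in cfg.get("common", {}).get(kind, []):
            problems.extend(check_entry(kind, entry))
    return problems
```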
