
HP Fortify Validation Rules on Path Manipulation


I am running code through HP Fortify and have some path manipulation findings. I understand the context of it and am trying to resolve it.

Instead of going through all the places where SOME path values are queried from a database to store output files (logs, export data, whatever), I tried to centralize it. So, instead of having File.WriteAllText() with some path + file name, content, I wanted to wrap it into FortifyFileWriteAllText(). Then, in this function I do the path validation check once up front, and if valid, only then allow the write to continue, such as...

public static bool FortifyFileWriteAllText( string fileToWrite, string content)
{
   if( ! MyPathValidationRoutine( fileToWrite ))
      return false;

   File.WriteAllText( fileToWrite, content );
   return true;
}

So, I know this is a very abbreviated version of the actual validation and preventing bad writes, but I call Path.GetFullPath() to prevent any such ..\..\.. path references. Then I look at the final path and explicitly PREVENT things like root C:, C:\Windows and some others, but also have a "CLEAN" list of paths.

So, how would I go about applying a rule that says anything going to this routine is OK and has explicitly been checked and is OK?


Solution

  • If you do it right, the Fortify data flow analyzer will track along your data path, see some expected functions (i.e. getCanonicalPath(), pattern.matcher(), etc.) and trigger a sink rule that generates TAINTFLAG=VALIDATED_PATH_MANIPULATION. Then, when the data flow analyzer sees this particular TAINTFLAG, it will mute the issue reporting. This process happens by design. If you implemented the function FortifyFileWriteAllText() and Fortify still complains, it may be because Fortify does not like the method you are using.

    If you believe that the function FortifyFileWriteAllText() does prevent the PM, here is the custom sink rule to create the VALIDATED_PATH_MANIPULATION taint flag for you. Put it in the ~FORTIFY_HOME/Core/config/rules directory to use it.

    <?xml version="1.0" encoding="UTF-8"?>
    <RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
        <RulePackID>YOUR RULE PACK NAME HERE</RulePackID>
        <SKU>SKU-ANY THING HERE</SKU>
        <Name><![CDATA[ANY THING HERE]]></Name>
        <Version>1.0</Version>
        <Description><![CDATA[]]></Description>
        <Rules version="6.31">
            <RuleDefinitions>
                <DataflowSinkRule formatVersion="6.31" language="java">
                    <MetaInfo>
                        <Group name="MyCompany">Path Manipulation Remediation</Group>
                        <Group name="Accuracy">4</Group>
                        <Group name="Impact">3</Group>
                        <Group name="RemediationEffort">3</Group>
                        <Group name="Probability">4</Group>
                        <Group name="audience">targeted,medium,broad,dev,fod</Group>
                    </MetaInfo>
                    <RuleID>put-your-rule-id here-with-prefix-for-future-statistics</RuleID>
                    <VulnKingdom>Input Validation and Representation</VulnKingdom>
                    <VulnCategory>Path Manipulation</VulnCategory>
                    <DefaultSeverity>3.0</DefaultSeverity>
                    <Description ref="desc.dataflow.java.path_manipulation">
                        <Explanation append="true"><![CDATA[This issue is being reported by "your rule name here".]]></Explanation>
                    </Description>
                    <Sink>
                        <InArguments>this</InArguments>
                        <Conditional>
                            <Not>
                                <TaintFlagSet taintFlag="VALIDATED_PATH_MANIPULATION"/>
                            </Not>
                        </Conditional>
                    </Sink>
                    <FunctionIdentifier>
                        <NamespaceName>
                            <Pattern>com.yourpackage</Pattern>
                        </NamespaceName>
                        <ClassName>
                            <Pattern>yourclass</Pattern>
                        </ClassName>
                        <FunctionName>
                            <Pattern>FortifyFileWriteAllText</Pattern>
                        </FunctionName>
                        <ApplyTo implements="true" overrides="true" extends="true"/>
                    </FunctionIdentifier>
                </DataflowSinkRule>
            </RuleDefinitions>
        </Rules>
    </RulePack>
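
The validation the question describes (Path.GetFullPath() followed by a check against a "CLEAN" list of paths) can be written as below; this is an added example, not code from the question or the answer. The class name, method names and allowed roots are assumptions, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security;

public static class CheckedFileWriter
{
    // Assumption: the only directories this application may write to (constructed values).
    private static readonly string[] AllowedRoots = { @"C:\AppData\Exports", @"C:\AppData\Logs" };

    // Canonicalizes candidate; succeeds only if the result lies inside an allowed root.
    public static bool TryResolveAllowedPath(string candidate, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        string resolved;
        try
        {
            resolved = Path.GetFullPath(candidate); // collapses "." and ".." segments
        }
        catch (Exception ex) when (ex is ArgumentException || ex is NotSupportedException
                                   || ex is PathTooLongException || ex is SecurityException)
        {
            return false;
        }
        // The trailing separator keeps C:\AppData\Exports_old from matching C:\AppData\Exports.
        bool inside = AllowedRoots
            .Select(r => Path.GetFullPath(r).TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar)
            .Any(root => resolved.StartsWith(root, StringComparison.OrdinalIgnoreCase));
        if (inside) fullPath = resolved;
        return inside;
    }

    public static bool WriteAllTextChecked(string fileToWrite, string content)
    {
        if (!TryResolveAllowedPath(fileToWrite, out string fullPath)) return false;
        File.WriteAllText(fullPath, content); // write to the checked path, not the raw input
        return true;
    }

    public static void Main()
    {
        // Constructed inputs: inside a root, traversal out of a root, sibling with a shared prefix.
        foreach (var p in new[] { @"C:\AppData\Exports\2024\report.csv",
                                  @"C:\AppData\Exports\..\..\Windows\win.ini",
                                  @"C:\AppData\Exports_old\report.csv" })
            Console.WriteLine($"{p} -> {TryResolveAllowedPath(p, out _)}");
    }
}
```

Path.GetFullPath() does not resolve symbolic links or junctions, so the allowed roots should be directories in which untrusted users cannot create links.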