Veracode is a tool that scans applications for security vulnerabilities; see http://www.veracode.com for details.
This post summarizes how to eliminate the CRLF (Carriage Return, Line Feed) Injection issues (CWE ID 117) that Veracode reports.
First, Veracode's definition of a CRLF Injection issue:
The acronym CRLF stands for "Carriage Return, Line Feed" and refers to the sequence of characters used to denote the end of a line of text. CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not properly validated before being used. For example, if an attacker is able to inject a CRLF into a log file, he could append falsified log entries, thereby misleading administrators or cover traces of the attack. If an attacker is able to inject CRLFs into an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning. CRLF vulnerabilities primarily affect data integrity.
Next, Veracode's recommendation for fixing it:
Apply robust input filtering for all user-supplied data, using centralized data validation routines when possible. Use output filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity equivalents.
Example:
log.debug("xxxxxxxxxxxxxx");
// The xxxxx part may come from an environment variable or another external source, so Veracode flags it as a potential CRLF injection.
Experience fixing this in an existing system shows that eliminating this class of CRLF Injection issue comes down to two rules:
1) Use Character.isISOControl to strip control characters (including CR and LF) from the variable.
2) Return a new string after validation, and log that string rather than the original.
// Returns a copy of input with every ISO control character (CR, LF, TAB, ESC, ...) removed.
// The string is walked by char offset, advancing by Character.charCount(codePoint),
// because codePointAt() takes a char index, not a code point index; mixing the two
// mishandles supplementary characters such as emoji.
public static final String removeControlCharacter(String input)
{
    if (input == null)
    {
        return "";
    }
    StringBuilder sb = new StringBuilder(input.length());
    int i = 0;
    while (i < input.length())
    {
        int codePoint = input.codePointAt(i);
        if (!Character.isISOControl(codePoint))
        {
            sb.appendCodePoint(codePoint);
        }
        i += Character.charCount(codePoint); // 1 for BMP characters, 2 for supplementary ones
    }
    return sb.toString();
}
修改后如下所示:
log.debug(FileUtil.removeControlCharacter("xxxxxxxxxxxxxx"));
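The following is an added example, not code from the original post or from Veracode. It contrasts two ways of neutralizing line breaks before a value reaches a log line: stripping all ISO control characters (the approach above, walked correctly by code point) and escaping CR/LF so the suspicious input stays visible in the log for later investigation. The class name, method names and the sample username are my own constructions.

```java
/**
 * Added example (not from the original post): neutralizing CRLF in log input.
 * Stripping removes the control characters; escaping keeps them visible so a
 * reviewer can still tell that someone tried to inject a line break.
 */
public class LogSanitizerDemo {

    /** Drop every ISO control character, walking the string by code point. */
    public static String stripControlChars(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length());
        int i = 0;
        while (i < input.length()) {
            int cp = input.codePointAt(i);      // i is a char offset, not a code point index
            if (!Character.isISOControl(cp)) {
                sb.appendCodePoint(cp);
            }
            i += Character.charCount(cp);       // advance 2 for supplementary characters
        }
        return sb.toString();
    }

    /** Keep the evidence: render CR and LF as visible escapes instead of dropping them. */
    public static String escapeLineBreaks(String input) {
        if (input == null) {
            return "";
        }
        return input.replace("\r", "\\r").replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample: a username field carrying an embedded line break.
        String untrusted = "alice\r\nWARN  account locked: bob";

        System.out.println("--- raw value (second line looks like a separate log entry) ---");
        System.out.println("INFO  login attempt user=" + untrusted);
        System.out.println("--- stripped (line break gone, entry stays on one line) ---");
        System.out.println("INFO  login attempt user=" + stripControlChars(untrusted));
        System.out.println("--- escaped (one line, attempt remains visible) ---");
        System.out.println("INFO  login attempt user=" + escapeLineBreaks(untrusted));
    }
}
```

Note that Character.isISOControl also matches TAB, so stripping may alter legitimate tab-separated values; escaping only CR and LF is the narrower fix when that matters.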