Hello folks - I have a situation where we have code that does something like this:

    import java.io.IOException;
    import java.util.List;

    class OurProcess {
        List<String> cleansedCommand;

        public OurProcess(List<String> command) {
            // Validator.cleanseCommand is the method the custom cleanse rule below targets
            cleansedCommand = Validator.cleanseCommand(command);
        }

        public void executeCmd() throws IOException {
            // ProcessBuilder.start() is the sink Fortify flags as Command Injection
            ProcessBuilder pb = new ProcessBuilder(cleansedCommand);
            pb.start();
            .......
            .......
        }
    }
I have spent quite some time reading the docs on data flow cleanse rules, but I was not able to get a clean report; the following Command Injection vuln is still reported for the above (I renamed the class file):

"The method start() in OurProcess.java calls ProcessBuilder() to execute a command. This call might allow an attacker to inject malicious commands."

I have a custom rule for which I am not seeing any result on the above snippet:
    <?xml version="1.0" encoding="UTF-8"?>
    <RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
      <RulePackID>.....</RulePackID>
      <SKU>.....</SKU>
      <Name><![CDATA[...l]]></Name>
      <Version>1.0</Version>
      <Description><![CDATA[]]></Description>
      <Rules version="22.2.1">
        <RuleDefinitions>
          <DataflowCleanseRule formatVersion="22.2.1" language="java">
            <RuleID>....</RuleID>
            <TaintFlags>+VALIDATED_COMMAND_INJECTION</TaintFlags>
            <FunctionIdentifier>
              <NamespaceName>
                <Pattern>....Some valid package for Validator......</Pattern>
              </NamespaceName>
              <ClassName>
                <Pattern>Validator</Pattern>
              </ClassName>
              <FunctionName>
                <Pattern>cleanseCommand</Pattern>
              </FunctionName>
              <ApplyTo implements="true" overrides="true" extends="true"/>
            </FunctionIdentifier>
            <OutArguments>return</OutArguments>
          </DataflowCleanseRule>
        </RuleDefinitions>
      </Rules>
    </RulePack>
Can anyone point out what I am doing wrong? I really appreciate any help or hint. I use Audit Workbench after sourceanalyzer -scan to verify the whole thing.
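As an added check (example code, not from the original post and not part of Fortify): before looking at taint flags, confirm the rulepack file actually parses and that the cleanse rule sits under Rules/RuleDefinitions, which is where the rulepack format places rule elements. The script parses a constructed copy of the rule above with namespace-aware ElementTree and lists each DataflowCleanseRule's target, taint flags and out-arguments; a closing tag with no opening tag, or a rule outside the RuleDefinitions wrapper, fails the check. The RulePackID, RuleID and package pattern are placeholders, since the post elides them.

```python
import xml.etree.ElementTree as ET

# Rulepack namespace, copied from the xmlns attribute on the posted RulePack element.
NS = {"f": "xmlns://www.fortifysoftware.com/schema/rules"}

# Constructed sample: the posted rule with the RuleDefinitions wrapper present and placeholder ids.
RULEPACK = """<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>PLACEHOLDER-RULEPACK-ID</RulePackID>
  <Name><![CDATA[Custom cleanse rules]]></Name>
  <Rules version="22.2.1">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="22.2.1" language="java">
        <RuleID>PLACEHOLDER-RULE-ID</RuleID>
        <TaintFlags>+VALIDATED_COMMAND_INJECTION</TaintFlags>
        <FunctionIdentifier>
          <NamespaceName><Pattern>com\\.example\\.security</Pattern></NamespaceName>
          <ClassName><Pattern>Validator</Pattern></ClassName>
          <FunctionName><Pattern>cleanseCommand</Pattern></FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>"""

def is_well_formed(xml_text):
    """False if the XML does not parse, e.g. a closing tag with no opening tag."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def load_cleanse_rules(xml_text):
    """Return one dict per DataflowCleanseRule nested under Rules/RuleDefinitions."""
    root = ET.fromstring(xml_text)
    defs = root.find("f:Rules/f:RuleDefinitions", NS)
    if defs is None:
        raise ValueError("missing Rules/RuleDefinitions wrapper around the rules")
    rules = []
    for rule in defs.findall("f:DataflowCleanseRule", NS):
        ident = rule.find("f:FunctionIdentifier", NS)
        # Namespace, class and function patterns joined into one dotted target.
        target = ".".join(ident.findtext("f:%s/f:Pattern" % part, namespaces=NS)
                          for part in ("NamespaceName", "ClassName", "FunctionName"))
        rules.append({"id": rule.findtext("f:RuleID", namespaces=NS), "target": target,
                      "taint_flags": rule.findtext("f:TaintFlags", namespaces=NS),
                      "out_arguments": rule.findtext("f:OutArguments", namespaces=NS)})
    return rules
```

Running load_cleanse_rules on your real rulepack file (read it with open(...).read()) shows at a glance whether the target pattern matches the fully qualified name of Validator.cleanseCommand that Fortify will see.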