Command Injection vulnerability in Java

Hello,

Does anyone have a working solution to the Command Injection flaw in Java reported by HP Fortify? I have this vulnerability reported by HP Fortify in my application and I have attempted to fix it by doing the following:

1. Create absolute path to the command in the code instead of invoking the command from "PATH" environment variable.

2. Validate the user inputs coming from HTTPRequest before passing it as argument to the command.

However, even after doing so HP Fortify continues to report this with the same Severity Level 1 vulnerability.

Below is the sample code snippet where this issue is reported. (Note this snippet does not show any of the above points I have attempted to resolve the vulnerability)

<snip>

        // Requires: import java.io.IOException; import javax.servlet.http.HttpServletRequest;
        private void getMemoryDetails(HttpServletRequest req) throws IOException {
            String liveOption = req.getParameter("live") == null ? "true" : req.getParameter("live");
            String options = Boolean.valueOf(liveOption) ? "-histo:live" : "-histo";
            // Untrusted request parameter passed straight through as a command argument
            String jbossProcessId = req.getParameter("pid");
            ProcessBuilder pb = new ProcessBuilder("jmap", options, jbossProcessId);
            // ProcessBuilder.start() throws IOException, hence the throws clause above
            Process jmapProcess = pb.start();
        }

</snip>

Any help and pointers are appreciated.

Regards,

Nitin

  • Hi Nitin,

    In general, whenever SCA finds a path from some non-trusted input ('source' in Fortify terminology) to a potentially harmful operation ('sink') it will report this as a vulnerability. For example, in your sample code the non-trusted 'pid' request parameter is used to execute a command.

    Even if you pass the jbossProcessId variable through some validation function, SCA may still report the vulnerability because it doesn't recognize that this function validates the variable. You can create a Fortify custom rule that tells SCA that this specific function is actually a validation function.
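
An added example (not code from the thread) of the two fixes described in the original post, with the pid check pulled into a dedicated validation method of the kind Ruud suggests marking with a custom rule. The absolute jmap path is an assumption; the sample inputs in main are constructed.

```java
import java.io.IOException;

public class MemoryDetails {
    // Assumed absolute path (fix 1 from the original post); adjust to the installed JDK.
    private static final String JMAP = "/usr/lib/jvm/java-8-openjdk/bin/jmap";

    // Dedicated validation function (fix 2). Keeping it as one method gives Fortify
    // a single function to target with a Command Injection Validation rule.
    // Returns a canonical, digits-only pid or throws IllegalArgumentException.
    static String validatePid(String raw) {
        if (raw == null) throw new IllegalArgumentException("pid missing");
        long pid;
        try {
            pid = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("pid must be numeric", e);
        }
        if (pid <= 0) throw new IllegalArgumentException("pid must be positive");
        // Re-serialise from the parsed number so no raw request bytes reach the command line
        return Long.toString(pid);
    }

    // Only the two fixed option strings can ever be emitted, whatever "live" contains.
    static String histoOption(String live) {
        return Boolean.parseBoolean(live == null ? "true" : live) ? "-histo:live" : "-histo";
    }

    // liveParam and pidParam are the values of req.getParameter("live") / ("pid").
    static String[] buildCommand(String liveParam, String pidParam) {
        return new String[] { JMAP, histoOption(liveParam), validatePid(pidParam) };
    }

    static Process runJmap(String liveParam, String pidParam) throws IOException {
        return new ProcessBuilder(buildCommand(liveParam, pidParam)).start();
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid, one with whitespace, two malformed
        String[] samples = { "4242", " 17 ", "4242 extra", "-1" };
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> " + String.join(" ", buildCommand("true", s)));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```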

  • Hello Ruud,

    Thank you for your reply.

    Can you please point me to documentation for writing Fortify custom rule for SCA?

    I would mention that when I added a method to validate jbossProcessId to be an Integer, HP Fortify SCA lowered the Severity from Level 1 to Level 2 in my latest report; however, it has not completely marked the vulnerability as eliminated. So at the moment I am not sure if SCA is completely turning a blind eye to the validation I have put in place.

    Regards,

    Nitin

  • Hi Nitin,

    Custom rules documentation is available with the SCA installation media/ISO file: Documentation\HP_Fortify_SCA_Custom_Rules_Guide_<version>.zip

    In your case, probably the easiest way to generate a rule for your validation function is as follows:

    • Open your scan results in Audit WorkBench
    • Find your validation function in the Functions view on the right hand side
    • Right-click this function, then select 'Generate Rule for Function'
    • Expand DataflowCleanseRule and select 'Command Injection Validation Rule'
    • Follow the wizard to generate your custom rule
    • Run a new scan with the custom rule enabled (sourceanalyzer -rules option, or by copying the custom rules file to <SCA install dir>\Core\config\customrules folder before running the new scan).

    Kind regards,

    Ruud

  • Support is also trying to maintain copies of the documents here on Protect724.

    See 

    The Custom Rules doc appears to be missing from the most recent 4.20 and 4.21 areas, but here are the copies from

    • 4.10: 
    • 4.00: 
  • Hello Ruud,

    Thank you for quick response. I will go through the document you pointed out.

    I have one question regarding the Command Injection vulnerability reported by HP Fortify. HP Fortify is reporting a Level 2 severity for below code.

    ProcessBuilder pb = new ProcessBuilder("jps");

    Obviously there isn't any unvalidated user input (from an untrusted source) going into this command. Then why is HP Fortify reporting this as a Level 2 severity CI vulnerability? This is quite strange.

    Regards,

    Nitin

  • Hello Hans,

    Thank you for pointing out the documentation.

    Regards,

    Nitin