Dynamic Code Evaluation validation not picked up by SCA


In my Java application, I have a JavaScript engine loaded at run time to evaluate a formula written in JavaScript. The source of this formula is a database table. HP Fortify reported this as a Dynamic Code Evaluation: Code Injection issue.

As part of fixing the issue, I introduced a validation method that checks whether the formula expression matches a given pattern using a regular expression. Since the pattern of the formula is always the same, it is viable for me to validate it against that pattern. This validation avoids executing any untrusted JavaScript code; only a formula of the expected pattern is allowed to be executed.

However, I notice that HP Fortify is not detecting that this validation is in place, and hence it should not report this as vulnerable. Can somebody let me know whether one is required to write a custom data cleanse rule for HP Fortify to detect this?
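The allowlist validation described in the post, as an added example that is not the poster's code and not Fortify's: a database-supplied formula is matched in full against an anchored pattern, parentheses are balanced separately (a regex cannot do that), and variable values are passed to the engine as bindings rather than concatenated into the script. The formula grammar (identifiers, decimal numbers, `+ - * /`, parentheses), the `FormulaEvaluator` class, the `MAX_LENGTH` limit, the sample rows and the use of the `nashorn` engine are all assumptions standing in for the real application.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Added example (not from the original post): allowlist a formula read from a
 * database before handing it to the JavaScript engine. The grammar below is an
 * ASSUMPTION standing in for the real formula pattern.
 */
public final class FormulaEvaluator {

    // An operand is a short identifier or a decimal number; no quotes, no dots
    // outside numbers, so strings and property access cannot be expressed.
    private static final String OPERAND =
        "(?:[A-Za-z_][A-Za-z0-9_]{0,31}|\\d{1,15}(?:\\.\\d{1,6})?)";

    // Used with matches(), so the whole string must conform. Every loop iteration
    // must consume an operator, so there is no catastrophic backtracking.
    private static final Pattern FORMULA = Pattern.compile(
        "\\(*" + OPERAND + "\\)*(?:\\s*[-+*/]\\s*\\(*" + OPERAND + "\\)*)*");

    private static final int MAX_LENGTH = 256; // assumed upper bound for a formula

    private final ScriptEngine engine;

    public FormulaEvaluator() {
        // "nashorn" ships with JDK 8 to 14; on newer JDKs register a standalone engine.
        this.engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            throw new IllegalStateException("no JavaScript engine available");
        }
    }

    /** True only when the whole string is a formula in the allowlisted grammar. */
    public static boolean isValidFormula(String formula) {
        if (formula == null || formula.length() > MAX_LENGTH) {
            return false;
        }
        String trimmed = formula.trim();
        if (!FORMULA.matcher(trimmed).matches()) {
            return false;
        }
        // The regex admits any number of parentheses; balance them here.
        int depth = 0;
        for (char c : trimmed.toCharArray()) {
            if (c == '(') {
                depth++;
            } else if (c == ')' && --depth < 0) {
                return false;
            }
        }
        return depth == 0;
    }

    /** Evaluates a validated formula; variable values go in as bindings, never into the script text. */
    public double evaluate(String formula, Map<String, Double> variables) throws ScriptException {
        if (!isValidFormula(formula)) {
            throw new IllegalArgumentException("formula rejected by allowlist");
        }
        Bindings bindings = engine.createBindings();
        bindings.putAll(variables);
        Object result = engine.eval(formula.trim(), bindings);
        if (!(result instanceof Number)) {
            // e.g. an identifier that resolved to a function or object, not a value
            throw new ScriptException("formula did not produce a number");
        }
        return ((Number) result).doubleValue();
    }

    public static void main(String[] args) throws ScriptException {
        // Constructed sample rows standing in for the database table.
        String[] rows = {
            "(base + bonus) * rate",                                  // accepted
            "1+1; java.lang.Runtime.getRuntime().exec('calc')",       // rejected: ';' and quotes
            "base.constructor.constructor('return 1')()",             // rejected: property access
            "base) + (1",                                             // rejected: unbalanced parens
        };
        for (String row : rows) {
            System.out.println(row + " -> valid=" + isValidFormula(row));
        }
        Map<String, Double> vars = new HashMap<>();
        vars.put("base", 100.0);
        vars.put("bonus", 20.0);
        vars.put("rate", 1.5);
        System.out.println(new FormulaEvaluator().evaluate(rows[0], vars)); // 180.0
    }
}
```

Two points a reviewer would raise against this shape of fix: the grammar is an allowlist, so a missing construct surfaces as a rejected formula rather than as an injection, which is the right failure direction; and a static analyser cannot know from the regex alone that `isValidFormula` neutralises the taint, so unless the validator is declared to the tool (for Fortify, the custom data cleanse rule the question mentions) the finding will keep appearing regardless of how strict the pattern is.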




