Absent Member.

Dynamic Code Evaluation validation not picked by SCA


Hello,

In my Java application, I have a JavaScript engine loaded at run time to evaluate a formula written in JavaScript. The source of this formula is a database table. HP Fortify reported this as a Dynamic Code Evaluation: Code Injection issue.

As part of fixing the issue, I introduced a validation method that checks whether the formula expression matches a given pattern using a regular expression. Since the pattern of the formula is always the same, it is viable for me to validate it against that pattern. This validation avoids executing any untrusted JavaScript code; only the expected pattern of formula is allowed to be executed.

However, I notice that HP Fortify is not detecting that this validation is in place, and hence it should not report this as vulnerable. Can somebody let me know whether one is required to write a custom datacleanse rule for HP Fortify to detect this?

Thanks.

Regards,

Nitin

Accepted Solutions
Absent Member.

Not sure in your specific case but most likely: yes, you should write your own rule to pick up the validation method.

Absent Member.

Thank you Geert Sman for your reply. I wrote the dataflowcleanse rule and it worked. The TaintedFlag to be used for writing the dataflowcleanse rule in this case is +VALIDATED_DYNAMIC_CODE_EVALUATION_CODE_INJECTION.
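To make concrete what the question and the accepted answer are talking about, here is an added example of the kind of allow-list validator that sits between the database and the JavaScript engine, and of the method a custom Fortify dataflow cleanse rule would point at. This is illustrative code written for this page; it is not Nitin's code and not anything shipped by Fortify. The class and method names (`FormulaEvaluator`, `validateFormula`), the variable names (`price`, `quantity`, `discount`) and the formula grammar are all assumptions chosen for the example.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/** Example only: an allow-list validator placed between the database and the JavaScript engine. */
public final class FormulaEvaluator {

    /** Variables a formula may reference; the names are assumed for this example. */
    private static final Set<String> ALLOWED_VARIABLES = Set.of("price", "quantity", "discount");

    /** Upper bound on formula length, so oversized rows never reach the regex or the engine. */
    private static final int MAX_LENGTH = 200;

    /** One token: a decimal number or a plain identifier (no member access, calls, strings or brackets). */
    private static final String TOKEN = "(?:\\d+(?:\\.\\d+)?|[A-Za-z_][A-Za-z0-9_]*)";

    /** Whole formula: token (operator token)*, using only the four arithmetic operators. */
    private static final Pattern FORMULA =
        Pattern.compile("^\\s*" + TOKEN + "(?:\\s*[-+*/]\\s*" + TOKEN + ")*\\s*$");

    /** Picks identifiers back out of a formula that already passed the shape check. */
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /**
     * Returns the formula unchanged if it matches the allowed grammar, otherwise throws.
     * This is the method a DataflowCleanseRule would target: its return value is what the
     * +VALIDATED_DYNAMIC_CODE_EVALUATION_CODE_INJECTION taint flag from the reply above should mark.
     */
    public static String validateFormula(String formula) {
        if (formula == null || formula.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("formula missing or too long");
        }
        if (!FORMULA.matcher(formula).matches()) {
            throw new IllegalArgumentException("formula does not match the allowed grammar");
        }
        // Shape alone is not enough: a bare identifier could still name an engine global,
        // so every identifier must be one of the variables we bind ourselves.
        Matcher m = IDENTIFIER.matcher(formula);
        while (m.find()) {
            if (!ALLOWED_VARIABLES.contains(m.group())) {
                throw new IllegalArgumentException("unknown variable: " + m.group());
            }
        }
        return formula;
    }

    /** Evaluates a validated formula with the given variable values bound into the engine. */
    public static double evaluate(String formulaFromDatabase, Map<String, Double> variables)
            throws ScriptException {
        String safeFormula = validateFormula(formulaFromDatabase);

        // "JavaScript" resolves to Nashorn on JDK 8 to 14; JDK 15 and later need a separate engine on the classpath.
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            throw new IllegalStateException("no JavaScript engine available");
        }
        Bindings bindings = engine.createBindings();
        for (String name : ALLOWED_VARIABLES) {
            bindings.put(name, variables.getOrDefault(name, 0.0));
        }
        Object result = engine.eval(safeFormula, bindings);
        return ((Number) result).doubleValue();
    }

    public static void main(String[] args) throws ScriptException {
        Map<String, Double> vars = Map.of("price", 10.0, "quantity", 3.0, "discount", 0.5);

        // Constructed sample rows standing in for the database table.
        String[] rows = {
            "price * quantity - discount",                       // fits the grammar and uses known variables
            "price * quantity; java.lang.Runtime.getRuntime()",  // ';', '.' and '(' are not in the grammar
            "total + 1"                                          // 'total' is not an allowed variable
        };
        for (String row : rows) {
            try {
                System.out.println(row + " => " + evaluate(row, vars));
            } catch (IllegalArgumentException e) {
                System.out.println(row + " => rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design points worth noting. The regex is an allow-list describing the only shape a formula may take, not a deny-list of dangerous substrings, so anything outside plain arithmetic over named variables (member access, calls, string literals, statement separators) is rejected without needing to be anticipated. And because the validator returns the same string it was given, a custom cleanse rule in Fortify only has to say that the return value of `validateFormula` carries the flag named in the reply; the flow from the database into `engine.eval` then passes through a method Fortify knows about, which is exactly the gap the question describes.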
