Cadet 3rd Class

How do we validate input so that fortify identifies it as a solution?


I am trying to validate an SMTP header so that Fortify can identify it as a fix.

Here is an example:

// Reject anything outside letters, digits and spaces before it reaches the header
if (!subject.matches("^[A-Z a-z 0-9]*$")) {
    throw new IllegalArgumentException();
}
message.setSubject(subject);

This still gets flagged by Fortify. What do I need to do to ensure proper validation?

Thanks


Accepted Solutions
Commodore

Hi,

The best way to do that is to create a validation function that returns a String.

For example:

// Validates a header value and returns it unchanged; Fortify can then be told
// (via a cleanse rule) that whatever this method returns is trusted.
public String validateHeaders(String header) {

   if (!header.matches("^[A-Z a-z 0-9]*$")) {
       throw new IllegalArgumentException();
   }

   return header;

}

Then use it to validate the parameter you need:

message.setSubject(validateHeaders(subject));

And create a custom rule (Cleanse Rule) that trusts the result value of the "validateHeaders" function. Include this rule in the next scan and the issue will not appear again.

Cheers.

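The approach in the accepted answer, worked through as an added example (this is not code from the original thread or from Fortify): the validation lives in its own method with a fixed class and method name, because a dataflow cleanse rule identifies a function by name and marks its return value as cleansed, which an inline check can never be. The allow-list regex is the thread's own ("^[A-Z a-z 0-9]*$", written here without the stray spaces since a character class cannot contain CR or LF either way), the class name HeaderValidator and the length bound are assumptions, and the sample inputs are constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example, not part of the original post. Dedicated validator for
 * SMTP header values; the class and method names are the ones a Fortify
 * cleanse rule would have to reference (both names are assumptions).
 */
public final class HeaderValidator {

    // Allow-list from the thread: letters, digits and spaces only. Because
    // CR and LF are outside the class, no value that passes this check can
    // start a new header line, which is what SMTP header injection relies on.
    private static final Pattern SAFE_HEADER = Pattern.compile("^[A-Za-z0-9 ]*$");

    // Upper bound is an assumption; RFC 5322 recommends lines of at most 78 characters.
    private static final int MAX_LENGTH = 78;

    private HeaderValidator() {
    }

    /** Returns the header unchanged when it is safe, otherwise throws. */
    public static String validateHeaders(String header) {
        if (header == null) {
            throw new IllegalArgumentException("header must not be null");
        }
        if (header.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("header exceeds " + MAX_LENGTH + " characters");
        }
        if (!SAFE_HEADER.matcher(header).matches()) {
            throw new IllegalArgumentException("header contains characters outside the allow-list");
        }
        return header;
    }

    /** Non-throwing wrapper used by the demo below. */
    public static boolean isSafeHeader(String header) {
        try {
            validateHeaders(header);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate subject, then values that
        // carry the '\r' and '\n' characters mentioned in the thread.
        String[] samples = {
            "Monthly report",
            "Monthly report\r\nX-Injected: value",
            "Monthly report\nX-Injected: value",
            "Monthly report\r",
            ""
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println((isSafeHeader(s) ? "accepted" : "rejected") + "  <- \"" + shown + "\"");
        }
    }
}
```

The call site stays exactly as the answer shows it, message.setSubject(HeaderValidator.validateHeaders(subject)), so the value reaching setSubject is always the return value of the method named in the cleanse rule. The inline check from the question is semantically just as strict; Fortify keeps reporting it only because the analyzer has no way to know that an arbitrary regex test cleanses the data, which is why the rule has to point at a named method and its return value.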
3 Replies
Cadet 3rd Class
Cadet 3rd Class

Jaime,

I tried exactly the same method and it still does not work. I also tried to use the ESAPI validator and checking for the presence of the characters '\n' and '\r'.

Do you have any idea what other solution could help?

Thank you in advance

0 Likes

Also, creating a custom rule to trust any function/method is not that straightforward. Does anyone have any experience creating custom rules, or any document on this?

0 Likes