I have two questions regarding Fortify.
1 - Lets say I have a windows forms app, which asks for a username
and password, and the name of the textbox for password is
texboxPassword. So in the designer file, you have the following,
generated by the designer.
//
// texboxPassword
//
this.texboxPassword.Location = new System.Drawing.Point(16, 163);
this.texboxPassword.Name = "texboxPassword";
this.texboxPassword.Size = new System.Drawing.Size(200, 73);
this.texboxPassword.TabIndex = 3;
Fortify marks this as a password in comment issue. How can I suppress this by creating a custom rule? I don't want to suppress the whole issue because I still would like to catch certain patterns (such as password followed by = or : in comments) but the blanket search where any line that contains password is flagged is creating so many false positives. I looked into creating a structural rule but could not figure out how to remove the associated tag (where can I find the tag for password in comment anyways?)
2 - Let's say I have a custom UI control. This control html encodes everything and in my context, it is good enough to avoid XSS. Needless to say, it is being flagged by Fortify. How can I suppress XSS when I have a certain control type in my UI and all of its methods are safe for XSS (they sanitize) in my context? I have tried a DataflowCleanseRule (with a label just to test the concept) and wanted to mark get_Text() and set_Text() as sanitizer functions, but it did not make a difference and Fortify still flagged it for XSS.
<DataflowCleanseRule formatVersion="3.16" language="dotnet">
<RuleID>0D495522-BA81-440E-B191-48A67D9092BE</RuleID>
<TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM,+VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
<FunctionIdentifier>
<NamespaceName>
<Pattern>System.Web.UI.WebControls</Pattern>
</NamespaceName>
<ClassName>
<Pattern>Label</Pattern>
</ClassName>
<FunctionName>
<Pattern>_Text</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
Thank you in advance for your help
This is parsed using regular expressions. Unless you think you are able to create a regular expression that can parse human language properly, I would leave it alone and just audit it as not an issue.
The Pattern tag uses a java regular expression in the body, so should be used as user2867433 suggested. However, you stated
This control html encodes everything and in my context, it is good enough to avoid XSS
If you are going to use a custom rule, this has to assume that it will work in EVERY context, as say in the future somebody writes a piece of code that uses get_Text and then places this directly into a piece of JavaScript, html encoding will do NOTHING to stop the XSS problem here. I would advise again to audit this as not an issue or a false positive due to the validation used and explain why it's good enough in that context
Within "Pattern" you can use Java-Regex. So it should work if you use [gs]et_Text
Related
when i ran fority scanner it reported often misused authentication issue on the below line
hostName=java.net.InetAddress.getLocalHost().getHostName();
I had written a function which will validate this host name against the white list of host names as below.
private String validateHost(String hostName)
{
String[] PossibleHosts = {"host1","host2","host2","host4","host5",};
Integer myhostIndex = Arrays.asList(PossibleHosts).indexOf((hostName).toLowerCase());
if(myhostIndex>=0){
hostName = PossibleHosts[myhostIndex];
} else {
hostName = "";
}
return hostName;
}
which will be called by below line
hostName=validateHost(java.net.InetAddress.getLocalHost().getHostName());
But when i run the fority scan for the next time , it still shows issue on the same line even after i have done the validaiton. what can be done to remove the fortify error.
To answer you, let me explain how Fortify detects this issue, why it's included, then what to do about it.
How Fortify detects this issue: It's basically a super grep. It just finds anywhere you're using java.net.InetAddress.getLocalHost().getHostName() and complains. It is unaffected by data validation.
Why do this? Because this function is sometimes used for security purposes, and it should not be. For example, imagine a dev wanted to trust all messages from their own domain, they might use this to determine where a message came from. But then the security of their system relies on DNS, which is not secure. (See the Details tab for more info.)
What to do: First, make sure that what you're trying to do with java.net.InetAddress.getLocalHost().getHostName() is safe. Basically, that you're not trying to secure your system with this code. Then ignore the finding. At most companies I help, you would write a short explanation of why this code is OK, put it in the comment field of the Issue Summary tab, and mark the Analysis as "Not an Issue." At some places, you could also suppress it. If you're getting a ton of these, you can create a Filter that will knock out the whole category, but realize that you might also knock out some real issues that way.
Source of information: Consultant at Fortify Software 2008-2010, independent application security consultant since then.
I'm attempting to create a form step where one of the form step items is an email input. For this I want to validate the email against certain domains i.e.
#gmail.com, #icloud.com, #me.com
I can see we have an email answer format in the form of this:
ORKEmailAnswerFormat()
However I can't see anywhere in this type that allows me to apply a validation regex. Looking into this I see we have the following
ORKAnswerFormat.textAnswerFormatWithValidationRegex(validationRegex, invalidMessage)
I suppose this is my best option? If so, would anyone know of a regex (my regex isn't the greatest!) in swift that would handle the 3 domains stated above?
I have something like this...(not the greatest i know!)
[A-Z0-9a-z._%+-]+#gmail.com
[A-Z0-9a-z._%+-]+#(?:icloud|me|gmail)\.com
(or, if you don't care about capturing:)
[A-Z0-9a-z._%+-]+#(icloud|me|gmail)\.com
Now I made two modifications. I escaped the . and I made it so that the other two domains are options.
I suggest that you convert the whole thing to lower case. I don't know Swift, but you may be able to use one of its functions or the i modifier:
(?i)[0-9a-z._%+-]+#(icloud|me|gmail)\.com
I'm trying to set the Visitor ID in Adobe Analytics through DTM.
Above the s_code I have:
var visitor = new Visitor("xxxx")
visitor.trackingServer = "xxx.xx.xx.omtrdc.net"
I've created a data element where the legacy code used to call the
Visitor.getInstance("xxxx");
and set the Visitor ID to %Visitor ID%
That's not working however, and my visitor ID is always just set to %Visitor ID% and obviously not reading any values. I'd really appreciate any input that someone can give me.
Thanks,
Mike
The Visitor ID pops s.visitorID and is in general related to visitor id, but is not the same as s.visitor which is what gets popped for the VisitorAPI integration. DTM does not currently have a built-in field for the s.visitor variable, so you will have to set it yourself within the config, either in the Library Management code editor (assuming you are opting to c/p the core lib and not the "Managed by Adobe" option) or else in the Custom Page Code section.
Since you are popping it in a data layer first, you can reference the data layer like this:
s.visitor = _satellite.getVar('Visitor ID');
NOTE: A separate potential issue you may have is with whether or not the Visitor object is available for your data element. Since data elements are the first thing to be evaluated by DTM, you will need to ensure that the VisitorAPI.js library is output before your top page DTM script include.
If this is a problem for you, or if you are wanting to host VisitorAPI.js within DTM, then you may need to adjust where you are popping that stuff. For example, place the VisitorAPI core code above the custom code as the first stuff within the data element, before:
var visitor = new Visitor("xxxx") visitor.trackingServer = "xxx.xx.xx.omtrdc.net
Or, don't use the data element at all. Instead, put the VisitorAPI code within the Adobe Analytics custom code or core lib section and pop all that stuff (aboove the s.visitor assignment). Or a number of other methods; point is, VisitorAPI stuff must be loaded before the data element can make use of it, same as it must be loaded before Adobe Analytics can make use of it.
So DTM is changing pretty fast and furious right now. They have a "Marketing Cloud Service ID" that works well. Before I used that, however, I did find a way to fix the code. Crayon Violent was right, as usual, that the problem was that the script wasn't available yet. I fixed this by putting the following code in between the VisitorAPI.js and the AppMeasurement stuff in the DTM managed library.
var aA = new AppMeasurement();
aA.visitorNamespace="companyname";
aA.visitor = Visitor.getInstance("companyname");
In addition, there were also some issues using my localhost for testing while trying to see if I had this correct or not. If you are having issues and think you have it correct, it may be worthwhile to elevate it to a different environment.
Tagsoup is interfering with input and formatting it incorrectly. For instance when we have the following markup
Text outside anchor
It is formatted as follows
Text outside anchor
This is a simple example but we have other issues as well. So we made tagsoup cleanup/formatting optional by adding an extra attribute to textarea control.
Here is the diff(https://github.com/binnyg/orbeon-forms/commit/044c29e32ce36e5b391abfc782ee44f0354bddd3).
Textarea would now look like this
<textarea skip-cleanmarkup="true" mediatype="text/html" />
Two questions
Is this the right approach?
If I provide a patch can it make it to orbeon codebase?
Thanks
BinnyG
Erik, Alex, et al
I think there are two questions here:
The first Concern is a question of Tag Soup and the clean up that happens OOTB: Empty tags are converted to singleton tags which when consumed/sent to the client browser as markup gets "fixed" by browsers like firefox but because of the loss of precision they do the wrong thing.
Turning off this clean up helps in this case but for this issue alone is not really the right answer because we it takes away a security feature and a well-formed markup feature... so there may need to be some adjustment to the handling of at least certain empty tags (other than turning them in to invalid singleton tags.)
All this brings us to the second concern which is do we always want those features in play? Our use-case says no. We want the user to be able to spit out whatever markup they want, invalid or not. We're not putting the form in an app that needs to protect the user from cross script coding, we're building a tool that lets users edit web pages -- hence we have turned off the clean-up.
But turning off cleanup wholesale? Well it's important that we can do it if that's what our usecase calls for but the implementation we have is all or nothing. It would be nice to be able to define strategies for cleanup. Make that function plug-able. For example:
* In the XML Config of the system define a "map" of config names to class names which implement the a given strategy. In the XForm Def the author would specify the name from the map.
If TagSoup transforms:
Text outside anchor
Into:
Text outside anchor
Wouldn't that be bug in TagSoup? If that was the case, then I'd say that it is better to fix this issue rather than disable TagSoup. But, it isn't a bug in TagSoup; here is what seems to be happening. Say the browsers sends the following to the client:
<a shape="rect"></a>After<br clear="none">
This goes through TagSoup, the result goes through the XSLT clean-up code, and the following is sent to the browser:
<a shape="rect"/>After<br clear="none"/>
The issue is on the browser, which transforms this into:
<a shape="rect">After</a><br clear="none"/>
The problem is that we serialize this as XML with Dom4jUtils.domToString(cleanedDocument), while it would be more prudent to serialize it as HTML. Here we could use the Saxon serializer. It is also used from HTMLSerializer. Maybe you can try changing this code to use it instead of using Dom4jUtils.domToString(). You'll let us know what you find when a get a chance to do that.
Binesh and I agree, if there is a bug it would be a good idea to address the issue closer to the root. But I think the specific issue he is only part of the matter.
We're thinking it would be best to have some kind of name-to-strategy mapping so that RTEs can call in the server-side processing that is right for them or the default if it's not specified.
i need to localize a Reporting Services-report (.rdlc) and i would like to do it using a ressource-file (.resx).
I found pages like this and that and they use custom code to achieve their target.
But pages like Setting the Report Language Parameter in a URL give me the impression that localization in reports is possible without custom code.
So, it is possible to localize a Reporting Services-report without custom code ?
If so, is there a tutorial that explains how it's done?
What in the report do you want to localize?
values from the database? Those should be retrieved from the database in the appropriate language already
fixed labels and textboxes on the report? I have not yet seen any compelling way to doing this - you can either have
one report "skeleton" / template per language (and pick the one you need)
if the number of elements is manageable, define report parameters which you can set from the calling code, to set the labels and texts
use some custom .NET extension for handling localization
It's not really an awfully pretty picture, indeed - I'd be most interested in better solutions myself! (I typically need to support 3-4 languages for any report - and I'm using only server-based .RDL files, no .RDLC, so any localization that depends on client-side resource files is not usable in my case)
I would add one method when it comes to labels and textboxes:
Create a placeholder element within the textbox and use Expression field to
use a Switch clause , switching on the Language parameter.
It's not superpretty, but also works pretty well for 3-4 languages
I am passing parameters to the report for labels etc, and after adding the parameters to the report (using the menu option Report -> Parameters in VS2008) you can then use the values of these parameters to localise the labels. This is workiiing well enough, although it would be nicer to be abkle to refer to resource keys immediately from your form labels etc.