white listing solution against fortify erros does not remove the fortify errors -


when ran fority scanner reported misused authentication issue on below line

hostname=java.net.inetaddress.getlocalhost().gethostname();

i had written function validate host name against white list of host names below.

private string validatehost(string hostname)         {             string[] possiblehosts = {"host1","host2","host2","host4","host5",};             integer myhostindex = arrays.aslist(possiblehosts).indexof((hostname).tolowercase());             if(myhostindex>=0){                 hostname = possiblehosts[myhostindex];             } else {                 hostname = "";             }             return hostname;         }

which called below line

hostname=validatehost(java.net.inetaddress.getlocalhost().gethostname());

but when run fority scan next time , still shows issue on same line after have done validaiton. can done remove fortify error.

to answer you, let me explain how fortify detects issue, why it's included, it.

how fortify detects issue: it's super grep. finds anywhere you're using java.net.inetaddress.getlocalhost().gethostname() , complains. unaffected data validation.

why this? because function used security purposes, , should not be. example, imagine dev wanted trust messages own domain, might use determine message came from. security of system relies on dns, not secure. (see details tab more info.)

what do: first, make sure you're trying java.net.inetaddress.getlocalhost().gethostname() safe. basically, you're not trying secure system code. ignore finding. @ companies help, write short explanation of why code ok, put in comment field of issue summary tab, , mark analysis "not issue." @ places, suppress it. if you're getting ton of these, can create filter knock out whole category, realize might knock out real issues way.

source of information: consultant @ fortify software 2008-2010, independent application security consultant since then.


Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based
Read more

thorough guide for profiling racket code -

did googling ("racket profiling", "racket measure performance"), didn't find , there no examples in docs. did google "profile" search on htdp - no luck. (profile (f ...)) output isn't obvious other small snippets. ideally want python's python -m cprofile usage examples. when search "python profiling", both duckduckgo , google give top result: 26.4. python profilers . (although scanned quickly, seems more of reference "thorough usage guide" examples. if had else in mind, perhaps please link that?) the equivalent racket documentation be: profile: statistical profiler . a usage example: #lang racket (require profile) (profile-thunk (thunk (function-to-profile arg0 arg1) )) here (thunk e) convenience (lambda () e) . bigger example: #lang racket (module mod racket (provide f) (define (f) (for/list ([i 10000]) i))) (require (prefix-in mod: 'mod)) (define (f) (for ([i 10000
Read more