如何消除VeraCode检测中的CRLF Injection Issue(CWE ID 117)

Veracode是一个检测应用程序是否存在安全漏洞的工具,更多细节请访问http://www.veracode.com

这里主要总结一下如何消除Veracode检测结果中的CRLF(Carriage Return, Line Feed) Injection Issue(CWE ID 117)。

首先,先看看VeraCode对CRLF Injection Issue的定义:
The acronym CRLF stands for "Carriage Return, Line Feed" and refers to the sequence of characters used to denote the end of a line of text.  CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not properly validated before being used.  For example, if an attacker is able to inject a CRLF into a log file, he could append falsified log entries, thereby misleading administrators or cover traces of the attack.  If an attacker is able to inject CRLFs into an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning.  CRLF vulnerabilities primarily affect data integrity.

再看卡VeraCode对如何解决这个问题的建议:
Apply robust input filtering for all user-supplied data, using centralized data validation routines when possible.  Use output filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity equivalents.

举例:
log.debug("xxxxxxxxxxxxxx");
//这里的xxxxx部分内容可能是从环境变量或者外部获取的,所以Veracode认为存在CRLF的安全隐患。

通过对现有系统的实践证明,对于这类CRLF Injection Issue,消除时主要遵循以下原则:

1)使用Character.isISOControl去除变量中的ctrl类控制符
2) 验证后返回新的字符串变量

  
public static final String removeControlCharacter(String input)
    {
        
if (input == null)
        {
            
return "";
        }
        StringBuilder sb 
= new StringBuilder();
        
for (int i=0; i<input.codePointCount(0, input.length()); i++)
        {
            
int codePoint = input.codePointAt(i);
            
if(!Character.isISOControl(codePoint))
            {
                sb.appendCodePoint(codePoint);
            }
        }
        
return sb.toString();
    }
    
修改后如下所示:
log.debug(FileUtil.removeControlCharacter("xxxxxxxxxxxxxx"));

posted on 2011-09-06 10:49 想飞就飞 阅读(1637) 评论(0)  编辑  收藏


只有注册用户登录后才能发表评论。


网站导航:
 

公告


导航

<2011年9月>
28293031123
45678910
11121314151617
18192021222324
2526272829301
2345678

统计

常用链接

留言簿(13)

我参与的团队

随笔分类(69)

随笔档案(68)

最新随笔

搜索

积分与排名

最新评论

阅读排行榜

评论排行榜