Exclude vulnerabilities with sanitization functions
This article shows you how to create a policy that instructs preZero to ignore vulnerabilities whose dataflow passes through a sanitization function when it analyzes your application. Developers often use sanitization functions in their application's source code to sanitize user input before it reaches a sensitive sink, protecting against common attacks such as SQL Injection.
Step 1: Create a new policy file
For this tutorial, we will scaffold off the default policy:
sl policy create default <filepath>
Replace <filepath> with the path where the policy should be saved, and make a note of it; the remaining steps refer to this file.
Step 2: Edit the policy definition
Open your newly created policy file using a text editor. Add the following directives to your policy file:
IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
TAG "CHECK" METHOD -f "javax.servlet.http.HttpServletRequest.setAttribute:void(java.lang.String,java.lang.Object)"
Note that the quoted string after -f is the full method signature of the sanitization function: package, class and method name, followed by the return type and the parameter types. The setAttribute signature above is only an example; replace it with the signature of the sanitization function your application actually uses.
The final line of the example instructs preZero to add a CHECK tag to every data flow that contains a call matching the method signature given with the -f option. Flows carrying this tag are no longer reported as vulnerabilities, so only tag methods that genuinely neutralize the input for the sinks in question; tagging a method that does not sanitize simply hides real findings.
Step 3: Validate the new policy
After you write new policy definitions or edit the existing definitions, you must validate your new policy to make sure that there are no errors. To do so, run:
sl policy validate <filepath>
This command returns a non-zero exit status code if there is a problem with either your policy's syntax or semantics.
Step 4: Upload the policy to the Qwiet repository
preZero can only use a custom policy if it is located in the Qwiet repository. To upload your policy, run:
sl policy push <policyLabel> <filepath>
Be sure to replace <policyLabel> with the desired name for your policy.
If the upload succeeds, Qwiet prints the policy's full identifier to the CLI, made up of your Org ID, the label and a tag:
<OrgId>/<policyLabel>:<policyTag>
<policyTag> is the tag Qwiet assigns to the policy by default.
You can confirm that the policy is in the repository with the info command, which lists the policies uploaded under the specified label that are available to you:
sl policy info <OrgId>/<policyLabel>:<policyTag>
Step 5: Assign the new policy
Assigning the policy to your application ensures that preZero uses it the next time it analyzes the app's code:
sl analyze --policy <policyLabel> --app <name>
At this point, you are ready to proceed with your next code analysis.
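The five steps above, scripted end to end as an added example (this is not code from the Qwiet documentation or the sl CLI). It assumes the sl CLI is installed and authenticated, and the policy label, application name and sanitizer signature are placeholders to replace with your own. The signature shape check is an assumption inferred from the page's setAttribute example (package.Class.method:returnType(paramTypes)); it only catches obviously malformed signatures before the round-trip to sl policy validate, which remains the authoritative check.

```shell
#!/bin/sh
# Added example: scripts the create / edit / validate / push / analyze workflow.
# Assumes `sl` is installed and authenticated. Label, app name and signature
# below are placeholders.

set -e

# Emit the three policy directives for a given sanitizer method signature.
policy_directives() {
    sig="$1"
    printf 'IMPORT io.shiftleft/default\n'
    printf 'IMPORT io.shiftleft/defaultdict\n'
    printf 'TAG "CHECK" METHOD -f "%s"\n' "$sig"
}

# Cheap local sanity check on the signature shape (assumption inferred from the
# page's example): fully.qualified.Class.method:returnType(param,param,...).
# Returns 0 when the shape matches, 1 otherwise. `sl policy validate` is still
# the authoritative check.
check_signature_shape() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.$]*:[A-Za-z_][A-Za-z0-9_.$]*\([^()]*\)$'
}

# Full workflow. Any failing sl command (including a non-zero exit from
# `sl policy validate`) aborts the script because of set -e.
run_workflow() {
    label="$1"; app="$2"; sig="$3"; file="${4:-sanitizer-check.policy}"
    check_signature_shape "$sig" || { echo "malformed signature: $sig" >&2; return 1; }
    sl policy create default "$file"          # Step 1: scaffold from the default policy
    policy_directives "$sig" >> "$file"       # Step 2: add the imports and the CHECK tag
    sl policy validate "$file"                # Step 3: syntax and semantics check
    sl policy push "$label" "$file"           # Step 4: upload to the Qwiet repository
    sl analyze --policy "$label" --app "$app" # Step 5: analyze with the new policy
}

# Only run against a real sl installation when explicitly requested.
if [ "${RUN_POLICY_WORKFLOW:-0}" = "1" ]; then
    run_workflow "sanitizer-check" "my-app" \
        "com.example.security.Sanitizer.sanitize:java.lang.String(java.lang.String)"
fi
```

Run it with RUN_POLICY_WORKFLOW=1 after editing the placeholders. Because the script stops at the first failing command, a policy that does not validate is never pushed, and a push that fails never triggers an analysis against a stale policy.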