java - SSFR From Fortify when writing to Socket - Stack Overflow

admin管理员组

文章数量:1401623

Summary of the Issue:

I'm working on a Java application where Fortify flagged a Server-Side Request Fery (SSRF) vulnerability in a method that sends a message over a socket connection.

Code snippet:

public synchronized void sendMessage(String msg, long id) {
    try {
        msg = utils.sanitizeInput(msg);
        OutputStream osb = clientSocket.getOutputStream();
        byte[] dataBytes = msg.getBytes();
        osb.write(1);
        osb.write(224);
        osb.write(dataBytes);
        osb.flush();
    } catch (Exception e) {
        // Handle exception
    }
}

Context:

• The msg value comes from a input stream in another socket connection, is validated and transformed multiple times by other services so it meets the protocol of the recipient.
• The input is sanitized using utils.sanitizeInput(msg), but Fortify still flags the osb.write(dataBytes) line as vulnerable.

Why Fortify Marks It as a Vulnerability:

• Fortify likely detects that msg is user-controlled and could potentially be manipulated to perform a SSRF attack or other malicious activity.
• Even though sanitizeInput() is applied, Fortify may not recognize it as an effective sanitization method.

Question:

• What’s the best way to address this type of warning in a socket communication context?
• Would using a library like .owasp for input sanitization help resolve this?
• Are there any recommended patterns for securely handling user input in socket-based communication?

Any insights or suggestions would be highly appreciated!

Summary of the Issue:

I'm working on a Java application where Fortify flagged a Server-Side Request Fery (SSRF) vulnerability in a method that sends a message over a socket connection.

Code snippet:

public synchronized void sendMessage(String msg, long id) {
    try {
        msg = utils.sanitizeInput(msg);
        OutputStream osb = clientSocket.getOutputStream();
        byte[] dataBytes = msg.getBytes();
        osb.write(1);
        osb.write(224);
        osb.write(dataBytes);
        osb.flush();
    } catch (Exception e) {
        // Handle exception
    }
}

Context:

• The msg value comes from a input stream in another socket connection, is validated and transformed multiple times by other services so it meets the protocol of the recipient.
• The input is sanitized using utils.sanitizeInput(msg), but Fortify still flags the osb.write(dataBytes) line as vulnerable.

Why Fortify Marks It as a Vulnerability:

• Fortify likely detects that msg is user-controlled and could potentially be manipulated to perform a SSRF attack or other malicious activity.
• Even though sanitizeInput() is applied, Fortify may not recognize it as an effective sanitization method.

Question:

• What’s the best way to address this type of warning in a socket communication context?
• Would using a library like .owasp for input sanitization help resolve this?
• Are there any recommended patterns for securely handling user input in socket-based communication?

Any insights or suggestions would be highly appreciated!

• java
• sockets
• ssrf

Share Improve this question Follow asked Mar 25 at 2:27 GustavoPGustavoP 111 bronze badge

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

The issue was resolved by using ESAPI from .owasp like so:

import .owasp.esapi.Validator;

import .owasp.esapi.reference.DefaultValidator;

Validator validator = DefaultValidator.getInstance();
// Before converting to bytes
msg = validator.getValidInput("SocketMessage", msg, "SafeString", 100, false);

本文标签： javaSSFR From Fortify when writing to SocketStack Overflow