Java tuning tutorials 1 and 2 - Tuning SV.XSS.REF to reduce false positives

Note: These examples assume that you are working from your project sources directory and that <User_install>/bin has been added to your PATH.

Let's say we have the following servlet:

package com.klocwork.jdefects.checkers.tuning_walkthrough;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.IOException;

public class CheckTrueSample1 extends HttpServlet {

   protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
         throws ServletException, IOException {
      // 'name' is attacker-controlled and is written into the page unchanged
      String name = request.getParameter("name");
      ServletOutputStream outputStream = response.getOutputStream();
      outputStream.println("<html><body>");
      outputStream.println("Name: " + name);
      outputStream.println("</body></html>");
   }
}

kwcheck reports SV.XSS.REF for this snippet:

unchecked user data 'name' coming from the request (String name = request.getParameter("name");) is used to form the web content (outputStream.println("Name: " + name);) which leads to a cross-site scripting (XSS) vulnerability.

Two validation possibilities

Validation routines are developed to fix the issue. Either convention can be described to the checker:

  • isValid returns true if the user input is safe, and false otherwise.
  • isInvalid returns false if the user input is safe, and true otherwise.

Examples:

public class Validation {

   private Validation() {
   }

   public static boolean isValid(String s) {
      // request.getParameter returns null when the parameter is absent; treat that as unsafe
      boolean b = s != null && s.length() < 256;
      // add your validation code here
      return b;
   }

   public static boolean isInvalid(String s) {
      // the mirror image of isValid: true means the input must not be used
      boolean b = s == null || s.length() >= 256;
      // add your validation code here
      return b;
   }
}
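Once a method is declared with @CheckTrue or @CheckFalse and bound to SV.XSS.REF, the checker trusts it: anything that passes through it is considered clean, and the report disappears whether or not the method actually rejects dangerous input. The length-only placeholder above would let a string such as <script>alert(1)</script> through while silencing the warning, so the method you describe in the .jkb must do real validation. The following class is an added example, not part of the Klocwork tutorial, of what the isValid/isInvalid pair might look like with an allow-list check; the regular expression, the 256-character bound and the sample inputs in main are assumptions chosen for illustration.

```java
package com.klocwork.jdefects.checkers.tuning_walkthrough;

import java.util.regex.Pattern;

// Added example (not the tutorial's own Validation class): isValid/isInvalid
// enforce an allow-list rather than a length check only. The pattern and the
// length bound are assumptions; adjust them to what a "name" may contain.
public final class Validation {

    // Letters, digits, spaces, apostrophes and hyphens only; '<', '>', '"',
    // '&', '/' and control characters are never matched, so nothing that can
    // open a tag or attribute in the HTML body is accepted.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[\\p{L}\\p{N} '\\-]{1,256}");

    private Validation() {
    }

    // @CheckTrue flavour: true means the input is safe to embed in the page.
    // A null parameter (parameter absent from the request) is rejected.
    public static boolean isValid(String s) {
        return s != null && SAFE_NAME.matcher(s).matches();
    }

    // @CheckFalse flavour: true means the input is tainted and must not be used.
    // Defined in terms of isValid so the two conventions cannot drift apart.
    public static boolean isInvalid(String s) {
        return !isValid(s);
    }

    // Constructed sample inputs; run stand-alone to see how each is classified.
    public static void main(String[] args) {
        String[] samples = {
            "Alice",                        // accepted
            "Anne-Marie O'Brien",           // accepted (hyphen and apostrophe allowed)
            "<script>alert(1)</script>",    // rejected: angle brackets
            "\" onmouseover=\"alert(1)",    // rejected: quote
            "",                             // rejected: empty
            null                            // rejected: parameter absent
        };
        for (String s : samples) {
            System.out.println(String.valueOf(s) + " -> isValid=" + isValid(s)
                    + ", isInvalid=" + isInvalid(s));
        }
    }
}
```

With this class in place, the .jkb declarations shown in the two tutorials (isValid marked @CheckTrue, isInvalid marked @CheckFalse, both under @Bind("SV.XSS.REF")) describe a method that genuinely blocks the injection, so suppressing the report is justified rather than merely convenient.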

Tutorial 1: Add the isValid method to fix the issue

We will use isValid to fix the XSS:

package com.klocwork.jdefects.checkers.dfa.binding_walkthrough;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.IOException;

public class CheckTrueSample2 extends HttpServlet {

   protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
         throws ServletException, IOException {
      String name = request.getParameter("name");
      ServletOutputStream outputStream = response.getOutputStream();
      outputStream.println("<html><body>");
      // 'name' reaches the page only when isValid has accepted it
      if (Validation.isValid(name)) {
         outputStream.println("Name: " + name);
      }
      outputStream.println("</body></html>");
   }
}

Run the analysis again now that the validation has been added:

kwcheck run

Although the validation has been added, the checker does not recognize your validation method, so kwcheck still reports the issue.

Create a .jkb file and describe the isValid method

  1. Create a text file with the .jkb extension, for example, checktrue.jkb.
  2. In the file, describe the method, stating that the data is valid if the method returned true:

public class Validation {
   public static boolean isValid(@CheckTrue String s);
}

Bind the CheckTrue record to the checker

After the @CheckTrue record is added, it must be bound to the SV.XSS.REF checker using the @Bind annotation.

Binding is required because the .jkb is altering the behavior of an existing checker whose native knowledge base is not available to edit directly.

@Bind("SV.XSS.REF")
public class Validation {
   public static boolean isValid(@CheckTrue String s);
}

Test the knowledge base

To test your knowledge base:

  1. Import the knowledge base into your project using kwcheck:
    kwcheck import checktrue.jkb
    
  2. Run the analysis:
    kwcheck run
    

The issue is no longer reported because the input is validated before it is used, and the knowledge base tells the SV.XSS.REF checker that the validation exists.

Tutorial 2: Add the isInvalid method to fix the issue

Use the isInvalid method to fix the issue:

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.IOException;

public class CheckFalseSample2 extends HttpServlet {

   protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
         throws ServletException, IOException {
      String name = request.getParameter("name");
      ServletOutputStream outputStream = response.getOutputStream();
      outputStream.println("<html><body>");
      try {
         // leave early when isInvalid flags the input; the finally block still closes the page
         if (Validation.isInvalid(name)) {
            return;
         }
         outputStream.println("Name: " + name);
      } finally {
         outputStream.println("</body></html>");
      }
   }
}

The XSS is fixed, since we exit the method and never write 'name' into the web page if it is tainted.

Run the analysis again now that the validation has been added:

kwcheck run

Although the validation has been added, the checker does not recognize your validation method, so kwcheck still reports the issue.

Create a .jkb file and describe the isInvalid method

  1. Create a text file with the .jkb extension, for example, checkfalse.jkb.
  2. In the file, describe the isInvalid method, stating that the data is valid if the method returned false:

public class Validation {
   public static boolean isInvalid(@CheckFalse String s);
}

Bind the CheckFalse record to the checker

After the @CheckFalse record is added, it must be bound to the SV.XSS.REF checker using the @Bind annotation.

Binding is required because the .jkb is altering the behavior of an existing checker whose native knowledge base is not available to edit directly.

@Bind("SV.XSS.REF")
public class Validation {
   public static boolean isInvalid(@CheckFalse String s);
}

Test the knowledge base

To test your knowledge base:

  1. Import the knowledge base into your project using kwcheck:
    kwcheck import checkfalse.jkb
    
  2. Run the analysis:
    kwcheck run
    

The issue is no longer reported, for the same reason as in Tutorial 1: the knowledge base tells the SV.XSS.REF checker that a false return from isInvalid means the input has been validated.