Fortify自定义规则编写教程笔记（四）：数据流规则

一、规则类型：

DataflowEntrypointRule

DataflowSourceRule

DataflowPassthroughRule

DataflowSinkRule

DataflowCleanseRule

二、规则中的通用属性：

formatVersion

language

RuleID

VulKingdom

VulnCategory

VulnSubcategory

DefaultSeverity(1.0-5.0)

Description:Abstract...

三、函数的匹配与识别:FunctionIdentifier

(1)函数的维度：NamespaceName,ClassName,FunctionName

(2)正则识别：Pattern

(3)精确识别：Value

四、具体规则：

(1)Dataflow sink Rule：

InArguments,Conditional

(2)Dataflow Passthrough Rule：

InArguments,OutArguments,+/-(add/removetaint flags)

(3)Dataflow Entrypoint Rule:

InArguments,Modifiers(e.g:static)

(4)Dataflow Cleanse Rule：

OutArguments,Parameters

(5)Dataflow Source Rule：

ApplyTo: extends,overrides,implements

TaintFlags

OutArguments:this,return,参数索引

五、Conditionals

逻辑运算：And,Or,Not

常量相关：IsConstant,ConstantEq,ConstantGt,ConstantLt

标记：TaintFlagSet

类相关：Type

六、Taint Flags

类型：General(默认行为)，Neutral(主要用于VALIDATED_xxx)，Specific(自定义taint flags，且不让其他sink报错)

声明：TaintFlagDeclarations

七、总结：

Entrypoint/Source->Passthrough->Sink: Report

Entrypoint/Source->Passthrough->Cleanse: Do not report

八、附加参考：

(1)Decription中的替代键：

(2)Fortify认可的验证库或方法(类似于Cleanse)

a).Validator for XSS issue

Encoder/Encoding/Escapefrom several supported library are recognized by fortify, however, issue willstill get reported, with lower rating: LOW.

Sample: xss: poor validation

b).Validator for Path Manipulation

org.owasp.esapi.getValidDirectoryPathor org.owasp.esapi.getValidFilename

c).Validator for SQL Injection (encoder/escaper) ,eg:

org.owasp.esapi.Encoder.encodeForSQL

org.apache.commons.lang.StringEscapeUtils.escapeSql

d).Validator for Command Injection

org.owasp.esapi.Encoder.encodeForOS

作者：陈辉军