-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6599c3e
commit 48c961a
Showing
5 changed files
with
33 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
24 changes: 9 additions & 15 deletions
24
...ain/resources/generic-remediation-reports/error-message-exposure/description.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,14 @@ | ||
| This change adds a timout to regex matching calls from the `java.util.regex` libraries. | ||
| This change removes exposure through sending/printing of error and exception data. | ||
|
|
||
| Our changes look like this: | ||
|
|
||
| ```java | ||
| +public <E> E executeWithTimeout(final Callable<E> action, final int timeout){ | ||
| + Future<E> maybeResult = Executors.newSingleThreadExecutor().submit(action); | ||
| + try{ | ||
| + return maybeResult.get(timeout, TimeUnit.MILLISECONDS); | ||
| + }catch(Exception e){ | ||
| + throw new RuntimeException("Failed to execute within time limit."); | ||
| + } | ||
| +} | ||
| ... | ||
| String input = "aaaaaaaaaaaaaaaaaaaaa"; | ||
| Pattern pat = Pattern.compile("^(a+)+$"); | ||
| var matcher = pat.matcher(input); | ||
| - matcher.matches(); | ||
| + executeWithTimeout(() -> matcher.matches(), 5000); | ||
| void function(HttpServletResponse response) { | ||
| PrintWriter pw = reponse.getWriter(); | ||
| try{ | ||
| ... | ||
| } catch (Exception e) { | ||
| - pw.println(e.getMessage()); | ||
| } | ||
| } | ||
| ``` |
8 changes: 4 additions & 4 deletions
8
...er-base/src/main/resources/generic-remediation-reports/error-message-exposure/report.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| { | ||
| "summary" : "Added a timeout to regular expression matching", | ||
| "change" : "Added a timeout to regular expression matching", | ||
| "reviewGuidanceIJustification" : "The expected timeout is highly dependent on the application and should be adjusted to conform to it.", | ||
| "references" : ["https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "https://cwe.mitre.org/data/definitions/400.html", "https://github.com/google/re2j"] | ||
| "summary" : "Removed printing/sending of error data", | ||
| "change" : "Removed printing/sending of error data", | ||
| "reviewGuidanceIJustification" : "While this change is most likely harmless, it may be the case that the other endpoint is expecting the message and needs adjustment.", | ||
| "references" : ["https://cwe.mitre.org/data/definitions/209.html", "https://owasp.org/www-community/Improper_Error_Handling", "https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information"] | ||
| } |
24 changes: 15 additions & 9 deletions
24
...er-base/src/main/resources/generic-remediation-reports/regex-dos/description.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,20 @@ | ||
| This change removes exposure through sending/printing of error and exception data. | ||
| This change adds a timout to regex matching calls from the `java.util.regex` libraries. | ||
|
|
||
| Our changes look like this: | ||
|
|
||
| ```java | ||
| void function(HttpServletResponse response) { | ||
| PrintWriter pw = reponse.getWriter(); | ||
| try{ | ||
| ... | ||
| } catch (Exception e) { | ||
| - pw.println(e.getMessage()); | ||
| } | ||
| } | ||
| +public <E> E executeWithTimeout(final Callable<E> action, final int timeout){ | ||
| + Future<E> maybeResult = Executors.newSingleThreadExecutor().submit(action); | ||
| + try{ | ||
| + return maybeResult.get(timeout, TimeUnit.MILLISECONDS); | ||
| + }catch(Exception e){ | ||
| + throw new RuntimeException("Failed to execute within time limit."); | ||
| + } | ||
| +} | ||
| ... | ||
| String input = "aaaaaaaaaaaaaaaaaaaaa"; | ||
| Pattern pat = Pattern.compile("^(a+)+$"); | ||
| var matcher = pat.matcher(input); | ||
| - matcher.matches(); | ||
| + executeWithTimeout(() -> matcher.matches(), 5000); | ||
| ``` |
8 changes: 4 additions & 4 deletions
8
...work/codemodder-base/src/main/resources/generic-remediation-reports/regex-dos/report.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| { | ||
| "summary" : "Removed printing/sending of error data", | ||
| "change" : "Removed printing/sending of error data", | ||
| "reviewGuidanceIJustification" : "While this change is most likely harmless, it may be the case that the other endpoint is expecting the message and needs adjustment.", | ||
| "references" : ["https://cwe.mitre.org/data/definitions/209.html", "https://owasp.org/www-community/Improper_Error_Handling", "https://www.securecoding.cert.org/confluence/display/java/ERR01-J.+Do+not+allow+exceptions+to+expose+sensitive+information"] | ||
| "summary" : "Added a timeout to regular expression matching", | ||
| "change" : "Added a timeout to regular expression matching", | ||
| "reviewGuidanceIJustification" : "The expected timeout is highly dependent on the application and should be adjusted to conform to it.", | ||
| "references" : ["https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "https://cwe.mitre.org/data/definitions/400.html", "https://github.com/google/re2j"] | ||
| } |