Taint Sanitizers for CodeSonar Java Warning Classes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

Java

Taint Tracking for CodeSonar Java Warning Classes

Taint Sanitizers for CodeSonar Java Warning Classes

Taint sanitizers are methods that remove taint from information that passes through them, so that the information can no longer be used to construct injection attacks.

This section lists the methods that the CodeSonar Java analysis automatically recognizes as sanitizers, and explains how to specify additional methods that the analysis should treat as sanitizers.

Overview
Specifying Additional Sanitizers
Sanitizers Automatically Recognized

Overview

Sanitizers are methods that remove taint from information that passes through them, so that the information can no longer be used to construct injection attacks. Information that originates from a method identified as a taint source will trigger a CodeSonar warning if it enters a taint sink without passing through a sanitizer.

For example, a method that escapes HTML or JavaScript tags might be considered a sanitizer.

The CodeSonar Java analysis automatically recognizes a number of methods as sanitizers. You can also use annotations to specify additional methods that the analysis should treat as sanitizers.

Specifying Additional Sanitizers

If you have a sanitizer method that is not automatically recognized, you can instruct the CodeSonar analysis to treat it as a sanitizer by annotating its return type with one of the annotations from the following table.

In general, a sanitizer method will only sanitize its input with respect to one aspect of taint. For example, if we have a method that ensures a string does not contain a URL, that method will generally not also sanitize SQL components in the string. The different annotations in the table reflect sanitization for a variety of different issues, each of which is associated with a specific warning class.
Annotating a void return causes the receiving object to be treated as sanitized.

Return type annotation	Relevant warning classes
@com.juliasoft.julia.checkers.injection.AddressTrusted	Tainted Network Address (Java)
@com.juliasoft.julia.checkers.injection.AttributeTrusted	Tainted LDAP Attribute (Java)
@com.juliasoft.julia.checkers.injection.BoundaryTrusted	Tainted Bundle (Java)
@com.juliasoft.julia.checkers.injection.CodeTrusted	Code Injection (Java)
@com.juliasoft.julia.checkers.injection.CommandTrusted	Command Injection (Java)
@com.juliasoft.julia.checkers.injection.ControlTrusted	Tainted Control (Java)
@com.juliasoft.julia.checkers.injection.CrossSiteTrusted	Cross Site Scripting (Java)
@com.juliasoft.julia.checkers.injection.DenialTrusted	DOS Injection (Java)
@com.juliasoft.julia.checkers.injection.DeviceTrusted	Tainted Hardware Device Property (Java)
com.juliasoft.julia.checkers.injection.EvalTrusted	Tainted Expression Evaluation (Java)
@com.juliasoft.julia.checkers.injection.FilterTrusted	Tainted LDAP Filter (Java)
@com.juliasoft.julia.checkers.injection.HttpResponseImmediatelyTrusted
@com.juliasoft.julia.checkers.injection.HttpResponseTrusted	Tainted HTTP Response (Java)
@com.juliasoft.julia.checkers.injection.LogTrusted	Tainted Log (Java)
@com.juliasoft.julia.checkers.injection.MessageTrusted	Tainted Message (Java), Android Message Injection (Java)
@com.juliasoft.julia.checkers.flows.OsTrusted
@com.juliasoft.julia.checkers.injection.PathTrusted	Tainted Path (Java)
@com.juliasoft.julia.checkers.injection.ReflectionTrusted	Reflection Injection (Java)
@com.juliasoft.julia.checkers.injection.ResourceTrusted	Tainted Resource (Java)
@com.juliasoft.julia.checkers.injection.SessionTrusted	Tainted Session (Java)
@com.juliasoft.julia.checkers.injection.SqlTrusted	SQL Injection (Java)
@com.juliasoft.julia.checkers.injection.Trusted	Tainted @Trusted Value (Java)
@com.juliasoft.julia.checkers.injection.UrlTrusted	Tainted URL (Java), Android URL Injection (Java)
@com.juliasoft.julia.checkers.injection.XPathTrusted	Tainted Xpath (Java)

For example, suppose we have a method mySqlSanitizer that returns an SQL-escaped version of its String parameter.

String mySqlSanitizer(String instr){
      // ...
}

This method removes SQL taint, so we annotate its return value with @SqlTrusted:

@SqlTrusted String mySqlSanitizer(String instr){
      // ...
}

Sanitizers Automatically Recognized

The methods listed below are automatically recognized as sanitizers by CodeSonar. The relevant annotation from the table above is shown for each method. For example,

@UrlTrusted String System.Web.HttpServerUtility.UrlEncode(String arg0)

indicates that the value returned by this value has been sanitized of URL taint and so will not trigger a Tainted URL (Java) warning if it flows into a location identified as a sink for URL taint.

java2
java5
java8

java2

@CrossSiteTrusted String org.apache.commons.lang.StringEscapeUtils.escapeHtml(String arg0)
@CrossSiteTrusted String org.apache.commons.lang3.StringEscapeUtils.escapeHtml3(String arg0)
@CrossSiteTrusted String org.apache.commons.lang3.StringEscapeUtils.escapeHtml4(String arg0)

java5

@CrossSiteTrusted String org.owasp.esapi.Encoder.encodeForHTML(String arg0)
@AttributeTrusted String org.owasp.esapi.Encoder.encodeForLDAP(String arg0)
@CommandTrusted String org.owasp.esapi.Encoder.encodeForOS(Codec arg0, String arg1)
@SqlTrusted String org.owasp.esapi.Encoder.encodeForSQL(Codec arg0, String arg1)
@UrlTrusted String org.owasp.esapi.Encoder.encodeForURL(String arg0)
@XPathTrusted String org.owasp.esapi.Encoder.encodeForXPath(String arg0)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscape(String arg0, String arg1)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscape(String arg0)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscapeDecimal(String arg0)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscapeDecimal(String arg0, String arg1)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscapeHex(String arg0, String arg1)
@CrossSiteTrusted String org.springframework.web.util.HtmlUtils.htmlEscapeHex(String arg0)

java8

@CrossSiteTrusted String org.apache.commons.text.StringEscapeUtils.escapeHtml3(String arg0)
@CrossSiteTrusted String org.apache.commons.text.StringEscapeUtils.escapeHtml4(String arg0)

To report problems with this documentation, please visit https://support.codesecure.com/.