首先,先看看VeraCode對OS Command Injection的定義:
OS command injection vulnerabilities occur when data enters an application from an untrusted source and is used to
dynamically construct and execute a system command. This allows an attacker to either alter the command executed by the application or append additional commands. The command is typically executed with the privileges of the executing process and gives an attacker a privilege or capability that he would not otherwise have.
再看卡VeraCode對如何解決這個問題的建議:
Careful handling of all untrusted data is critical in preventing OS command injection attacks. Using one or more of the following techniques provides defense-in-depth and minimizes the likelihood of an vulnerability.
* If possible, use library calls rather than external processes to recreate the desired functionality.
* Validate user-supplied input using positive filters (white lists) to ensure that it conforms to the expected format, using centralized data validation routines when possible.
* Select safe API routines. Some APIs that execute system commands take an array of strings as input rather than a
single string, which protects against some forms of command injection by ensuring that a user-supplied argument
cannot be interpreted as part of the command.
通過對現有系統的實踐證明,對于這類OS Command Injection Issue,消除時主要遵循以下幾個原則:
1)重構代碼,保證只有1個函數最終執行Runtime.exec(xxxx,xxx)
public static Process execAndReturnProcess(String cmd[]) throws Exception
{
return execAndReturnProcess(cmd, null);
}
public static Process execAndReturnProcess(String cmds[], String envps[]) throws Exception
{
String[] validatedCmdArray = ASEUtils.validateCommandArray(cmds);
String[] validatedEnvArray = ASEUtils.validateEnvArray(envps);
if (null == validatedCmdArray)
{
throw new Exception("No permission to execute the command:" + cmds[0]);
}
Runtime runtime = Runtime.getRuntime();
Process process = runtime.exec(validatedCmdArray, validatedEnvArray);
return process;
}
2)用Runtime.exec調用操作系統命令時,優先使用數組作為參數
Process exec(String[] cmdarray, String[] envp, File dir)
而不是字符串作為參數
Process exec(String cmd, String[] envp, File dir)
3)Veracode會檢測傳入exec()的變量是否存在隱患(比如文件中讀取出來的,或者注冊表里讀取出來的),這種情況就需要對原有變量做驗證,然后重新定義變量,傳入Runtime.exec中,如下面代碼所示:
public static Process execAndReturnProcess(String cmds[], String envps[]) throws Exception
{
String[] validatedCmdArray = validateCommandArray(cmds);
String[] validatedEnvArray = validateEnvArray(envps);
if (null == validatedCmdArray)
{
throw new Exception("No permission to execute the command:" + cmds[0]);
}
Runtime runtime = Runtime.getRuntime();
Process process = runtime.exec(validatedCmdArray, validatedEnvArray);
return process;
}
public static String[] validateCommandArray(String[] cmdArray)
{
String[] validatedCmdArray = new String[cmdArray.length];
for (int i=0; i<cmdArray.length; i++)
{
if ( null != cmdArray[i] && cmdArray[i].trim().length()>0)
{
validatedCmdArray[i] = removeControlCharacter(cmdArray[i]);
}
}
return validatedCmdArray;
}
4)另外,還可以定義一個全局的可執行命令的列表(White List),對每次要執行的命令,都驗證它是否在允許的可執行命令列表里。
public static final String [] ALLOWED_COMMAND_ROUTINES =
{
"cmd",
"command",
"sh",
"env",
};
private static boolean isValidateCommandRoutine(String command)
{
Boolean isValidRoutine = false;
for (int i=0; i<ALLOWED_COMMAND_ROUTINES.length ;i++)
{
if (command.equals(ALLOWED_COMMAND_ROUTINES[i]) != -1)
{
isValidRoutine = true;
}
}
return isValidRoutine;
}
public static String[] validateCommandArray(String cmds[])
{
Boolean isValidRoutine = isValidateCommandRoutine(cmds[0]);
if (isValidRoutine)
{
String[] validatedCmdArray = new String[cmds.length];
for (int i=0; i<cmds.length; i++)
{
if ( null != cmds[i] && cmds[i].trim().length()>0)
{
validatedCmdArray[i] = removeControlCharacter(cmds[i]);
}
}
return validatedCmdArray;
}
return null;
}
實際上,我們在做第三方安全檢測時,使用上面提到的4點,Veracode 已經可以通過檢測了,但是Fortify不行,所以最后只能在Fortify的系統里標記"Not an issue", 忽略這個最終的Runtime.exec調用。