Checker Methods

While looking at Apache Roller I came across this method:

public static String cleanTextArg(String s) {
    if (s == null || s.isEmpty()) return s;
    return StringEscapeUtils.escapeHtml(s);
}

Looking at the code, we can easily see that this function is a sanitiser. It takes a string - which may be trusted or not - and returns a modified string that is safe to use in HTML. Source Patrol is designed to automatically detect sanitiser methods. However, in this case, Source Patrol did not detect the function as a sanitiser, and this resulted in a number of false positives for cross-site scripting.

The function calls another function to do the hard work - escapeHtml, which is part of Apache Commons StringEscapeUtils. Source Patrol includes a database of sanitiser functions in well-known Java libraries, and this does include StringEscapeUtils. But despite this, the function is not being detected as a sanitiser.

There are actually two possible paths through the function, because of the if statement. When the if condition is true, then s is returned directly - without being sanitised. That is why Source Patrol does not detect the function as a sanitiser. However, looking at the condition, we can easily see that if it is true, then s is safe to use in HTML. There is no way a null or empty string can carry a cross-site scripting attack. But Source Patrol did not detect this - and it should have.

When analysing a method, Source Patrol first generates a Control Flow Graph which captures all the branches and loops in the method. The graph consists of basic blocks, which are short sections of code that contain no branching instructions, and edges that connect the blocks. What was missing was a way to pass information from an if condition to the block it guards.

To add this feature, we created the concept of a "checker" method. Remember that a sanitiser method takes untrusted input and returns a value that is safe to use in a particular context. A checker method is slightly different: it takes untrusted input, and returns true if (and only if) the value is safe to use in a particular context. In this example, isEmpty() is a checker method that checks for all contexts. And checking s == null has a similar effect, although it is a bytecode instruction rather than a method.

With the "checker method" feature in place, Source Patrol now automatically detects cleanTextArg as a sanitiser. This avoids a number of false positives, without any need for manual intervention.
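The following is an added illustration of the analysis described above, not Source Patrol's own code. It runs a small forward dataflow over a hand-built Control Flow Graph of cleanTextArg: a table of sanitiser calls records which context they make a value safe for, a table of checker calls records which context the checked variable is safe for on the true edge out of the condition, and a method counts as a sanitiser only if every return block returns a value safe for the requested context. The block encoding, the table contents and the names (analyse, is_sanitiser, unsafe_returns, the constructed CFGs) are assumptions made for this example; running the same graph with an empty checker table reproduces the false positive the post describes.

```python
"""Forward dataflow over a toy CFG, showing how a "checker" on an if
condition lets cleanTextArg be recognised as an HTML sanitiser.
Added example; block encoding and tables are constructed for illustration."""
from collections import deque

HTML, ALL = "html", "all"          # contexts a value can be safe for; ALL is the wildcard

# callee -> context the returned value is safe for (constructed database)
SANITISERS = {"StringEscapeUtils.escapeHtml": HTML}
# callee -> context the checked variable is safe for when the check is true.
# An empty or null string carries no payload in any context, hence ALL.
CHECKERS = {"String.isEmpty": ALL, "== null": ALL}

# A block is either a condition with True/False successors or a return block,
# optionally preceded by straight-line (dst, callee, src) call statements.
CLEAN_TEXT_ARG = {
    "entry": "B0",
    "blocks": {
        "B0": {"cond": ("== null", "s"), "succ": {True: "B2", False: "B1"}},
        "B1": {"cond": ("String.isEmpty", "s"), "succ": {True: "B2", False: "B3"}},
        "B2": {"ret": "s"},                                              # return s;
        "B3": {"stmts": [("t", "StringEscapeUtils.escapeHtml", "s")], "ret": "t"},
    },
}

# A method that hands its argument straight back: never a sanitiser.
PASSTHROUGH = {"entry": "B0", "blocks": {"B0": {"ret": "s"}}}


def join(states):
    """Meet over incoming edges: a variable is safe for a context only if it is safe on every path."""
    if not states:
        return {}
    names = set().union(*(s.keys() for s in states))
    return {v: frozenset.intersection(*(s.get(v, frozenset()) for s in states)) for v in names}


def analyse(cfg, checkers=CHECKERS):
    """Return {return_block: contexts the returned value is safe for}."""
    blocks = cfg["blocks"]
    edge_in = {("<entry>", cfg["entry"]): {}}   # state arriving along each edge; parameters start tainted
    returns = {}
    work = deque([cfg["entry"]])
    while work:
        name = work.popleft()
        blk = blocks[name]
        state = join([st for (_, dst), st in edge_in.items() if dst == name])
        for dst, callee, src in blk.get("stmts", []):
            state = dict(state)
            # a known sanitiser makes its result safe for its context; any other call yields a tainted value
            state[dst] = frozenset({SANITISERS[callee]}) if callee in SANITISERS else frozenset()
        if "ret" in blk:
            returns[name] = state.get(blk["ret"], frozenset())
            continue
        checker, var = blk["cond"]
        for branch, succ in blk["succ"].items():
            out = dict(state)
            if branch and checker in checkers:
                # only the true edge learns anything from the checker
                out[var] = state.get(var, frozenset()) | {checkers[checker]}
            if edge_in.get((name, succ)) != out:
                edge_in[(name, succ)] = out
                work.append(succ)     # re-run the successor until the states stop changing
    return returns


def unsafe_returns(cfg, context, checkers=CHECKERS):
    """Return blocks whose value is not safe for the context (the source of the false positives)."""
    return sorted(b for b, safe in analyse(cfg, checkers).items()
                  if context not in safe and ALL not in safe)


def is_sanitiser(cfg, context, checkers=CHECKERS):
    return not unsafe_returns(cfg, context, checkers)


if __name__ == "__main__":
    print("with checkers:", is_sanitiser(CLEAN_TEXT_ARG, HTML))             # True
    print("without checkers:", unsafe_returns(CLEAN_TEXT_ARG, HTML, {}))     # ['B2']
```

The join is an intersection rather than a union so that a value counts as safe only when every path into a block makes it safe; B2 is reached by two true edges, each of which marks s safe for all contexts, while B3 gets its safety from the escapeHtml call alone. Dropping the checker table leaves s tainted on the path through B2, which is exactly the return Source Patrol was reporting before the feature existed.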

You can define your own checker methods manually, using the route editor. We expect custom checkers to be a rare requirement, so we do not intend to automatically detect them.

© Copyright Pentest Limited 2001 - 2016 All Rights Reserved.