Fortify控制流规则在XXE漏洞检测中的应用与调试<\/h1>

1. 前言<\/h2>
Fortify静态代码扫描工具在执行扫描时会加载默认规则和自定义规则。当需要仅使用自定义规则进行扫描时，可以通过Fortify portal接口执行扫描并附加参数来丢弃默认规则的导入。本文详细记录XXE漏洞静态代码扫描规则的定义、使用、优化和调试过程。<\/p>

2. 基础知识：控制流分析<\/h2>

控制流分析器通过将安全属性建模为状态机来检测不安全操作序列：<\/p>

状态机组成<\/strong>：<\/p>

初始状态(Initial state)<\/li>
一个或多个错误状态(Error states)<\/li>
任意数量的内部状态(Internal states)<\/li> <\/ul> <\/li>

工作原理<\/strong>：<\/p>

函数开始时处于初始状态<\/li>
当进入错误状态时报告漏洞<\/li>
状态转换由程序构造的规则模式触发<\/li>
按顺序检查转换，执行第一个匹配的语句<\/li> <\/ul> <\/li> <\/ul>
3. 控制流规则XML结构<\/h2>
控制流规则XML包含以下关键元素：<\/p>
<?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><RulePack<\/span> xmlns=<\/span>"xmlns:\/\/www.fortifysoftware.com\/schema\/rules"<\/span>><\/span> <\/span><\/span> <RulePackID><\/span>3E108F67-3116-481D-8C52-67C6E6939CE9<\/RulePackID><\/span> <\/span><\/span> <SKU><\/span>SKU-SAXParserXXE-rule<\/SKU><\/span> <\/span><\/span> <Name><\/span><![CDATA[SAXParserXXE-rule]]><\/span><\/Name><\/span> <\/span><\/span> <Version><\/span>1.0<\/Version><\/span> <\/span><\/span> <Rules<\/span> version=<\/span>"3.2"<\/span>><\/span> <\/span><\/span> <RuleDefinitions><\/span> <\/span><\/span> <ControlflowRule<\/span> formatVersion=<\/span>"22.1.0"<\/span> language=<\/span>"java"<\/span>><\/span> <\/span><\/span> <MetaInfo><\/MetaInfo><\/span> <\/span><\/span> <RuleID><\/span>6FC83768-C5A0-0E26-044B-59E8A1EBA0BA<\/RuleID><\/span> <\/span><\/span> <VulnKingdom><\/span>Input Validation and Representation<\/VulnKingdom><\/span> <\/span><\/span> <VulnCategory><\/span>Resource Leak<\/VulnCategory><\/span> <\/span><\/span> <DefaultSeverity><\/span>2.0<\/DefaultSeverity><\/span> <\/span><\/span> <FunctionIdentifier<\/span> id=<\/span>"XXX"<\/span>><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>xxx<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> <ClassName><Pattern><\/span>xxx<\/Pattern><\/ClassName><\/span> <\/span><\/span> <FunctionName><Value><\/span>xxx<\/Value><\/FunctionName><\/span> <\/span><\/span> <ApplyTo<\/span> implements=<\/span>"true"<\/span> overrides=<\/span>"true"<\/span> extends=<\/span>"true"<\/span>\/><\/span> <\/span><\/span> <\/FunctionIdentifier><\/span> <\/span><\/span> <FunctionCallIdentifier<\/span> id=<\/span>"validateSetA"<\/span>><\/span> <\/span><\/span> <FunctionIdentifier><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>xxx<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> ... <\/span><\/span><\/code><\/pre>关键XML元素说明<\/h3> FunctionIdentifier<\/strong>：<\/p> 标识函数<\/li> 控制流规则可包含多个函数标识符<\/li> 包含命名空间、类名和方法名定义<\/li> <\/ul> <\/li> FunctionCallIdentifier<\/strong>：<\/p> 结合FunctionIdentifier和Conditional元素<\/li> 匹配对函数的特定调用<\/li> <\/ul> <\/li> Definition<\/strong>：<\/p> 包含控制流状态机定义<\/li> 建议使用CDATA部分避免XML特殊字符转义问题<\/li> <\/ul> <\/li> <\/ol> 4. 规则定义：XXE漏洞示例<\/h2> 漏洞代码示例<\/h3> package<\/span> org.example;<\/span> <\/span><\/span>import<\/span> org.xml.sax.*;<\/span> <\/span><\/span>import<\/span> org.xml.sax.helpers.DefaultHandler;<\/span> <\/span><\/span>import<\/span> javax.xml.parsers.SAXParser;<\/span> <\/span><\/span>import<\/span> javax.xml.parsers.SAXParserFactory;<\/span> <\/span><\/span>import<\/span> java.io.InputStream;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> XmlSAXParserWithHandler<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> parse<\/span>(<\/span>InputStream xmlInput)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> SAXParserFactory factory =<\/span> SAXParserFactory.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> \/* 安全设置被注释掉 <\/span><\/span><\/span> factory.setFeature("http:\/\/apache.org\/xml\/features\/disallow-doctype-decl", true); <\/span><\/span><\/span> factory.setFeature("http:\/\/xml.org\/sax\/features\/external-general-entities", false); <\/span><\/span><\/span> factory.setFeature("http:\/\/xml.org\/sax\/features\/external-parameter-entities", false); <\/span><\/span><\/span> *\/<\/span> <\/span><\/span> SAXParser parser =<\/span> factory.<\/span>newSAXParser<\/span>();<\/span> <\/span><\/span> DefaultHandler handler =<\/span> new<\/span> DefaultHandler()<\/span> {<\/span> <\/span><\/span> \/\/ 处理XML元素的回调方法 <\/span><\/span><\/span><\/span> };<\/span> <\/span><\/span> parser.<\/span>parse<\/span>(<\/span>xmlInput,<\/span> handler);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键匹配点分析<\/h3> 需要匹配的三个关键部分：<\/p> SAXParserFactory factory = SAXParserFactory.newInstance();<\/code><\/li> SAXParser parser = factory.newSAXParser();<\/code><\/li> parser.parse(xmlInput, handler);<\/code><\/li> <\/ol> 规则定义步骤<\/h3> 第一阶段：函数匹配<\/h4> 定义三个关键函数的匹配规则：<\/p> <FunctionIdentifier<\/span> id=<\/span>"factoryCreate"<\/span>><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>javax.xml.parsers<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> <ClassName><Pattern><\/span>SAXParserFactory<\/Pattern><\/ClassName><\/span> <\/span><\/span> <FunctionName><Value><\/span>newInstance<\/Value><\/FunctionName><\/span> <\/span><\/span> <ApplyTo<\/span> implements=<\/span>"true"<\/span> overrides=<\/span>"true"<\/span> extends=<\/span>"true"<\/span>\/><\/span> <\/span><\/span><\/FunctionIdentifier><\/span> <\/span><\/span> <\/span><\/span><FunctionIdentifier<\/span> id=<\/span>"parserCreate"<\/span>><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>javax.xml.parsers<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> <ClassName><Pattern><\/span>SAXParserFactory<\/Pattern><\/ClassName><\/span> <\/span><\/span> <FunctionName><Value><\/span>newSAXParser<\/Value><\/FunctionName><\/span> <\/span><\/span> <ApplyTo<\/span> implements=<\/span>"true"<\/span> overrides=<\/span>"true"<\/span> extends=<\/span>"true"<\/span>\/><\/span> <\/span><\/span><\/FunctionIdentifier><\/span> <\/span><\/span> <\/span><\/span><FunctionIdentifier<\/span> id=<\/span>"parserParse"<\/span>><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>javax.xml.parsers<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> <ClassName><Pattern><\/span>SAXParser<\/Pattern><\/ClassName><\/span> <\/span><\/span> <FunctionName><Value><\/span>parse<\/Value><\/FunctionName><\/span> <\/span><\/span> <ApplyTo<\/span> implements=<\/span>"true"<\/span> overrides=<\/span>"true"<\/span> extends=<\/span>"true"<\/span>\/><\/span> <\/span><\/span><\/FunctionIdentifier><\/span> <\/span><\/span><\/code><\/pre>第二阶段：状态机设计<\/h4> XXE漏洞状态转换流程：<\/p> 初始状态 → 创建factory<\/li> 创建factory → 创建parser<\/li> 创建parser → 执行parse（漏洞点）<\/li> <\/ol> 状态机XML定义：<\/p> <Definition><\/span><![CDATA[ <\/span><\/span><\/span>StateMachine: { <\/span><\/span><\/span> InitialState: Init; <\/span><\/span><\/span> States: { <\/span><\/span><\/span> Init: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> factoryCreate -> FactoryCreated; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> FactoryCreated: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> parserCreate -> ParserCreated; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> ParserCreated: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> parserParse -> ErrorState; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> ErrorState: { <\/span><\/span><\/span> Error: "XXE Injection Vulnerability Detected"; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span>} <\/span><\/span><\/span>]]><\/span><\/Definition><\/span> <\/span><\/span><\/code><\/pre>5. 规则扫描与验证<\/h2> 漏洞代码扫描结果<\/h3> 执行扫描后，Fortify会报告XXE注入漏洞，可通过检查RuleID确认是否由自定义规则检测到。<\/p> 安全代码示例（误报问题）<\/h3> public<\/span> static<\/span> void<\/span> parse<\/span>(<\/span>InputStream xmlInput)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> SAXParserFactory factory =<\/span> SAXParserFactory.<\/span>newInstance<\/span>();<\/span> <\/span><\/span> \/\/ 添加安全设置 <\/span><\/span><\/span><\/span> factory.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span> <\/span><\/span> factory.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> factory.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span> <\/span><\/span> <\/span><\/span> SAXParser parser =<\/span> factory.<\/span>newSAXParser<\/span>();<\/span> <\/span><\/span> \/\/ 其余代码... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>初始规则会对安全代码也报告漏洞（误报），需要优化。<\/p> 6. 规则优化<\/h2> 误报问题解决<\/h3> 添加对安全设置方法的检测：<\/p> 添加FunctionCallIdentifier：<\/li> <\/ol> <FunctionCallIdentifier<\/span> id=<\/span>"validateSetA"<\/span>><\/span> <\/span><\/span> <FunctionIdentifier><\/span> <\/span><\/span> <NamespaceName><Pattern><\/span>javax.xml.parsers<\/Pattern><\/NamespaceName><\/span> <\/span><\/span> <ClassName><Pattern><\/span>SAXParserFactory<\/Pattern><\/ClassName><\/span> <\/span><\/span> <FunctionName><Value><\/span>setFeature<\/Value><\/FunctionName><\/span> <\/span><\/span> <\/FunctionIdentifier><\/span> <\/span><\/span> <Conditional><\/span><![CDATA[ <\/span><\/span><\/span> (arg[0]=="http:\/\/apache.org\/xml\/features\/disallow-doctype-decl" && arg[1]==true) || <\/span><\/span><\/span> (arg[0]=="http:\/\/xml.org\/sax\/features\/external-general-entities" && arg[1]==false) || <\/span><\/span><\/span> (arg[0]=="http:\/\/xml.org\/sax\/features\/external-parameter-entities" && arg[1]==false) <\/span><\/span><\/span> ]]><\/span><\/Conditional><\/span> <\/span><\/span><\/FunctionCallIdentifier><\/span> <\/span><\/span><\/code><\/pre> 更新状态机：<\/li> <\/ol> <Definition><\/span><![CDATA[ <\/span><\/span><\/span>StateMachine: { <\/span><\/span><\/span> InitialState: Init; <\/span><\/span><\/span> States: { <\/span><\/span><\/span> Init: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> factoryCreate -> FactoryCreated; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> FactoryCreated: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> validateSetA -> SafeState; <\/span><\/span><\/span> parserCreate -> ParserCreated; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> ParserCreated: { <\/span><\/span><\/span> Transitions: { <\/span><\/span><\/span> parserParse -> ErrorState; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span> SafeState: { <\/span><\/span><\/span> \/\/ 安全状态，不报告漏洞 <\/span><\/span><\/span> } <\/span><\/span><\/span> ErrorState: { <\/span><\/span><\/span> Error: "XXE Injection Vulnerability Detected"; <\/span><\/span><\/span> } <\/span><\/span><\/span> } <\/span><\/span><\/span>} <\/span><\/span><\/span>]]><\/span><\/Definition><\/span> <\/span><\/span><\/code><\/pre>漏洞级别调整<\/h3> 通过MetaInfo元素调整漏洞严重性：<\/p> <MetaInfo><\/span> <\/span><\/span> <Group<\/span> name=<\/span>"Accuracy"<\/span> value=<\/span>"4"<\/span>\/><\/span> <\/span> <\/span><\/span> <Group<\/span> name=<\/span>"Impact"<\/span> value=<\/span>"4"<\/span>\/><\/span> <\/span> <\/span><\/span> <Group<\/span> name=<\/span>"Probability"<\/span> value=<\/span>"4"<\/span>\/><\/span> <\/span> <\/span><\/span><\/MetaInfo><\/span> <\/span><\/span><DefaultSeverity><\/span>4.0<\/DefaultSeverity><\/span> <\/span> <\/span><\/span><\/code><\/pre>评分标准：<\/p> Accuracy(0-5)<\/strong>: 准确性 4-5: 高准确性，误报率低<\/li> <\/ul> <\/li> Impact(0-5)<\/strong>: 影响力 4-5: 高影响力，可导致严重问题<\/li> <\/ul> <\/li> Probability(0-5)<\/strong>: 发生概率 4-5: 高概率，易被利用<\/li> <\/ul> <\/li> <\/ul> 修复建议完善<\/h3> 添加规范的漏洞描述和修复建议：<\/p> <Description><\/span><![CDATA[ <\/span><\/span><\/span>XXE (XML External Entity) injection vulnerability occurs when XML input containing <\/span><\/span><\/span>a reference to an external entity is processed by a weakly configured XML parser. <\/span><\/span><\/span>]]><\/span><\/Description><\/span> <\/span><\/span><Recommendations><\/span><![CDATA[ <\/span><\/span><\/span>To prevent XXE injection: <\/span><\/span><\/span>1. Disable DTDs (doctypes): <\/span><\/span><\/span> factory.setFeature("http:\/\/apache.org\/xml\/features\/disallow-doctype-decl", true); <\/span><\/span><\/span>2. Disable external entities: <\/span><\/span><\/span> factory.setFeature("http:\/\/xml.org\/sax\/features\/external-general-entities", false); <\/span><\/span><\/span> factory.setFeature("http:\/\/xml.org\/sax\/features\/external-parameter-entities", false); <\/span><\/span><\/span>]]><\/span><\/Recommendations><\/span> <\/span><\/span><\/code><\/pre>7. 最终优化后的规则<\/h2> 整合所有优化点后的完整规则包含：<\/p> 精确的函数匹配定义<\/li> 完善的状态机设计（包含安全状态）<\/li> 适当的漏洞级别设置<\/li> 详细的漏洞描述和修复建议<\/li> <\/ol> 8. 总结与最佳实践<\/h2> 规则编写流程<\/strong>：<\/p> 分析漏洞代码模式<\/li> 定义关键函数匹配<\/li> 设计状态转换流程<\/li> 测试并优化误报\/漏报<\/li> <\/ul> <\/li> 评估规则质量<\/strong>：<\/p> 对存在漏洞的代码能准确检测<\/li> 对添加防护的安全代码不误报<\/li> 漏洞级别设置合理<\/li> 提供有效的修复建议<\/li> <\/ul> <\/li> 扩展应用<\/strong>：<\/p> 类似方法可用于其他类型漏洞的规则编写<\/li> 根据具体风险代码调整规则逻辑<\/li> 结合多种规则类型提高检测覆盖率<\/li> <\/ul> <\/li> <\/ol> 通过控制流规则可以有效地建模复杂的安全问题检测逻辑，特别适合需要跟踪多个函数调用序列的漏洞模式检测。<\/p>