Wrong detections in dotnet dogfooding of SAST
Problem
Recently API Security dogfooded SAST and discovered a number of false positives that look like bugs. API Security is a multi-project repository with a mix of languages, primarily dotnet core and python.
Pipeline with false positives: https://gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src/-/pipelines/653561352/security
Some of the false positives look reasonable, but others are quite strange, as they are detecting technology not in use by our project, such as LDAP.
Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
This is one of five similar false positive findings related to LDAP. It's an odd report because we don't use LDAP in our analyzer.
Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
We also have several reports of this issue with different levels of wrongness:
Flagging xpath injection with int data type
The offending line is reported as: var xmlElement = xmlDocument.SelectSingleNode(xmlElementWithTextXPathExpr);
This xpath is built up using a single variable, elementIndex, which is clearly an integer from the method declaration. Additionally, this variable is not under direct user control.
private string ReplaceGivenNElement(string injectionValue, int elementIndex, XmlDocument xmlDocument)
{
    // Clone document with mutated entity
    var mutatedEntityDeclaration = string.Format(AttackEntityDeclaration, injectionValue);
    UpdateDocumentWithMutatedEntity(xmlDocument, mutatedEntityDeclaration);

    // Update specific element to use attack entity
    var xmlElementWithTextXPathExpr = @$"(//*[not(*)])[{elementIndex + 1}]";
    var xmlElement = xmlDocument.SelectSingleNode(xmlElementWithTextXPathExpr);
    var xmlRef = xmlDocument.CreateEntityReference(AttackEntityName);
    xmlElement.InnerText = string.Empty;
    xmlElement.AppendChild(xmlRef);

    var mutatedValue = xmlDocument.OuterXml;
    return mutatedValue;
}
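As an added example (not code from the api-fuzzing-src project), the following shows why the int-typed interpolation above cannot change the shape of the XPath query, and the check to apply when the same index arrives as untrusted text rather than an int; the XPathIndexDemo class, its method names and the sample XML document are constructed for this illustration.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Xml;

public static class XPathIndexDemo
{
    // Same construction as the flagged line: an int is the only interpolated value.
    public static string BuildLeafSelector(int elementIndex)
        => string.Format(CultureInfo.InvariantCulture, "(//*[not(*)])[{0}]", elementIndex + 1);

    // An int renders only as an optional '-' followed by digits, so the expression
    // always remains a single positional predicate; no value can add predicates or unions.
    private static readonly Regex SafeShape = new Regex(@"^\(//\*\[not\(\*\)\]\)\[-?\d+\]$");

    public static bool HasSafeShape(string xpath) => SafeShape.IsMatch(xpath);

    // The equivalent check when the index is external text (e.g. a request parameter):
    // parse to int first, so anything that is not an integer never reaches XPath.
    public static bool TryBuildLeafSelectorFromText(string untrustedIndex, out string xpath)
    {
        xpath = null;
        if (!int.TryParse(untrustedIndex, NumberStyles.Integer, CultureInfo.InvariantCulture, out var index))
            return false;
        xpath = BuildLeafSelector(index);
        return true;
    }

    public static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml("<r><a>one</a><b><c>two</c></b></r>"); // constructed sample; leaves are a and c

        // Every int, including out-of-range and negative values, yields a well-shaped query;
        // SelectSingleNode returns null rather than a different result set.
        foreach (var i in new[] { 0, 1, int.MaxValue - 1, -5 })
        {
            var xpath = BuildLeafSelector(i);
            var node = doc.SelectSingleNode(xpath);
            Console.WriteLine($"{xpath} safeShape={HasSafeShape(xpath)} match={node?.InnerText ?? "<none>"}");
        }

        Console.WriteLine(TryBuildLeafSelectorFromText("1", out var built) ? built : "rejected");
        Console.WriteLine(TryBuildLeafSelectorFromText("not-a-number", out _) ? "built" : "rejected");
    }
}
```

The regex is the triage check: if the only interpolated value is an int, the query can only ever match this shape, which is the reason the finding is a false positive.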
Flagging xpath injection with LINQ queries
Another common false positive is flagging the LINQ Select method on collections as xpath injection.
The GetTypes() definition is: public static IEnumerable<JsonObjectType> GetTypes(this JsonObjectType type). GetTypes() is an example of a csharp extension method, which is very common in modern dotnet code.
var types = parameterItem.Type.GetTypes()
.Select(x => x.ToString())
.Join(", ");
throw Fail($"parameter read fail, expected string, got ({types})");