8

Long story short, no matter what I try VeraCode continues to flag 8 lines of my code as flaws with CWE 918. This is old code so I'm not sure why it's suddenly being flagged.

Here's an example [offending] method with the flagged line in bold

  public virtual async Task<HttpResponseMessage> Put(string controller = "", Dictionary<string, object> parameters = null, object body = null)
        {
            if (string.IsNullOrWhiteSpace(ApiBaseUrl)) return null;
            HttpResponseMessage response = null;

            using (var client = GetHttpClient())
            {
                client.BaseAddress = new Uri(ApiBaseUrl);

                if (!string.IsNullOrEmpty(Token)) client.DefaultRequestHeaders.Add("Token-Key", Token);
                if (!string.IsNullOrEmpty(DeviceId)) client.DefaultRequestHeaders.Add("DeviceId", DeviceId);

                var url = GenerateUrl(controller, parameters);

                var requestBody = GeneratedHttpContent(body);
                if (requestBody == null) requestBody = new StringContent("");

                **response = await client.PutAsync(url, requestBody);**

                await LogError(response);
                return response;
            }
        }

Here's my proposed fix that utilized an extension method to validate the URL

var url = GenerateUrl(controller, parameters);

                var requestBody = GeneratedHttpContent(body);
                if (requestBody == null) requestBody = new StringContent("");

                **if (url.IsValidUrl())
                {
                    response = await client.PutAsync(url, requestBody);
                }
                else
                {
                    response = new HttpResponseMessage(HttpStatusCode.BadRequest);
                }**

                await LogError(response);
                return response;

Here is the extension method with a VeraCode attribute

        [RedirectUrlCleanser]
        public static bool IsValidUrl(this string source)
        {
            return Uri.TryCreate(source, UriKind.RelativeOrAbsolute, out Uri uriResult) && Uri.IsWellFormedUriString(source, UriKind.RelativeOrAbsolute);
        }

I can have VeraCode automatically mitigate based on the attribute, but our client will be performing their own scan and certainly won't have that setting enabled.

Any ideas on how I can resolve this would be appreciated.

m0r6aN
  • 850
  • 1
  • 11
  • 19

2 Answers2

3

The true source of the flaw is inside of your GenerateUrl method which is unfortunately not shown, but here is the general idea of what the Veracode is complaining about.

For CWE ID 918 it is hard to make Veracode recognize your fix unless you have static URL. You need to validate all your inputs that become parts of your request URL. Below is what I found at the Veracode site: https://community.veracode.com/s/question/0D52T00004i1UiSSAU/how-to-fix-cwe-918-veracode-flaw-on-webrequest-getresponce-method

The complete solution existed only for the case where you have single or some small number of possible input values (white list):

public WebResponse ProxyImage(string image_host, string image_path)
{
    string validated_image_host = AllowedHosts.Host1;
    if (image_host.Equals(AllowedHosts.Host2))
        validated_image_host = AllowedHosts.Host2;

    string validated_image = AllowedImages.Image1;
    if (image_path.Equals(AllowedImages.Image2))
        validated_image = AllowedImages.Image2;

    string url = $"http://{validated_image_host}.example.com/{validated_image}";

    return WebRequest.Create(url).GetResponse();
}

If the set of possible valid values is too large for that kind of validation then you need to fix the flaw by implementing dynamic validation of inputs using regular expressions. Unfortunately, Veracode is not smart enough to recognize that kind of fix, so "mitigation by design" is still required.

public WebResponse ProxyImage(string image_host, string image_path)
{
    var image_host_regex = new System.Text.RegularExpressions.Regex("^[a-z]{1,10}$");
    if (!image_host_regex.Match(image_host).Success)
        throw new ArgumentException("Invalid image_host");

    var image_path_regex = new System.Text.RegularExpressions.Regex("^/[a-z]{1,10}/[a-z]{1,255}.png$");
    if (!image_path_regex.Match(image_path).Success)
        throw new ArgumentException("Invalid image_host");

    string url = $"http://{image_host}.example.com/{image_path}";
    return WebRequest.Create(url).GetResponse();
}
Alan Milton
  • 374
  • 4
  • 13
  • 1
    See also: https://veracodecommunities.force.com/CustomerCommunity/s/question/0D52T00004s161DSAQ/how-to-fix-cwe918-serverside-request-forgery-ssrf- – derekbaker783 Feb 07 '23 at 21:17
1

Another way to fix this issue (which is kind of a hack) is to append your query string parameters in the baseAddress of the HttpClient, this way the veracode will not treat it like a flaw.

Here is how the solution would look like

public async Task<Data> GetData(string input)
{
    try
    {
        var httpClient = new HttpClient();

        //Appended the parameter in base address to
        //to fix veracode flaw issue
        httpClient.BaseAddress = new Uri($"https://someurl.com/somefunction/{input}");

        //passing empty string in GetStringAsync to make sure
        //veracode doesn't treat it like modifying url 
        var content = await httpClient.GetStringAsync("");

        return JsonConvert.DeserializeObject<Data>(content);
    }
}
Hamza Khanzada
  • 1,439
  • 1
  • 22
  • 39
  • It is actually a bad advice. If an attacker sends input as `../bad-function` (or `../admin-function?action=format-c`) your server will call that `https://someurl.com/bad-function` using its authentication and authorization data. This is exactly what CWE-918 warns us about. – Alan Milton Oct 07 '20 at 16:32
  • Actually I am not deciding the function dynamically from request data, I was just using that for query string parameters, like the id of record to be fetched. so there is no harm in going for this hack – Hamza Khanzada Oct 08 '20 at 11:30