SOLVED

Fortify sink issue for error logging and hidden field issue for input hidden field using aem6.5


Level 3

Hello,

I am using AEM 6.5 and a Fortify scan found the issues below. Any inputs on how to resolve them will be helpful.

 

1> Error logging

It shows Sink: org.slf4j.Logger.error()

I am doing:

try {
    ...
} catch (CryptoException e) {
    log.error("there was an error {}", e.getMessage());
}

It is throwing the sink error.

 

2> I have a hidden field like the one below in the .html and need it:

<input type="hidden" otherparameters>

 

How do I resolve the above issues so that they do not show up in the Fortify scan? Any sample code will help.

 

Thanks,

Srinivas

1 Accepted Solution


Correct answer by
Level 9

Hi @Srinivas_Opti ,

If you have already implemented the suggested solution for the hidden field issue and are still seeing it flagged in Fortify reports, there may be other factors contributing to the issue. Here are some additional steps you can take to further investigate and resolve the issue:

1. Check the Fortify report for more details: The Fortify report should provide more information about the specific issue and the reason it was flagged. Review the report to see if there are any additional details that can help you identify the root cause of the issue.

2. Verify that the validation is working correctly: Double-check that the server-side validation is working as expected. You can add debug logging or use a debugger to step through the code and verify that the validation logic is being executed correctly.

3. Consider other sources of input: Hidden fields are not the only source of input that can be manipulated by attackers. Check if there are other input fields in your form that could be manipulated and ensure that they are validated on the server-side.

4. Review your code for other security issues: Fortify scans can flag multiple security issues in your code. Review your code for other security issues and address them as necessary.

5. Seek expert assistance: If you are still unable to resolve the issue, consider seeking assistance from a security expert or a Fortify consultant who can help you identify and address the root cause of the issue.

By following these steps, you should be able to identify and resolve the hidden field issue flagged by Fortify in your AEM 6.5 environment.


4 Replies


Level 9

Hi @Srinivas_Opti ,

To address the Fortify scan issues you're encountering in AEM 6.5, let's break down the solutions for each of the issues:

1. Error Logging (Sink: org.slf4j.Logger.error())

Fortify is flagging the logging as a potential security issue because logging sensitive information can lead to information leakage. Here are some best practices to follow for secure logging:

  • Avoid logging sensitive information: Ensure you are not logging sensitive data such as passwords, personal information, or detailed error messages that could be useful to an attacker.
  • Log Exceptions Securely: When logging exceptions, avoid logging the full stack trace directly. Instead, log a unique error identifier and handle the detailed logging securely.

Example Solution

Instead of logging the exception message directly, you could log a generic error message and the exception's stack trace separately, ensuring you do not expose sensitive details.

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class YourClass {
    private static final Logger log = LoggerFactory.getLogger(YourClass.class);

    public void yourMethod() {
        try {
            // Your code here
        } catch (CryptoException e) {
            // Generic message only: do not pass e.getMessage() into the error log (the pattern Fortify flags)
            log.error("An error occurred while processing the request");
            // Stack trace at debug level, which can be disabled in production
            log.debug("Detailed error: ", e);
        }
    }
}

In this approach:

  • The log.error statement provides a generic message, avoiding exposure of sensitive details.
  • The log.debug statement logs the detailed exception stack trace at a lower log level (debug), which can be disabled in production environments.

2. Hidden Field Issue in HTML

Fortify is flagging the hidden input field because hidden fields can be manipulated by attackers. Hidden fields should not contain sensitive data. To resolve this, ensure that hidden fields are used securely and consider server-side validation.

Example Solution

  1. Avoid storing sensitive data in hidden fields.
  2. Validate all input, including hidden fields, on the server-side to ensure they haven't been tampered with.

For instance, if you need to include a hidden field in your form, ensure that it does not contain sensitive information and always validate it on the server-side:

<form action="/submit-form" method="post">
    <!-- Non-sensitive hidden field -->
    <input type="hidden" name="nonSensitiveParameter" value="12345" />
    <!-- Other form fields -->
    <input type="submit" value="Submit" />
</form>

On the server-side, validate the hidden field value:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;

@Override
protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
    String hiddenFieldValue = request.getParameter("nonSensitiveParameter");
    // Validate the hidden field value against the expected format (digits only)
    if (hiddenFieldValue != null && hiddenFieldValue.matches("\\d+")) {
        // Process the form
    } else {
        // Handle invalid input
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input");
    }
}

By ensuring hidden fields are used appropriately and validating them on the server-side, you can mitigate the security risks flagged by Fortify.

  1. Error Logging:
    • Avoid logging sensitive information.
    • Log exceptions with a generic message and use debug level for detailed stack traces.
  2. Hidden Field:
    • Do not store sensitive data in hidden fields.
    • Validate hidden field values on the server-side to ensure they haven't been tampered with.

Implementing these best practices should help resolve the issues flagged by Fortify in your AEM 6.5 environment.
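As an added example (not code from this thread or from the answerer), the Java class below takes the tamper check one step beyond the digits-only format check: the server signs the hidden value with an HMAC when rendering the form and verifies it on submit, and failures are logged with a reference id instead of the user input or the exception message. The class name, the allowed-value pattern and the source of the secret key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Added example (not from the thread): tamper-evident hidden field plus safe logging. */
public class HiddenFieldGuard {
    private static final Logger log = LoggerFactory.getLogger(HiddenFieldGuard.class);
    private static final Pattern ALLOWED = Pattern.compile("\\d{1,10}"); // allow-list format (assumed)
    private final byte[] key; // server-side secret, e.g. loaded from an OSGi config (assumption)

    public HiddenFieldGuard(byte[] key) { this.key = key.clone(); }

    /** Value to render into the hidden input: "<value>.<base64url HMAC-SHA256>". */
    public String sign(String value) throws Exception {
        if (!ALLOWED.matcher(value).matches()) throw new IllegalArgumentException("value not allowed");
        return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(value));
    }

    /** Returns the original value if format and signature check out, otherwise null. */
    public String verify(String submitted) {
        if (submitted == null || submitted.length() > 128) return null; // bound work on untrusted input
        int dot = submitted.lastIndexOf('.');
        if (dot < 1) return null;
        String value = submitted.substring(0, dot);
        if (!ALLOWED.matcher(value).matches()) return null;
        try {
            byte[] expected = hmac(value);
            byte[] given = Base64.getUrlDecoder().decode(submitted.substring(dot + 1));
            return MessageDigest.isEqual(expected, given) ? value : null; // constant-time compare
        } catch (Exception e) {
            String ref = UUID.randomUUID().toString();
            log.error("Hidden field verification failed, ref={}", ref); // generic message, no user input
            log.debug("Details for ref={}", ref, e);                    // stack trace only at debug level
            return null;
        }
    }

    private byte[] hmac(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }
}
```

A static HTML check keys on the `type="hidden"` markup itself, so a server-side control like this mitigates the underlying risk but does not remove the pattern the scanner matches; the finding may still need to be audited in the tool.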


Level 3

Thanks @HrishikeshKa for the inputs. I will make the changes, validate, and update you again on this.

 

Regards,

Srinivas


Level 3

Hi @HrishikeshKa ,

 

Issue 1 is resolved.

Issue 2: still present

I have added it as suggested for the input field, but it still shows as an issue in the Fortify reports. What can I do to resolve the issue? Please suggest.

<input type="hidden" name="nonSensitiveParameter" value="12345" />

And I have added servlet validation also:

protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
    String hiddenFieldValue = request.getParameter("nonSensitiveParameter");
    // Validate the hidden field value
    if (hiddenFieldValue != null) {
        // Process the form
    } else {
        // Handle invalid input
    }
}
 
 
Regards,
Srinivas
