Fortify Path Manipulation Issues

Goal

The purpose of this article is to propose a remedy for the Path Manipulation issues that Fortify reports.

Background

Many companies, including my own, use a tool called Fortify to analyze their code. Fortify is an HP static analysis product that finds defects such as memory leaks and security weaknesses in source code. It is probably the best-known tool for this purpose. Companies use it to improve the quality of their code and to prepare for third-party audits. Some Fortify links are listed at the end of the article for reference.

One of the issues Fortify commonly reports is Path Manipulation. The issue is that if a file-system path is built from data taken from an external source, an attacker who controls that source can steer the path to files you never intended to touch, and so delete or overwrite them or otherwise compromise the system.

Like many other people, I found this issue in my code and searched the internet for a resolution. The most common proposal was to run the path through the Java class FileSystems in the nio package. The effect of that is only to hide from Fortify the fact that the path came from an external source; the same value still reaches the file system. So while it sometimes silences the warning, it does nothing to address the real issue.

The remedy Fortify suggests is to keep a white-list of trusted directories, accept only inputs on that list, and reject everything else. This is not always viable in a production environment, because you cannot always control where the client will deploy your application. In my company's situation, we cannot control where the client keeps its source data, so we need to support specifying a directory path at execution time. In this situation a fixed list of valid paths will not work.

The Solution

I am putting forward an alternative remedy.

Allow the user to enter the path, then parse the input against a white-list of acceptable characters. Any character you do not want in a path is rejected from the input, either removed or replaced with a placeholder. This gives you control over what the user can enter while still allowing them the flexibility they need to point the application at their data and configuration.

Below is an example. It does pass the Fortify review. The important point is to return a literal and not the character being checked: Fortify tracks which parts of a value came from the original input, and if any of the original input flows into the result you may still get the error. Note also what this check does and does not do: '/' and '.' are on the white-list, so a sequence such as ../ passes through unchanged. The cleaned string is free of characters you never want in a path, but it still has to be resolved against the directory the deployment is meant to use and rejected if it lands outside that directory.

Related Links:

Fortify: https://en.wikipedia.org/wiki/Fortify_Software

HP: https://en.wikipedia.org/wiki/Hewlett-Packard

Path Manipulation: https://stackoverflow.com/questions/12690652/how-to-fix-path-manipulation-vulnerability-in-some-java-code

public class CleanPath {

    /**
     * Rebuilds the input from white-listed literal characters so that the
     * result carries no taint from the original string. Returns null for null.
     */
    public static String cleanString(String aString) {
        if (aString == null) return null;
        StringBuilder cleanString = new StringBuilder(aString.length());
        for (int i = 0; i < aString.length(); ++i) {
            cleanString.append(cleanChar(aString.charAt(i)));
        }
        return cleanString.toString();
    }

    /**
     * Maps one input character to a literal. The loops compare against the
     * ASCII code and return the loop variable cast to char, never aChar
     * itself, because Fortify tracks aChar as tainted input.
     */
    private static char cleanChar(char aChar) {

        // '0' - '9' (ASCII 48 - 57)
        for (int i = 48; i < 58; ++i) {
            if (aChar == i) return (char) i;
        }

        // 'A' - 'Z' (ASCII 65 - 90)
        for (int i = 65; i < 91; ++i) {
            if (aChar == i) return (char) i;
        }

        // 'a' - 'z' (ASCII 97 - 122)
        for (int i = 97; i < 123; ++i) {
            if (aChar == i) return (char) i;
        }

        // other permitted characters; note that '/' and '.' are allowed,
        // so a "../" sequence passes through unchanged
        switch (aChar) {
            case '/':
                return '/';
            case '.':
                return '.';
            case '-':
                return '-';
            case '_':
                return '_';
            case ' ':
                return ' ';
        }

        // everything else (backslash, NUL, shell metacharacters, ...) becomes a placeholder
        return '%';
    }
}
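The following Java class is an added example, not code from the original article, that shows what the character white-list does and does not protect against, and how to combine it with the run-time base directory that the Background section says must stay configurable. The base directory /srv/app/data and the sample inputs are constructed for the demonstration. The cleanString here is a regex reimplementation of the article's white-list, used only to show its behaviour; for the Fortify scan itself keep the literal-returning CleanPath above, since Fortify would still treat a regex-filtered string as tainted.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class PathContainment {

    // Behaviourally equivalent to CleanPath.cleanString: every character
    // outside the white-list [A-Za-z0-9/._ -] becomes '%'. Regex form is
    // for brevity in this demonstration only (Fortify still sees it as tainted).
    static String cleanString(String s) {
        return s == null ? null : s.replaceAll("[^A-Za-z0-9/._ -]", "%");
    }

    // Resolves a user-supplied path against a base directory configured at
    // deployment time and returns the normalized target, or null if the
    // target lies outside the base. normalize() folds "." and ".." lexically;
    // when the file must already exist and symbolic links matter, apply
    // toRealPath() to both base and target before the startsWith check.
    static Path resolveInside(String baseDir, String userPath) {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path target = base.resolve(userPath).normalize();
        return target.startsWith(base) ? target : null;
    }

    public static void main(String[] args) {
        String base = "/srv/app/data"; // hypothetical directory configured at run time

        // Constructed inputs covering cases the white-list handles and cases it misses.
        String[] inputs = {
            "reports/2020/q1.csv",          // benign relative path: accepted
            "../../etc/passwd",             // '.' and '/' are white-listed: survives cleaning,
                                            // only the containment check rejects it
            "..\\..\\etc\\passwd",          // backslashes become '%': one odd file name inside base
            "/srv/app/data/reports/q1.csv", // absolute path inside the base: accepted
            "/etc/passwd",                  // absolute path outside the base: rejected
            "q1.csv; rm -rf data",          // shell metacharacters become '%': harmless name
        };

        for (String in : inputs) {
            String cleaned = cleanString(in);
            Path target = resolveInside(base, cleaned);
            System.out.printf("%-30s cleaned=%-30s %s%n", in, cleaned,
                    target == null ? "REJECTED (escapes " + base + ")" : "OK " + target);
        }
    }
}
```

Run it with `java PathContainment.java` (Java 11 or later). The second input is the one to watch: cleaning leaves `../../etc/passwd` untouched, and it is `resolveInside` that turns it away, while the backslash variant is neutralised by the white-list alone. Using both steps keeps the flexibility the article needs (the base directory is supplied at execution time, not hard-coded) without trusting the user to stay inside it.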

Translated from: https://www.experts-exchange.com/articles/30499/Fortify-Path-Manipulation-Issues.html
