We have implemented Aspose.Cells for Java in one of our applications and ran a security test (SAST + VAPT) before production deployment. During the test, the Fortify tool raised the error below (Common Weakness Enumeration - CWE-114: Process Control (4.13)):
CWE-114 Process Control Untrusted Search Path
Description
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
Extended Description
Process control vulnerabilities take two forms:
1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is.
2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means.
Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
Please advise how to resolve this error, as this is needed for moving an error-free application to the production server after a successful SAST test.
@gaurav.saxena,
We have understood the issue but we need to look into it more. We have logged the issue in our database for investigation and for a fix (if possible). Once we have some news for you, we will update you in this topic.
This issue has been logged as
CELLSJAVA-42972 – SAST testing issue (CWE -114 - untrusted) with Aspose cells
Thanks for the update. Just to add that this has been tested with a one-developer, one-system paid license of Aspose.Cells. We need the resolution at the earliest, as we need to plan for production deployment.
@gaurav.saxena,
We have recorded your concern along with the logged ticket; however, as this issue was logged only recently, please spare us a little time to reproduce and investigate it. We will write back here as soon as some feedback is ready to share.
Hi team,
Can I have a further update on this issue?
It is impacting our production deployment now, as we cannot close the security issue reported against the Aspose library. The last option I will have is to remove the Aspose integration from the project.
@gaurav.saxena,
We have checked our library with other tools such as SpotBugs and its plugins and found some CWE-xxx warnings. Commonly they are caused by file access with a user-input path. We are planning to enhance our product according to the check results, but that needs a certain amount of effort and time and we cannot finish it soon. And, because those inputs are controlled by the users who use those APIs of our product, the security risk should be controllable by the users too. However, we could not find this kind of CWE-114 warning. Did your tool give more details about it, such as the classes, methods or other invoked APIs? If so, please provide us those messages, which can help us find and fix the issue earlier, before we get other proper tools.
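Since the reply above says the warnings come from file access with user-supplied paths and that the calling application controls that input, one way the API user can contain that risk is to canonicalize and allow-list the path before handing it to the library. This is an added example, not code from Aspose or from the original thread; it assumes the `com.aspose.cells.Workbook(String)` constructor and uses a constructed base directory (`/var/app/uploads`) as the only location from which workbooks may be loaded.

```java
import com.aspose.cells.Workbook;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeWorkbookLoader {
    // Constructed example value: only files under this directory may be opened.
    private static final Path BASE_DIR =
        Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /** Resolves a caller-supplied file name against BASE_DIR and rejects anything that escapes it. */
    static Path resolveUntrustedPath(String userInput) throws IOException {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // resolve() returns userInput unchanged if it is absolute; normalize() folds "..".
        Path candidate = BASE_DIR.resolve(userInput).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes the allowed directory");
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IOException("not a regular file: " + candidate);
        }
        // Follow symlinks so a link placed inside BASE_DIR cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new IllegalArgumentException("symlink target outside the allowed directory");
        }
        String name = real.getFileName().toString().toLowerCase();
        if (!(name.endsWith(".xlsx") || name.endsWith(".xls"))) {
            throw new IllegalArgumentException("unsupported file extension");
        }
        return real;
    }

    /** Loads a workbook only after the path has passed the checks above. */
    static Workbook load(String userInput) throws Exception {
        Path safe = resolveUntrustedPath(userInput);
        return new Workbook(safe.toString());
    }
}
```

Passing the validated `Path` rather than the raw request parameter also gives SAST tools a visible sanitizer between the untrusted input and the file-access sink.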