Configuring the Java injection check
At design time and at run time, Pega Platform checks activities, functions, and stream rules for the following Java injection patterns:
- Runtime.getRuntime()
- new ProcessBuilder()
- JavaCompiler
- org.dita.dost.invoker
For rules that were created before version 8.3, the system behavior depends on the value of the dynamic system setting security/enableJavaInjectionMitigation.
- If a vulnerability is found and the dynamic system setting is not defined or is false, the rule runs and security alert SECU0018 is written to the security alert log.
- If a vulnerability is found and the dynamic system setting is true, an error is reported and the rule does not run.
Optional: To check for Java injection vulnerabilities in addition to the default checks listed above, set the JVM system property named JavaInjection to a regular expression; any match is flagged as a vulnerability. For example:
-DJavaInjection="new Foo()"
Because the value is interpreted as a regular expression rather than literal text, metacharacters such as parentheses must be escaped (for example, new Foo\(\)) if they are meant to match literally; an unescaped "new Foo()" matches the text "new Foo".
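The following Python script is an added illustration, not Pega code: it pre-scans Java fragments (such as the Java steps of activity rules) for the default patterns listed above plus an optional extra regular expression that stands in for the JavaInjection property, and reports what the platform would do with each rule under either value of security/enableJavaInjectionMitigation. The function names, the sample Java fragments, and the exact regular expressions are constructed for this example; the platform's own matcher may differ in detail.

```python
import re

# Default patterns named on the page, written as regular expressions so the
# literal text matches (dots and parentheses are escaped). Assumed encoding of
# the checks; the platform's own matcher may differ.
DEFAULT_PATTERNS = {
    "Runtime.getRuntime()": r"Runtime\.getRuntime\(\)",
    "new ProcessBuilder()": r"new\s+ProcessBuilder\s*\(",
    "JavaCompiler": r"\bJavaCompiler\b",
    "org.dita.dost.invoker": r"org\.dita\.dost\.invoker",
}

SECURITY_ALERT = "SECU0018"


def build_checks(extra_regex=None):
    """Compile the default checks plus an optional extra pattern.

    extra_regex plays the role of the JavaInjection JVM property: it is
    taken as a regular expression, not as literal text.
    """
    checks = {label: re.compile(pat) for label, pat in DEFAULT_PATTERNS.items()}
    if extra_regex:
        checks["JavaInjection property"] = re.compile(extra_regex)
    return checks


def find_java_injection(source, extra_regex=None):
    """Return a list of (check label, line number, matched text) for each hit."""
    findings = []
    checks = build_checks(extra_regex)
    for line_no, line in enumerate(source.splitlines(), start=1):
        for label, regex in checks.items():
            for match in regex.finditer(line):
                findings.append((label, line_no, match.group(0)))
    return findings


def evaluate_rule(name, source, mitigation_enabled, extra_regex=None):
    """Apply the page's decision table to one rule.

    mitigation_enabled mirrors security/enableJavaInjectionMitigation:
    None or False -> the rule runs and SECU0018 is logged;
    True          -> an error is reported and the rule does not run.
    """
    findings = find_java_injection(source, extra_regex)
    if not findings:
        return {"rule": name, "runs": True, "alert": None, "findings": []}
    if mitigation_enabled:
        return {"rule": name, "runs": False, "alert": None, "findings": findings}
    return {"rule": name, "runs": True, "alert": SECURITY_ALERT, "findings": findings}


def scan_rules(rules, mitigation_enabled, extra_regex=None):
    """Evaluate every rule in a {name: java_source} mapping."""
    return {name: evaluate_rule(name, src, mitigation_enabled, extra_regex)
            for name, src in rules.items()}


# Constructed Java fragments standing in for the Java steps of four rules.
SAMPLE_RULES = {
    "ExportReport": 'String out = Runtime.getRuntime().exec("ls").toString();',
    "BuildArchive": 'ProcessBuilder pb = new ProcessBuilder("tar", "cf", name);',
    "FormatName": 'String full = first.trim() + " " + last.trim();',
    "LegacyHook": "Foo f = new Foo(); f.run(ctx);",
}

if __name__ == "__main__":
    # Same extra pattern as the page's -DJavaInjection="new Foo()" example.
    for enabled in (False, True):
        print(f"security/enableJavaInjectionMitigation = {str(enabled).lower()}")
        for result in scan_rules(SAMPLE_RULES, enabled, "new Foo()").values():
            status = "runs" if result["runs"] else "BLOCKED"
            alert = f" alert={result['alert']}" if result["alert"] else ""
            print(f"  {result['rule']:<13} {status}{alert} {result['findings']}")
```

Running the script with the DSS modeled as false shows the three flagged rules running with SECU0018 raised; with it modeled as true they are blocked and only FormatName runs. The LegacyHook finding also shows the regex caveat: the unescaped "new Foo()" pattern reports the match "new Foo", because the empty group matches nothing.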