Analyzing security vulnerability search results
To make Pega Platform applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that match regular expression rules, some of which might indicate security vulnerabilities, as detailed below.
To use the analyzer, you must have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.
- The Rule Security Analyzer tool examines only custom code, not autogenerated rules.
- Blocked rules are ignored. These rules are identified by the property
.pyRuleAvailable = "Blocked"
. - The tool scans rules in your own applications, not rules in standard Pega Platform rulesets.
The Rule Security Analyzer tool finds potential security vulnerabilities in code by searching for matches to regular expressions that are defined in Rule Analyzer Regular Expression rules. The system provides the following standard regular expressions. You can supplement these standard regular expressions with regular expressions that you create.
Expression Name | Description |
pyCrossSiteScriptingActiveValue | Finds possible cross-site scripting vulnerabilities from unencoded output to the
browser. Calls to tools.getActiveValue() should be wrapped in
StringUtils.crossScriptingFilter or converted to the appropriate
non-string value. For example, the following expressions are allowed:
For more information, see Understanding cross-site scripting. |
pyCrossSiteScriptingFromParam | Finds possible cross-site scripting vulnerabilities from unencoded output to the
browser. Calls to tools.getParamValue() should be wrapped in
StringUtils.crossScriptingFilter or converted to the appropriate
non-string value. For example, the following expressions are allowed:
For more information, see Understanding cross-site scripting. |
pyDatabase | This is an old version of the pySQLInjection rule, which is
described below. Finds direct calls to the database, for example:
executeRDB() , createRDBListSpec() ,
RDBExecute() . |
pyLogStatements | Rules that call oLog or System are flagged, and
should be reviewed manually to ensure that no critical or confidential data is
logged. |
pySQLInjection | Finds patterns and APIs that might inject unfiltered user input to an SQL query.
Direct SQL queries that could be maliciously modified at run time should not be
allowed, for example: executeRDB() ,
createRDBListSpec() , RDBExecute() ,
executeDBSchemaUpdates() . Validate all input from the user and use
parameterized queries with bind variables where possible. |
pySystemCall | Finds system calls, for example: getRuntime() ,
ProcessBuilder . These calls are permitted but should be manually
reviewed. |
pyUnsafeURL | To prevent data from being misinterpreted as having a special meaning, finds URLs and query parameters that are not encoded. |
pyXMLExternalEntity | Finds instances of XML parsing with DocumentBuilderFactory or
XMLInputFactory (among others) that are not protected against XML
External Entity (XXE) attack vectors. For a complete list of the validations performed
by this rule, see the GitHub web site for OWASP Cheat Sheet Series
(XML_External_Entity_Prevention_Cheat_Sheet.md ). For example,
the following are considered safe when using
DocumentBuilder.newInstance() :
|
The following regular expressions are also provided and can be used with the analyzer, although they are not specifically related to security.
Expression Name | Description |
pyCustomJS | Finds rules that attempt to obtain node information and other information that
might interfere with an upgrade. For example, rules cannot contain expressions such as
CHILDNODES , PARENTNODE ,
FIRSTCHILD , LASTCHILD ,
NEXTSIBLING , PREVIOUSSIBLING , and so
forth. |
pyGetThreadInRules | Finds references to getThread() . |
pyNbspInDSDefaultCaption | Finds DynamicSelect controls that contain a default caption that includes
  . |
pyNbspInSections | Finds controls that contain the value   . |
pyUnsafeURL | Finds dynamic generation of URLs that do not use the encoding API. |
Previous topic Searching for security vulnerabilities in rules Next topic Security guidelines for custom HTML