Rule Security Analyzer

To make Pega Platform applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that match regular expression rules, some of which might indicate security vulnerabilities, as detailed below.

To use the analyzer, you must have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note that:

  • The Rule Security Analyzer tool examines only custom code, not autogenerated rules.
  • Blocked rules are ignored. These rules are identified by the property .pyRuleAvailable = "Blocked".
  • The tool scans rules in your own applications, not rules in standard Pega Platform rulesets.

The Rule Security Analyzer tool finds potential security vulnerabilities in code by searching for matches to regular expressions that are defined in Rule Analyzer Regular Expression rules. The system provides the following standard regular expressions. You can supplement these standard regular expressions with regular expressions that you create.

Expression Name Description
pyCrossSiteScriptingActiveValue Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to tools.getActiveValue() should be wrapped in StringUtils.crossScriptingFilter or converted to the appropriate non-string value. For example, the following expressions are allowed:
  • String x = StringUtils.crossScriptingFilter(tools.getActiveValue())
  • int y = Integer.parseInt(tools.getActiveValue())

For more information, see the Pega Community article Best practices to avoid cross-site scripting (XSS) vulnerabilities.

pyCrossSiteScriptingFromParam Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to tools.getParamValue() should be wrapped in StringUtils.crossScriptingFilter or converted to the appropriate non-string value. For example, the following expressions are allowed:
  • String x = StringUtils.crossScriptingFilter(tools.getParamValue("x"))
  • int y = Integer.parseInt(tools.getParamValue("y"))

For more information, see the Pega Community article Best practices to avoid cross-site scripting (XSS) vulnerabilities.

pyDatabase This is an old version of the pySQLInjection rule, which is described below. Finds direct calls to the database, for example: executeRDB(), createRDBListSpec(), RDBExecute().
pyLogStatements Rules that call oLog or System are flagged, and should be reviewed manually to ensure that no critical or confidential data is logged.
pySQLInjection Finds patterns and APIs that might inject unfiltered user input to an SQL query. Direct SQL queries that could be maliciously modified at run time should not be allowed, for example: executeRDB(), createRDBListSpec(), RDBExecute(), executeDBSchemaUpdates(). Validate all input from the user and use parameterized queries with bind variables where possible.
pySystemCall Finds system calls, for example: getRuntime(), ProcessBuilder. These calls are permitted but should be manually reviewed.
pyUnsafeURL To prevent data from being misinterpreted as having a special meaning, finds URLs and query parameters that are not encoded.
pyXMLExternalEntity Finds instances of XML parsing with DocumentBuilderFactory or XMLInputFactory (among others) that are not protected against XML External Entity (XXE) attack vectors. For a complete list of the validations performed by this rule, see the GitHub web site for OWASP CheatSheetSeries (XML_External_Entity_Prevention_Cheat_Sheet.md). For example, the following are considered safe when using DocumentBuilder.newInstance():
  • setExpandedEntityReferences(false)
  • setFeature("http://apache.org/xml/features/disallow-doctype-decl",true)
  • setFeature("http://xml.org/sax/features/external-general-entities",false)

The following regular expressions are also provided and can be used with the analyzer, although they are not specifically related to security.

Expression Name Description
pyCustomJS Finds rules that attempt to obtain node information and other information that might interfere with an upgrade. For example, rules cannot contain expressions such as CHILDNODES, PARENTNODE, FIRSTCHILD, LASTCHILD, NEXTSIBLING, PREVIOUSSIBLING, and so forth.
pyGetThreadInRules Finds references to getThread().
pyNbspInDSDefaultCaption Finds DynamicSelect controls that contain a default caption that includes &nbsp.
pyNbspInSections Finds controls that contain the value &nbsp.
pyUnsafeURL Finds dynamic generation of URLs that do not use the encoding API.