Java Security Analysis for IntelliJ IDEA
19 Mar 2019 by Julian Karl, Amin Dada
Detecting vulnerabilities as early as possible in the development process is crucial to minimize the costs of security flaws. With the help of our IntelliJ IDEA plugin, RIPS' leading Java code analysis can be fully integrated into your developer editor to detect and resolve security issues in real-time. In this blog post, we introduce new plugin features and present a typical use case.
New Plugin Features
In the course of our last releases, we added various new functionalities and improved existing ones to enhance the quality of our IntelliJ plugin. These include support for analyzing Java code, support for multi-module projects, tracking and commenting of issues, and the option to save general settings on an application level.
We started this year with a major RIPS release 3.0. We added a completely new analysis engine to RIPS that is specifically designed to find security flaws in Java code. The engine adopts our award-winning static code analysis algorithms and applies them to Java. It scans for over 60 critical security vulnerability types and more than 20 security-related code quality issues. It has already detected multiple previously unknown security vulnerabilities in popular open-source software, details of which will be released soon (stay up-to-date). Our new IntelliJ plugin allows you to seamlessly integrate our new Java engine and its reports into your workflow when developing Java applications.
One of our favorite new features is issue tracking. It ensures that the position of issues in your code is not lost when your code base changes after the last scan. This is a very useful feature since it persists all issues for a specific scan even if you restart your IDE. Before, code changes could sometimes lead to mismatched sinks, sources, or concats (string concatenations on the data flow), and therefore to unnecessary additional scans to readjust the positions. This is no longer necessary thanks to the issue tracking feature.
Another new feature is the multi-module project support. It enables you to select the root-module or each sub-module individually for each scan. This is especially useful for large projects as it might make sense to only scan the part of your project you are currently working on. This can save a lot of time when you are working on a complex project with various modules. Naturally, you can still scan the entire project by simply selecting the root-module. Our plugin detects all modules automatically and presents them in a drop-down menu for easy selection.
Our plugin offers an intuitive interface to review the detected security vulnerabilities of a scan. It groups the vulnerabilities by their types and ranks these by their severity. When selecting an issue you can either jump to the corresponding line of code or review and comment the issue. Different review labels can be assigned to a vulnerability to track and coordinate the review process in your team. All review labels and comments are synchronized with RIPS in real-time and are available to other IntelliJ plugin or RIPS UI users immediately.
Case Study: Path Traversal in Google’s OpenRefine
A recently reported path traversal vulnerability in Google’s OpenRefine 3.0 allowed attackers to write files to arbitrary locations. It was caused by the use of an unsanitized path during the extraction of a ZIP archive. In the following, we use this vulnerability as an example of how to use our IntelliJ RIPS plugin to efficiently detect security issues in Java code.
We clone the OpenRefine 3.0 repository that is affected by this issue and import the project into IntelliJ IDEA. Our plugin displays all modules and we select the parent-module “openrefine” to scan the entire application. Then, we simply start a new security scan with RIPS by clicking on the button on the left-hand side of the dropdown.
The code in the IntelliJ editor will now be sent to the RIPS server for analysis (on-premises or SaaS). As soon as RIPS detects a new security issue with a severity level of high or critical, a notification pops up to ensure that the most dangerous issues are prioritized.
The complete scan finishes after only 3 minutes. Among other findings, RIPS has detected multiple path traversal vulnerabilities based on the data flow from different input sources to sensitive file operations.
Let’s investigate the second, highlighted path traversal issue. We can directly jump into the affected code lines of the vulnerability in the IntelliJ editor.
The source of malicious user input is ZipEntry.getName(), which returns the name of a file extracted from a ZIP archive (line 657). If this archive is under an attacker's control, they can prepare an archive with malicious file names. The file name is then passed on to the method allocateFile() in the next line 658.
In the method allocateFile(), the file name is then used unsanitized within a new java.io.File constructor: the sink of our vulnerability. Our plugin highlights a Path Traversal vulnerability because RIPS analyzed the data flow and found that the path passed to this constructor can be controlled by an attacker.
For example, a modified ZIP archive can hold a file named ../../../backdoor.sh, which would lead to an arbitrary file write in the file system. All this information, and more, is provided in our plugin’s issue summary and description.
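The source-to-sink flow described above, as an added example that is not OpenRefine's code: the unsanitized pattern (entry name straight into java.io.File) next to a hardened allocation that canonicalizes both paths and refuses any entry resolving outside the destination directory. Class and method names (SafeZipPaths, allocateFileUnsafe, allocateFileSafe) are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.zip.ZipEntry;

// Added example, not OpenRefine's code: the unsafe allocation pattern
// beside a hardened version. Names are assumptions for illustration.
public class SafeZipPaths {

    // Vulnerable pattern: ZipEntry.getName() flows straight into the
    // java.io.File constructor, so "../../../backdoor.sh" escapes destDir.
    static File allocateFileUnsafe(File destDir, ZipEntry entry) {
        return new File(destDir, entry.getName());
    }

    // Hardened pattern: canonicalize both paths (resolving "..", symlinks,
    // and redundant separators) and require the target to stay under destDir.
    static File allocateFileSafe(File destDir, ZipEntry entry) throws IOException {
        String destPath = destDir.getCanonicalPath();
        if (!destPath.endsWith(File.separator)) {
            destPath += File.separator; // prevents "/tmp/extract-evil" matching "/tmp/extract"
        }
        File target = new File(destDir, entry.getName());
        String targetPath = target.getCanonicalPath();
        if (!targetPath.startsWith(destPath)) {
            throw new IOException("ZIP entry escapes destination directory: " + entry.getName());
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File destDir = new File(System.getProperty("java.io.tmpdir"), "extract");
        // Constructed sample entries: one benign, one carrying the traversal name from the post.
        ZipEntry benign = new ZipEntry("data/report.csv");
        ZipEntry hostile = new ZipEntry("../../../backdoor.sh");

        System.out.println("unsafe: " + allocateFileUnsafe(destDir, hostile).getCanonicalPath());
        System.out.println("safe:   " + allocateFileSafe(destDir, benign).getCanonicalPath());
        try {
            allocateFileSafe(destDir, hostile);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the unsafe target resolving outside the extraction directory, the benign entry accepted, and the traversal entry rejected before any file is created.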
The new version of our IntelliJ plugin is an extremely useful and broadly applicable tool for developers and security researchers to find, report, and fix security vulnerabilities in Java and PHP code. It integrates seamlessly into the well-known IDEs IntelliJ IDEA and PhpStorm and can be used intuitively for a great number of different tasks. It supports the detection of security issues in the earliest stage of the development process, which reduces the time and cost required to resolve them.