Tuesday 20 November 2012

Auditing Java code, or IntelliJ IDEA as poor man's Fortify

This Twitter exchange got me to look at IDEA. The below are a few tips and config files that can get you started with using IDEA for manual audits. IMHO the results will be close to what you get from commercial code scanner, albeit slightly slower :)

IntelliJ features useful for code auditing

  1. "Analyze" ->"Data flow to here" or "Data flow from here" https://www.jetbrains.com/idea/webhelp/analyzing-data-flow.html
  2. "Analyze" -> "Inspect code"(next section below)
  3. All kinds of source navigation - to definition, to usages etc. Shortcuts below.

Custom code inspections

One of good starting points for basic concepts of code audits is Chapter 19 of "Web Application Hacker's Handbook" 2ed. You obviously have to have a clue what this security thing is all about, and this post is not an audit tutorial.

I've created some custom inspections for IDEA, as its original "Security" set is quite arbitrary and if it targets anything, it is applets, not web apps. My inspection policies are based on the WAHH2E book and are geared towards identifying user input, dodgy file operations and so on.

You can get the policies from https://github.com/agelastic/intellij-code-audit

Installing the inspection policies

Open Options / Inspections. Import the policy you want to use (the full policy may produce a lot of results on very large projects, e.g. full Confluence produces about 2000 results, so I made partial policies as well), check "Share Profile", or you won't be able to use this policy.

Configuring custom code inspections in IDEA
Each of my inspection configs contains a single enabled item - "General"/"Structural Search Inspection" with a number of templates.

TIP: For some reason IntelliJ sometimes ignores the imported policy and as a result you will have no findings. What seems to work is to scan the code with any builtin policy, for example, "Default", and then run the security one. If you do not see the "Inspecting code..." progress window, then analysis did not happen.

Templates will find points in code that are interesting for security auditor - HTTP parameters, file access, sessions, SQL queries, etc. Then you can use data flow analysis (point 1 in the list above) or simply navigate through source (below).

Running an analysis

Open "Analyze" / "Inspect code", select the policy, scope etc, run, check results. There are various ways of marking things as reviewed - see "suppress" options in the results pane. They are the same as with any other alerts produced by code inspection engine.

It may be useful (depending on a kind of the finding) to investigate data flow to and from the found input/output point.

IntelliJ's docs for this feature, which in turn uses very powerful Structural Search & Replace engine are at https://www.jetbrains.com/idea/webhelp/creating-own-inspections.html

Code navigation shortcuts

These are collected from Stackoverflow posts. They are for Mac OS, Windows shortcuts usually have CTRL instead of CMD

Cmd + Shift + A - opens a window where you can search for GUI commands
Cmd + Alt + Left to get back, Cmd + Alt + Right  to “go forward”
Cmd + B - Go to declaration
Cmd + Alt + B - Go to implementation
Cmd + U - Go to super-method/super-class
Cmd + Alt + F7 - Show usages
Cmd + N - Go to class
Cmd + P - Parameter info
Cmd-F - Find, F3/Shift + F3 - Find next/previous, Ctrl + Shift + F - Find in path
F2/Shift + F2 - Next/previous highlighted error
Cmd + E - recently used files
Cmd + P - Parameter info
Ctrl + Shift + Q - Context info
Ctrl + J - Quick documentation

Learning shortcuts

There is a great plugin that will teach you shortcuts fast - Key Promoter. Any time you do something with menus, it will show you what shortcut you could use to achieve the same effect.

Bonus: Code Reviewing Web App Framework Based Applications