Question


Accenture
AU
Last activity: 2 Mar 2023 6:18 EST
Access Control Health Check tool seems to be throwing false positives
As part of our app build we generally run the "Access Control Check" utility to detect potential security issues. The utility is throwing warnings for the following 2 lines:
String captchaURL = baseURL + "?" + pega_rules_utilities.pzEncryptURLActionString(tools, "Requestor", "pyActivity=Code-Security.pyGenerateCaptcha");
String cacheManifestURL = baseURL + "?" + pega_rules_utilities.pzEncryptURLActionString(tools, "Requestor", "pyActivity=Code-Security.pzGenerateLoginCacheManifest");
If anyone has an idea how to resolve this issue, can you please help? To me this looks like a false positive, since the code is using pzEncryptURLActionString, which should register the URL and avoid the security issue.
Is the tool at fault, or are we missing something?
***Edited by Moderator Marissa to add Support Case Details***
Accepted Solution
Updated: 15 Mar 2022 17:08 EDT


Pegasystems Inc.
GB
There is an issue with the code that blocks unregistered requests pyBlockUnregisteredRequests and issues with switching apps. (BUG-623496 as reference)
To fix this we have added changes to reset BAC flags when Access group changes.
These changes are available in 8.6 version.


Accenture
AU
@KAUSTAV.DUTTA anyone has any suggestions?
Updated: 15 Mar 2022 4:16 EDT


Lloyds Banking Group PLC
GB
@KAUSTAV.DUTTA - have you since understood/been given an explanation on why the above lines were captured as issues in the access control check utility?


Accenture
AU
While there was no official response, we have since found that this was a false positive. The Access Control Health Check tool relies on 2 regex rules, pySafeURLAndActivity and pyReferencingRules; we ended up tuning them to our security concerns.
Since the tuning would be org specific, I'd recommend that you work with your internal security team to refine the regexes to your organization's security needs.


Lloyds Banking Group PLC
GB
@MarijeSchillern We are on 8.7 and can see the same behavior in it where lines with pzEncryptURLActionString are captured as areas of vulnerabilities to be fixed. Attached screenshot as an example.


Pegasystems Inc.
GB
@LEELABIRAMS6337 this may be a different scenario.
Could I ask you to log that as a Support Incident in MSP?
Feel free to inform us of the INC number so that we can help track progress on it.


Lloyds Banking Group PLC
GB
@MarijeSchillern INC-216657


Pegasystems Inc.
US
Thanks @LEELABIRAMS6337!
I have updated your post with the Incident information and connected this post to the Incident in My Support Portal.


Pegasystems Inc.
GB
Outcome of the Pega 8.7 question logged in INC-216657 (Access control check wizard presents unexpected results)
Root cause description:
Access Control check is to identify the rule which may introduce risk.
One of the regular expressions used in this Access control check is pySafeURLAndActivity, which checks whether the rule contains plaintext -pyActivity or unsafeUrl.
Solution type: Explanation
Access Control check is to identify the rule which may introduce risk.
One of the regular expressions used in this Access control check is pySafeURLAndActivity, which checks whether the rule contains plaintext -pyActivity or unsafeUrl. That is why you can see the rules which are already handled. So you can ignore the result if it returns a handled rule.
And if you don't want to see the handled activity in this check, you can extend pySafeURLAndActivity, as this is an available rule.
https://docs-previous.pega.com/security/86/using-access-control-checks
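The behaviour the thread converges on (a regex check that reports any plaintext pyActivity= parameter, so it also reports lines that already wrap the parameter in pzEncryptURLActionString, and the suggestion to extend the rule so handled lines drop out) can be illustrated with an added Python example. This is not Pega's pySafeURLAndActivity rule or any Pega code: the pattern PLAINTEXT_ACTIVITY, the exemption logic in strip_encrypted_calls, and the sample source lines are all assumptions constructed here for illustration. The tuned check still reports a line where a plaintext pyActivity= appears outside the encrypting call, which is the case a tuned regex must not silence.

```python
import re

# Constructed sample source lines, modelled on the two Java statements quoted
# in the question; they are not an actual Pega rule.
SAMPLE_LINES = [
    'String captchaURL = baseURL + "?" + pega_rules_utilities.pzEncryptURLActionString(tools, "Requestor", "pyActivity=Code-Security.pyGenerateCaptcha");',
    'String rawURL = baseURL + "?pyActivity=Code-Security.pyGenerateCaptcha";',
    'String mixed = pzEncryptURLActionString(tools, "Requestor", "pyActivity=Code-Security.pyGenerateCaptcha") + "&pyActivity=Work-.Open";',
    'String harmless = "no activity reference here";',
]

# Assumed illustrative pattern standing in for pySafeURLAndActivity: any
# plaintext "pyActivity=" in the rule source is reported.
PLAINTEXT_ACTIVITY = re.compile(r"pyActivity\s*=")

ENCRYPT_CALL = "pzEncryptURLActionString"


def naive_check(lines):
    """Return the indices of lines containing a plaintext pyActivity= parameter."""
    return [i for i, line in enumerate(lines) if PLAINTEXT_ACTIVITY.search(line)]


def strip_encrypted_calls(line):
    """Replace the argument list of every pzEncryptURLActionString(...) call with (...).

    Parentheses inside double-quoted string literals are ignored so that an
    argument such as "pyActivity=Foo(bar)" does not unbalance the scan.
    """
    out = []
    i = 0
    while True:
        start = line.find(ENCRYPT_CALL + "(", i)
        if start == -1:
            out.append(line[i:])
            return "".join(out)
        open_paren = start + len(ENCRYPT_CALL)
        depth, in_string, j = 0, False, open_paren
        while j < len(line):
            ch = line[j]
            if ch == '"' and line[j - 1] != "\\":
                in_string = not in_string
            elif not in_string:
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        break
            j += 1
        out.append(line[i:open_paren] + "(...)")
        i = j + 1  # resume after the matching ')' (or past the end if unbalanced)


def tuned_check(lines):
    """Return only the indices where pyActivity= survives outside an encrypting call."""
    return [i for i, line in enumerate(lines)
            if PLAINTEXT_ACTIVITY.search(strip_encrypted_calls(line))]


if __name__ == "__main__":
    print("naive :", naive_check(SAMPLE_LINES))   # [0, 1, 2]
    print("tuned :", tuned_check(SAMPLE_LINES))   # [1, 2]
```

The first sample line corresponds to the statement from the question: the naive check reports it, the tuned check does not, because the only pyActivity= literal is an argument of the encrypting call. The third line is the reason to strip call arguments rather than to exempt the whole line whenever pzEncryptURLActionString appears: its trailing "&pyActivity=Work-.Open" is appended in plaintext and is still reported.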