
Analyzing security vulnerability search results

Updated on July 1, 2021

To make Pega Platform applications more secure, you can run the Rule Security Analyzer. This tool searches non-autogenerated rules for specific Java, JavaScript, or SQL coding patterns that match regular expression rules; some of these patterns indicate possible security vulnerabilities, as detailed below. A match is a finding to review, not a confirmed vulnerability: the expressions are pattern matches over source text and cannot follow data flow, so they produce both false positives and misses.

To use the analyzer, you must have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note:

  • The Rule Security Analyzer tool examines only custom code, not autogenerated rules.
  • Blocked rules are ignored. These rules are identified by the property .pyRuleAvailable = "Blocked".
  • The tool scans rules in your own applications, not rules in standard Pega Platform rulesets.

The Rule Security Analyzer tool finds potential security vulnerabilities in code by searching for matches to regular expressions that are defined in Rule Analyzer Regular Expression rules. The system provides the following standard regular expressions. You can supplement these standard regular expressions with regular expressions that you create.

Expression name and description:

pyCrossSiteScriptingActiveValue
  Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to tools.getActiveValue() should be wrapped in StringUtils.crossScriptingFilter() or converted to the appropriate non-string value. For example, the following expressions are allowed:
  • String x = StringUtils.crossScriptingFilter(tools.getActiveValue())
  • int y = Integer.parseInt(tools.getActiveValue())
  For more information, see Understanding cross-site scripting.

pyCrossSiteScriptingFromParam
  Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to tools.getParamValue() should be wrapped in StringUtils.crossScriptingFilter() or converted to the appropriate non-string value. For example, the following expressions are allowed:
  • String x = StringUtils.crossScriptingFilter(tools.getParamValue("x"))
  • int y = Integer.parseInt(tools.getParamValue("y"))
  For more information, see Understanding cross-site scripting.

pyDatabase
  Older version of the pySQLInjection rule, which is described below. Finds direct calls to the database, for example executeRDB(), createRDBListSpec(), and RDBExecute().

pyLogStatements
  Flags rules that call oLog or System. Review these manually to ensure that no critical or confidential data is written to the logs.

pySQLInjection
  Finds patterns and APIs that might pass unfiltered user input into an SQL query. Direct SQL queries that could be maliciously modified at run time should not be allowed, for example executeRDB(), createRDBListSpec(), RDBExecute(), and executeDBSchemaUpdates(). Validate all user input and use parameterized queries with bind variables wherever possible.

pySystemCall
  Finds system calls, for example getRuntime() and ProcessBuilder. These calls are permitted but should be reviewed manually.

pyUnsafeURL
  Finds URLs and query parameters that are built without encoding, which can cause data to be misinterpreted as having a special meaning.

pyXMLExternalEntity
  Finds XML parsing with DocumentBuilderFactory or XMLInputFactory (among others) that is not protected against XML External Entity (XXE) attacks. For the complete list of validations this rule performs, see the OWASP Cheat Sheet Series on GitHub (XML_External_Entity_Prevention_Cheat_Sheet.md). For example, the following settings are considered safe on a factory obtained from DocumentBuilderFactory.newInstance():
  • setExpandEntityReferences(false)
  • setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
  • setFeature("http://xml.org/sax/features/external-general-entities", false)
  Disallowing the DOCTYPE declaration is the most complete of these, because it rejects every entity declaration; the other two settings each close only part of the attack surface, so prefer disallow-doctype-decl unless the input legitimately requires a DTD.
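As an added illustration (not Pega's own code, and not the regular expressions that ship with Pega Platform), the following Python script models how regex rules of the kind listed above classify custom Java code. Each line-level rule has a trigger pattern and, for the two cross-site scripting rules, a pattern for the wrapper that must directly precede the call (the encoding filter or a conversion to a non-string value); the XXE check runs over the whole rule body, because the protective feature settings appear on different lines from the factory call. The patterns, the list of acceptable wrappers, and the sample Java are assumptions constructed for this example.

```python
"""Toy model of regex-based rule analysis, in the spirit of the Rule Security Analyzer.

All patterns below are approximations written for this example; they are not the
Rule Analyzer Regular Expression rules that ship with Pega Platform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the (approximated) analyzer rule that fired
    line_no: int   # 1-based line within the scanned rule body
    line: str      # offending source line, stripped


@dataclass(frozen=True)
class Rule:
    name: str
    trigger: re.Pattern                   # marks a suspect call
    allowed_before: Optional[re.Pattern]  # wrapper directly preceding the call that makes it acceptable


# Wrappers the page lists as acceptable: the encoding filter, or a conversion to a
# non-string value. Assumption: these few numeric/boolean parsers are enough.
_SAFE_WRAPPERS = re.compile(
    r"(?:(?:StringUtils\.)?crossScriptingFilter|Integer\.parseInt|Long\.parseLong"
    r"|Double\.parseDouble|Boolean\.parseBoolean)\(\s*$"
)

RULES = [
    Rule("pyCrossSiteScriptingActiveValue", re.compile(r"tools\.getActiveValue\(\)"), _SAFE_WRAPPERS),
    Rule("pyCrossSiteScriptingFromParam", re.compile(r"tools\.getParamValue\("), _SAFE_WRAPPERS),
    Rule("pySQLInjection",
         re.compile(r"\b(?:executeRDB|createRDBListSpec|RDBExecute|executeDBSchemaUpdates)\s*\("), None),
    Rule("pySystemCall", re.compile(r"\b(?:Runtime\.getRuntime\s*\(|new\s+ProcessBuilder\b)"), None),
    Rule("pyLogStatements", re.compile(r"\b(?:oLog\.\w+\s*\(|System\.(?:out|err)\.print)"), None),
]

# pyXMLExternalEntity is a whole-body check: creating a parser factory is only a
# problem when none of the recognized protections appears in the same rule body.
_XML_FACTORY = re.compile(r"\b(?:DocumentBuilderFactory|XMLInputFactory|SAXParserFactory)\.newInstance\s*\(")
_XXE_PROTECTIONS = [
    re.compile(r'disallow-doctype-decl"\s*,\s*true'),
    re.compile(r'external-general-entities"\s*,\s*false'),
    re.compile(r"setExpandEntityReferences\s*\(\s*false\s*\)"),
    re.compile(r"XMLInputFactory\.SUPPORT_DTD\s*,\s*false"),
]


def check_xxe(source: str) -> list[Finding]:
    """Report every parser-factory creation unless a protection is set somewhere in the body."""
    if any(p.search(source) for p in _XXE_PROTECTIONS):
        return []
    return [Finding("pyXMLExternalEntity", n, line.strip())
            for n, line in enumerate(source.splitlines(), 1) if _XML_FACTORY.search(line)]


def scan(source: str) -> list[Finding]:
    """Run every line-level rule, then the XXE check, over one rule body."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        for rule in RULES:
            for m in rule.trigger.finditer(line):
                # A call wrapped directly by an acceptable function is not reported.
                if rule.allowed_before and rule.allowed_before.search(line[:m.start()]):
                    continue
                findings.append(Finding(rule.name, n, line.strip()))
                break  # one finding per rule per line
    return findings + check_xxe(source)


# Constructed sample of a custom Java step (not taken from any real application).
SAMPLE_JAVA = """\
String safeA = StringUtils.crossScriptingFilter(tools.getActiveValue());
int safeB = Integer.parseInt(tools.getParamValue("count"));
String html = "<td>" + tools.getActiveValue() + "</td>";
String name = tools.getParamValue("name");
String sql = "select pyID from pc_work where pyLabel = '" + name + "'";
tools.getDatabase().executeRDB(sql, "Results");
Process p = Runtime.getRuntime().exec(cmd);
oLog.info("processing " + name);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
Document doc = dbf.newDocumentBuilder().parse(input);
"""

# Same factory, with the DOCTYPE-disallowing feature the page lists as safe.
HARDENED_XML_JAVA = """\
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setExpandEntityReferences(false);
"""

# The output is filtered, but the regex only recognizes a wrapper that directly
# encloses the call, so this line is still reported and needs manual review.
INDIRECT_WRAP_JAVA = 'String x = StringUtils.crossScriptingFilter("Hello " + tools.getActiveValue());\n'

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"{f.rule:32} line {f.line_no}: {f.line}")
```

Running the script reports the unencoded getActiveValue() on line 3, the bare getParamValue() on line 4 (which then flows into the string-built query on line 6, itself reported by the SQL rule), the Runtime call, the log statement, and the unprotected DocumentBuilderFactory; the two wrapped calls on lines 1 and 2 and the hardened factory are not reported. The INDIRECT_WRAP_JAVA case shows the limit of text patterns: the output is filtered, yet the rule fires, which is why analyzer findings are a review list rather than a verdict.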

The following regular expressions are also provided and can be used with the analyzer, although they are not specifically related to security.

Expression name and description:

pyCustomJS
  Finds rules that attempt to obtain node information and other information that might interfere with an upgrade. For example, rules cannot contain expressions such as CHILDNODES, PARENTNODE, FIRSTCHILD, LASTCHILD, NEXTSIBLING, PREVIOUSSIBLING, and so forth.

pyGetThreadInRules
  Finds references to getThread().

pyNbspInDSDefaultCaption
  Finds DynamicSelect controls whose default caption includes a non-breaking space (&nbsp;).

pyNbspInSections
  Finds controls whose value contains a non-breaking space (&nbsp;).

pyUnsafeURL
  Finds dynamic generation of URLs that does not use the encoding API (also listed with the security-related expressions above).