Merge pull request #3945 from porcupineyhairs/structsDevMode

Java: Add query to detect Apache Struts enabled Devmode

java/ql/src/experimental/Security/CWE/CWE-489/StrutsBad.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="true" />
+    <constant name="struts.i18n.encoding" value="utf-8" />
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/StrutsGood.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="false" />
+    <constant name="struts.i18n.encoding" value="utf-8"></constant>
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/devMode.qhelp

@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Turning Apache Struts' development mode configuration on while deploying applications to production environments can lead to remote code execution.</p>
+
+</overview>
+<recommendation>
+
+<p>An application should disable the development mode at the time of deployment.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows a `struts.xml` file with `struts.devmode` enabled.</p>
+
+<sample src="StrutsBad.xml" />
+
+<p>This can be easily corrected by setting the value of the `struts.devmode` parameter to false.</p>
+
+<sample src="StrutsGood.xml" />
+
+</example>
+<references>
+
+<li>
+  Apache Struts:
+  <a href="https://struts.apache.org/core-developers/development-mode.html">Struts development mode configuration</a>
+</li>
+
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Apache Struts development mode enabled
+ * @description Enabling struts development mode in production environment
+ *  can lead to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/struts-development-mode
+ * @tags security
+ *       external/cwe/cwe-489
+ */
+
+import java
+import experimental.semmle.code.xml.StrutsXML
+
+bindingset[path]
+predicate isLikelyDemoProject(string path) { path.regexpMatch("(?i).*(demo|test|example).*") }
+
+from ConstantParameter c
+where
+  c.getNameValue() = "struts.devMode" and
+  c.getValueValue() = "true" and
+  not isLikelyDemoProject(c.getFile().getRelativePath())
+select c, "Enabling development mode in production environments is dangerous"

java/ql/src/experimental/semmle/code/xml/StrutsXML.qll

@@ -0,0 +1,40 @@
+import java
+
+/**
+ * A deployment descriptor file, typically called `struts.xml`.
+ */
+class StrutsXMLFile extends XMLFile {
+  StrutsXMLFile() {
+    count(XMLElement e | e = this.getAChild()) = 1 and
+    this.getAChild().getName() = "struts"
+  }
+}
+
+/**
+ * An XML element in a `StrutsXMLFile`.
+ */
+class StrutsXMLElement extends XMLElement {
+  StrutsXMLElement() { this.getFile() instanceof StrutsXMLFile }
+
+  /**
+   * Gets the value for this element, with leading and trailing whitespace trimmed.
+   */
+  string getValue() { result = allCharactersString().trim() }
+}
+
+/**
+ * A `<constant>` element in a `StrutsXMLFile`.
+ */
+class ConstantParameter extends StrutsXMLElement {
+  ConstantParameter() { this.getName() = "constant" }
+
+  /**
+   * Gets the value of the `name` attribute of this `<constant>`.
+   */
+  string getNameValue() { result = getAttributeValue("name") }
+
+  /**
+   * Gets the value of the `value` attribute of this `<constant>`.
+   */
+  string getValueValue() { result = getAttributeValue("value") }
+}