Merge pull request #3294 from ggolawski/ognl-injection

CodeQL query to detect OGNL injections
Anders Schack-Mulligen
2020-06-30 09:46:02 +02:00
committed by GitHub
14 changed files with 397 additions and 0 deletions


@@ -0,0 +1,48 @@
edges
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree |
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree |
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:16:17:16:27 | (...)... : Object |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:17:5:17:8 | node |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:18:5:18:8 | node |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree |
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr |
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr |
nodes
| OgnlInjection.java:11:39:11:63 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:13:19:13:22 | tree | semmle.label | tree |
| OgnlInjection.java:14:19:14:22 | tree | semmle.label | tree |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | semmle.label | (...)... : Object |
| OgnlInjection.java:17:5:17:8 | node | semmle.label | node |
| OgnlInjection.java:18:5:18:8 | node | semmle.label | node |
| OgnlInjection.java:21:41:21:65 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:23:19:23:22 | tree | semmle.label | tree |
| OgnlInjection.java:24:19:24:22 | tree | semmle.label | tree |
| OgnlInjection.java:26:5:26:8 | tree | semmle.label | tree |
| OgnlInjection.java:27:5:27:8 | tree | semmle.label | tree |
| OgnlInjection.java:30:40:30:64 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:31:19:31:22 | expr | semmle.label | expr |
| OgnlInjection.java:32:19:32:22 | expr | semmle.label | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
| OgnlInjection.java:39:31:39:34 | expr | semmle.label | expr |
#select
| OgnlInjection.java:13:19:13:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:14:19:14:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:17:5:17:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:17:5:17:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:18:5:18:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:18:5:18:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:23:19:23:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:24:19:24:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:26:5:26:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:27:5:27:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:31:19:31:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
| OgnlInjection.java:32:19:32:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
| OgnlInjection.java:39:31:39:34 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |


@@ -0,0 +1,41 @@
import ognl.Node;
import ognl.Ognl;
import java.util.HashMap;
import com.opensymphony.xwork2.ognl.OgnlUtil;
import org.springframework.web.bind.annotation.RequestParam;
public class OgnlInjection {
public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
Object tree = Ognl.parseExpression(expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
Node node = (Node) tree;
node.getValue(null, new Object());
node.setValue(null, new Object(), new Object());
}
public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
Node tree = Ognl.compileExpression(null, new Object(), expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
tree.getValue(null, new Object());
tree.setValue(null, new Object(), new Object());
}
public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
Ognl.getValue(expr, new Object());
Ognl.setValue(expr, new Object(), new Object());
}
public void testStruts(@RequestParam String expr) throws Exception {
OgnlUtil ognl = new OgnlUtil();
ognl.getValue(expr, new HashMap<>(), new Object());
ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
}
}
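Review bot: Every method in this test class passes a `@RequestParam` value to an OGNL sink, so the expected output shows only that the query finds these flows and says nothing about false positives. Add a case whose expression is a compile-time constant, for example `public void testConstantExpression() throws Exception { Ognl.getValue("user.name", new Object()); }`, and check that it produces no row in the `#select` table. Whether the query models any sanitizer or validation step is not visible on this page; if it does, that path needs a test as well. A short class-level comment saying that each `test*` method is expected to be flagged once per evaluation call (`getValue`, `setValue`, `callMethod`) would make the expected file easier to maintain.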


@@ -0,0 +1 @@
experimental/Security/CWE/CWE-917/OgnlInjection.ql


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22


@@ -0,0 +1,3 @@
package ognl;
public interface JavaSource {}


@@ -0,0 +1,6 @@
package ognl;
public interface Node extends JavaSource {
public Object getValue(OgnlContext context, Object source) throws OgnlException;
public void setValue(OgnlContext context, Object target, Object value) throws OgnlException;
}


@@ -0,0 +1,26 @@
package ognl;
import java.util.*;
public abstract class Ognl {
public static Object parseExpression(String expression) throws OgnlException {
return new Object();
}
public static Object getValue(Object tree, Map context, Object root) throws OgnlException {
return new Object();
}
public static void setValue(Object tree, Object root, Object value) throws OgnlException {}
public static Node compileExpression(OgnlContext context, Object root, String expression)
throws Exception {
return null;
}
public static Object getValue(String expression, Object root) throws OgnlException {
return new Object();
}
public static void setValue(String expression, Object root, Object value) throws OgnlException {}
}
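Review bot: The stub declares a context-taking overload for `getValue(Object tree, Map context, Object root)` but only context-free overloads for `setValue`, so the test call `Ognl.setValue(tree, new HashMap<>(), new Object())` binds the map to `root`, not to a context. The real `ognl.Ognl` class also has context-taking setters, and those are the forms most application code uses, so the query's sink matching for them is untested here. Consider adding `public static void setValue(Object tree, Map context, Object root, Object value) throws OgnlException {}` and the matching `String expression` variant, with a four-argument call in the test. A one-line header comment saying the file is a hand-written stub of OGNL 3.2.14, limited to the members the test needs, would also help.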


@@ -0,0 +1,71 @@
package ognl;
import java.util.*;
public class OgnlContext extends Object implements Map {
@Override
public int size() {
return 0;
}
@Override
public boolean isEmpty() {
return false;
}
@Override
public boolean containsKey(Object key) {
return true;
}
@Override
public boolean containsValue(Object value) {
return true;
}
@Override
public Object get(Object key) {
return new Object();
}
@Override
public Object put(Object key, Object value) {
return new Object();
}
@Override
public Object remove(Object key) {
return new Object();
}
@Override
public void putAll(Map t) { }
@Override
public void clear() {}
@Override
public Set keySet() {
return new HashSet();
}
@Override
public Collection values() {
return new HashSet();
}
@Override
public Set entrySet() {
return new HashSet();
}
@Override
public boolean equals(Object o) {
return true;
}
@Override
public int hashCode() {
return 0;
}
}


@@ -0,0 +1,3 @@
package ognl;
public class OgnlException extends Exception {}


@@ -0,0 +1,16 @@
package com.opensymphony.xwork2.ognl;
import java.util.*;
import ognl.OgnlException;
public class OgnlUtil {
public Object getValue(final String name, final Map<String, Object> context, final Object root) throws OgnlException {
return new Object();
}
public void setValue(final String name, final Map<String, Object> context, final Object root, final Object value) throws OgnlException {}
public Object callMethod(final String name, final Map<String, Object> context, final Object root) throws OgnlException {
return new Object();
}
}