Merge remote-tracking branch 'upstream/main' into JsonHijacking
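--- /dev/null
+++ b/Jexl2Injection.java
@@ -0,0 +1,120 @@
+import org.apache.commons.jexl2.*;
+
+import java.io.StringWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.function.Consumer;
+
+public class Jexl2Injection {
+
+private static void runJexlExpression(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+Expression e = jexl.createExpression(jexlExpr);
+JexlContext jc = new MapContext();
+e.evaluate(jc);
+}
+
+private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+Expression e = jexl.createExpression(
+jexlExpr, new DebugInfo("unknown", 0, 0));
+JexlContext jc = new MapContext();
+e.evaluate(jc);
+}
+
+private static void runJexlScript(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+Script script = jexl.createScript(jexlExpr);
+JexlContext jc = new MapContext();
+script.execute(jc);
+}
+
+private static void runJexlScriptViaCallable(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+Script script = jexl.createScript(jexlExpr);
+JexlContext jc = new MapContext();
+
+try {
+script.callable(jc).call();
+} catch (Exception e) {
+throw new RuntimeException(e);
+}
+}
+
+private static void runJexlExpressionViaGetProperty(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+jexl.getProperty(new Object(), jexlExpr);
+}
+
+private static void runJexlExpressionViaSetProperty(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+jexl.setProperty(new Object(), jexlExpr, new Object());
+}
+
+private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
+}
+
+private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+unifiedJEXL.parse(jexlExpr).prepare(new MapContext());
+}
+
+private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) {
+JexlEngine jexl = new JexlEngine();
+UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+}
+
+private static void testWithSocket(Consumer<String> action) throws Exception {
+try (ServerSocket serverSocket = new ServerSocket(0)) {
+try (Socket socket = serverSocket.accept()) {
+byte[] bytes = new byte[1024];
+int n = socket.getInputStream().read(bytes);
+String jexlExpr = new String(bytes, 0, n);
+action.accept(jexlExpr);
+}
+}
+}
+
+// below are tests for the query
+
+public static void testWithJexlExpressionEvaluate() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpression);
+}
+
+public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionWithJexlInfo);
+}
+
+public static void testWithJexlScriptExecute() throws Exception {
+testWithSocket(Jexl2Injection::runJexlScript);
+}
+
+public static void testWithJexlScriptCallable() throws Exception {
+testWithSocket(Jexl2Injection::runJexlScriptViaCallable);
+}
+
+public static void testWithJexlEngineGetProperty() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionViaGetProperty);
+}
+
+public static void testWithJexlEngineSetProperty() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionViaSetProperty);
+}
+
+public static void testWithUnifiedJEXLParseAndEvaluate() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndEvaluate);
+}
+
+public static void testWithUnifiedJEXLParseAndPrepare() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLParseAndPrepare);
+}
+
+public static void testWithUnifiedJEXLTemplateEvaluate() throws Exception {
+testWithSocket(Jexl2Injection::runJexlExpressionViaUnifiedJEXLTemplateEvaluate);
+}
+}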
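Review bot: `int n = socket.getInputStream().read(bytes);` in testWithSocket is passed straight into `new String(bytes, 0, n)`, so a peer that connects and closes without sending makes `read` return -1 and the constructor throws `StringIndexOutOfBoundsException` before the expression ever reaches the sink; the same two lines are repeated in testWithSocket of Jexl3Injection.java in the next hunk. The bytes are also decoded with the platform default charset, where `new String(bytes, 0, n, StandardCharsets.UTF_8)` (plus `import java.nio.charset.StandardCharsets;`) would make the decoding explicit. A guard such as `if (n < 0) { return; }` before the conversion addresses the first point, with the caveat that inserting lines shifts every location recorded in the accompanying .expected file, which then has to be regenerated. Since this is test input for a taint-tracking query, the `getInputStream()` call must remain the flow source whichever form is chosen.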
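--- /dev/null
+++ b/Jexl3Injection.java
@@ -0,0 +1,196 @@
+import java.io.StringWriter;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.function.Consumer;
+
+import org.apache.commons.jexl3.*;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+
+@Controller
+public class Jexl3Injection {
+
+private static void runJexlExpression(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JexlExpression e = jexl.createExpression(jexlExpr);
+JexlContext jc = new MapContext();
+e.evaluate(jc);
+}
+
+private static void runJexlExpressionWithJexlInfo(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr);
+JexlContext jc = new MapContext();
+e.evaluate(jc);
+}
+
+private static void runJexlScript(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JexlScript script = jexl.createScript(jexlExpr);
+JexlContext jc = new MapContext();
+script.execute(jc);
+}
+
+private static void runJexlScriptViaCallable(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JexlScript script = jexl.createScript(jexlExpr);
+JexlContext jc = new MapContext();
+
+try {
+script.callable(jc).call();
+} catch (Exception e) {
+throw new RuntimeException(e);
+}
+}
+
+private static void runJexlExpressionViaGetProperty(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+jexl.getProperty(new Object(), jexlExpr);
+}
+
+private static void runJexlExpressionViaSetProperty(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+jexl.setProperty(new Object(), jexlExpr, new Object());
+}
+
+private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JxltEngine jxlt = jexl.createJxltEngine();
+jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+}
+
+private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JxltEngine jxlt = jexl.createJxltEngine();
+jxlt.createExpression(jexlExpr).prepare(new MapContext());
+}
+
+private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JxltEngine jxlt = jexl.createJxltEngine();
+jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter());
+}
+
+private static void runJexlExpressionViaCallable(String jexlExpr) {
+JexlEngine jexl = new JexlBuilder().create();
+JexlExpression e = jexl.createExpression(jexlExpr);
+JexlContext jc = new MapContext();
+
+try {
+e.callable(jc).call();
+} catch (Exception ex) {
+throw new RuntimeException(ex);
+}
+}
+
+private static void testWithSocket(Consumer<String> action) throws Exception {
+try (ServerSocket serverSocket = new ServerSocket(0)) {
+try (Socket socket = serverSocket.accept()) {
+byte[] bytes = new byte[1024];
+int n = socket.getInputStream().read(bytes);
+String jexlExpr = new String(bytes, 0, n);
+action.accept(jexlExpr);
+}
+}
+}
+
+// below are tests for the query
+
+public static void testWithJexlExpressionEvaluate() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpression);
+}
+
+public static void testWithJexlExpressionEvaluateWithInfo() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionWithJexlInfo);
+}
+
+public static void testWithJexlScriptExecute() throws Exception {
+testWithSocket(Jexl3Injection::runJexlScript);
+}
+
+public static void testWithJexlScriptCallable() throws Exception {
+testWithSocket(Jexl3Injection::runJexlScriptViaCallable);
+}
+
+public static void testWithJexlEngineGetProperty() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaGetProperty);
+}
+
+public static void testWithJexlEngineSetProperty() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaSetProperty);
+}
+
+public static void testWithJxltEngineExpressionEvaluate() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionEvaluate);
+}
+
+public static void testWithJxltEngineExpressionPrepare() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineExpressionPrepare);
+}
+
+public static void testWithJxltEngineTemplateEvaluate() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaJxltEngineTemplateEvaluate);
+}
+
+public static void testWithJexlExpressionCallable() throws Exception {
+testWithSocket(Jexl3Injection::runJexlExpressionViaCallable);
+}
+
+@PostMapping("/request")
+public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(
+@PathVariable String expr) {
+
+runJexlExpression(expr);
+return ResponseEntity.ok(HttpStatus.OK);
+}
+
+@PostMapping("/request")
+public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(
+@RequestBody Data data) {
+
+String expr = data.getExpr();
+runJexlExpression(expr);
+
+return ResponseEntity.ok(HttpStatus.OK);
+}
+
+@PostMapping("/request")
+public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects(
+@RequestBody CustomRequest customRequest) {
+
+String expr = customRequest.getData().getExpr();
+runJexlExpression(expr);
+
+return ResponseEntity.ok(HttpStatus.OK);
+}
+
+public static class CustomRequest {
+
+private Data data;
+
+CustomRequest(Data data) {
+this.data = data;
+}
+
+public Data getData() {
+return data;
+}
+}
+
+public static class Data {
+
+private String expr;
+
+Data(String expr) {
+this.expr = expr;
+}
+
+public String getExpr() {
+return expr;
+}
+}
+}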
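Review bot: The three controller methods annotated `@PostMapping("/request")` all map the identical path, and the first one binds `@PathVariable String expr` although `/request` declares no `{expr}` template variable, so that parameter could never be populated at runtime; for a static-analysis test that only needs a tainted parameter this is harmless, but a distinct template per method (for instance `@PostMapping("/request/{expr}")` on the path-variable case, constructed example) would make the cases read as realistic endpoints. `ResponseEntity` is used as a raw type on all three signatures; `ResponseEntity<HttpStatus>` matches the `ResponseEntity.ok(HttpStatus.OK)` bodies. The file also contains only positive cases: every engine is created with a plain `new JexlBuilder().create()` and no method shows a usage the query should not flag (a constant expression, or an engine built with a sandbox), so the false-positive side of the query is not exercised by the accompanying .expected file. The class body is complete within this hunk.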
@@ -0,0 +1,195 @@
|
||||
edges
|
||||
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
|
||||
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
|
||||
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
|
||||
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:18 | script |
|
||||
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
|
||||
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
|
||||
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
|
||||
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | Jexl2Injection.java:63:9:63:35 | parse(...) |
|
||||
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | Jexl2Injection.java:69:9:69:44 | createTemplate(...) |
|
||||
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:78:31:78:38 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:10:43:10:57 | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | Jexl2Injection.java:86:24:86:56 | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:17:55:17:69 | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | Jexl2Injection.java:90:24:90:68 | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:25:39:25:53 | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | Jexl2Injection.java:94:24:94:52 | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:32:50:32:64 | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | Jexl2Injection.java:98:24:98:63 | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:44:57:44:71 | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | Jexl2Injection.java:102:24:102:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:49:57:49:71 | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | Jexl2Injection.java:106:24:106:70 | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:54:73:54:87 | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | Jexl2Injection.java:110:24:110:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:60:72:60:86 | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | Jexl2Injection.java:114:24:114:85 | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:66:73:66:87 | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | Jexl2Injection.java:118:24:118:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | Jexl3Injection.java:21:9:21:9 | e |
|
||||
| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | Jexl3Injection.java:28:9:28:9 | e |
|
||||
| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | Jexl3Injection.java:35:9:35:14 | script |
|
||||
| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | Jexl3Injection.java:44:13:44:18 | script |
|
||||
| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | Jexl3Injection.java:52:40:52:47 | jexlExpr |
|
||||
| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | Jexl3Injection.java:57:40:57:47 | jexlExpr |
|
||||
| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | Jexl3Injection.java:63:9:63:39 | createExpression(...) |
|
||||
| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | Jexl3Injection.java:69:9:69:39 | createExpression(...) |
|
||||
| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | Jexl3Injection.java:75:9:75:37 | createTemplate(...) |
|
||||
| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | Jexl3Injection.java:84:13:84:13 | e |
|
||||
| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:96:31:96:38 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
|
||||
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
|
||||
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | Jexl3Injection.java:104:24:104:56 | jexlExpr : String |
|
||||
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:24:55:24:69 | jexlExpr : String |
|
||||
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | Jexl3Injection.java:108:24:108:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:31:39:31:53 | jexlExpr : String |
|
||||
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | Jexl3Injection.java:112:24:112:52 | jexlExpr : String |
|
||||
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:38:50:38:64 | jexlExpr : String |
|
||||
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | Jexl3Injection.java:116:24:116:63 | jexlExpr : String |
|
||||
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:50:57:50:71 | jexlExpr : String |
|
||||
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | Jexl3Injection.java:120:24:120:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:55:57:55:71 | jexlExpr : String |
|
||||
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | Jexl3Injection.java:124:24:124:70 | jexlExpr : String |
|
||||
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:60:74:60:88 | jexlExpr : String |
|
||||
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | Jexl3Injection.java:128:24:128:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:66:73:66:87 | jexlExpr : String |
|
||||
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | Jexl3Injection.java:132:24:132:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:72:72:72:86 | jexlExpr : String |
|
||||
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | Jexl3Injection.java:136:24:136:85 | jexlExpr : String |
|
||||
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:78:54:78:68 | jexlExpr : String |
|
||||
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | Jexl3Injection.java:140:24:140:67 | jexlExpr : String |
|
||||
| Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:147:27:147:30 | expr : String |
|
||||
| Jexl3Injection.java:147:27:147:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
|
||||
| Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:156:27:156:30 | expr : String |
|
||||
| Jexl3Injection.java:156:27:156:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
|
||||
| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:166:27:166:30 | expr : String |
|
||||
| Jexl3Injection.java:166:27:166:30 | expr : String | Jexl3Injection.java:17:43:17:57 | jexlExpr : String |
|
||||
nodes
|
||||
| Jexl2Injection.java:10:43:10:57 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:14:9:14:9 | e | semmle.label | e |
|
||||
| Jexl2Injection.java:17:55:17:69 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:22:9:22:9 | e | semmle.label | e |
|
||||
| Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
|
||||
| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:38:13:38:18 | script | semmle.label | script |
|
||||
| Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:51:40:51:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl2Injection.java:54:73:54:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:57:9:57:35 | parse(...) | semmle.label | parse(...) |
|
||||
| Jexl2Injection.java:60:72:60:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:63:9:63:35 | parse(...) | semmle.label | parse(...) |
|
||||
| Jexl2Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | semmle.label | createTemplate(...) |
|
||||
| Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| Jexl2Injection.java:78:31:78:38 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:86:24:86:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:90:24:90:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:94:24:94:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:98:24:98:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:102:24:102:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:106:24:106:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:110:24:110:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:114:24:114:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl2Injection.java:118:24:118:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:17:43:17:57 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | semmle.label | e |
|
||||
| Jexl3Injection.java:24:55:24:69 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:28:9:28:9 | e | semmle.label | e |
|
||||
| Jexl3Injection.java:31:39:31:53 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:35:9:35:14 | script | semmle.label | script |
|
||||
| Jexl3Injection.java:38:50:38:64 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:44:13:44:18 | script | semmle.label | script |
|
||||
| Jexl3Injection.java:50:57:50:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:52:40:52:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl3Injection.java:55:57:55:71 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:57:40:57:47 | jexlExpr | semmle.label | jexlExpr |
|
||||
| Jexl3Injection.java:60:74:60:88 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:63:9:63:39 | createExpression(...) | semmle.label | createExpression(...) |
|
||||
| Jexl3Injection.java:66:73:66:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:69:9:69:39 | createExpression(...) | semmle.label | createExpression(...) |
|
||||
| Jexl3Injection.java:72:72:72:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | semmle.label | createTemplate(...) |
|
||||
| Jexl3Injection.java:78:54:78:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:84:13:84:13 | e | semmle.label | e |
|
||||
| Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| Jexl3Injection.java:96:31:96:38 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:104:24:104:56 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:108:24:108:68 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:112:24:112:52 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:116:24:116:63 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:120:24:120:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:124:24:124:70 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:128:24:128:87 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:132:24:132:86 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:136:24:136:85 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:140:24:140:67 | jexlExpr : String | semmle.label | jexlExpr : String |
|
||||
| Jexl3Injection.java:145:13:145:37 | expr : String | semmle.label | expr : String |
|
||||
| Jexl3Injection.java:147:27:147:30 | expr : String | semmle.label | expr : String |
|
||||
| Jexl3Injection.java:153:13:153:34 | data : Data | semmle.label | data : Data |
|
||||
| Jexl3Injection.java:156:27:156:30 | expr : String | semmle.label | expr : String |
|
||||
| Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | semmle.label | customRequest : CustomRequest |
|
||||
| Jexl3Injection.java:166:27:166:30 | expr : String | semmle.label | expr : String |
|
||||
#select
|
||||
| Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:38:13:38:18 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:18 | script | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:63:9:63:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:63:9:63:35 | parse(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl2Injection.java:69:9:69:44 | createTemplate(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:69:9:69:44 | createTemplate(...) | JEXL injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:145:13:145:37 | expr : String | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:145:13:145:37 | expr | this user input |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:153:13:153:34 | data : Data | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:153:13:153:34 | data | this user input |
|
||||
| Jexl3Injection.java:21:9:21:9 | e | Jexl3Injection.java:163:13:163:52 | customRequest : CustomRequest | Jexl3Injection.java:21:9:21:9 | e | JEXL injection from $@. | Jexl3Injection.java:163:13:163:52 | customRequest | this user input |
|
||||
| Jexl3Injection.java:28:9:28:9 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:28:9:28:9 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:35:9:35:14 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:35:9:35:14 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:44:13:44:18 | script | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:44:13:44:18 | script | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:52:40:52:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:52:40:52:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:57:40:57:47 | jexlExpr | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:57:40:57:47 | jexlExpr | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:63:9:63:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:63:9:63:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:69:9:69:39 | createExpression(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:69:9:69:39 | createExpression(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:75:9:75:37 | createTemplate(...) | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:75:9:75:37 | createTemplate(...) | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
| Jexl3Injection.java:84:13:84:13 | e | Jexl3Injection.java:94:25:94:47 | getInputStream(...) : InputStream | Jexl3Injection.java:84:13:84:13 | e | JEXL injection from $@. | Jexl3Injection.java:94:25:94:47 | getInputStream(...) | this user input |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-094/JexlInjection.ql
|
||||
@@ -0,0 +1,47 @@
|
||||
import org.apache.commons.jexl2.*;
|
||||
import org.apache.commons.jexl2.introspection.*;
|
||||
|
||||
import java.net.ServerSocket;
|
||||
import java.net.Socket;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
public class SandboxedJexl2 {
|
||||
|
||||
private static void runJexlExpressionWithSandbox(String jexlExpr) {
|
||||
Sandbox sandbox = new Sandbox();
|
||||
sandbox.white(SandboxedJexl2.class.getCanonicalName());
|
||||
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
|
||||
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
|
||||
Expression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaSandboxedUnifiedJexl(String jexlExpr) {
|
||||
Sandbox sandbox = new Sandbox();
|
||||
sandbox.white(SandboxedJexl2.class.getCanonicalName());
|
||||
Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
|
||||
JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
|
||||
UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
|
||||
unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
|
||||
}
|
||||
|
||||
private static void simpleServer(Consumer<String> action) throws Exception {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
String jexlExpr = new String(bytes, 0, n);
|
||||
action.accept(jexlExpr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void saferJexlExpressionEvaluate() throws Exception {
|
||||
simpleServer(SandboxedJexl2::runJexlExpressionWithSandbox);
|
||||
}
|
||||
|
||||
public static void saferJexlExpressionEvaluateViaUnifiedJexl() throws Exception {
|
||||
simpleServer(SandboxedJexl2::runJexlExpressionViaSandboxedUnifiedJexl);
|
||||
}
|
||||
}
|
||||
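Review bot: `simpleServer` does not handle end-of-stream: `InputStream.read(byte[])` returns -1 when the peer closes without sending anything, and `new String(bytes, 0, n)` then throws `StringIndexOutOfBoundsException`; the same helper appears as `withSocket` in SandboxedJexl3 with the same gap. The decode also uses the platform default charset, so the bytes the sandboxed expression sees depend on the JVM's locale. A fixture may tolerate this, but a guard keeps the sink reachable only on real input: `if (n < 0) { return; }` before the decode, and `String jexlExpr = new String(bytes, 0, n, StandardCharsets.UTF_8);` (with `import java.nio.charset.StandardCharsets;`).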
@@ -0,0 +1,76 @@
|
||||
import java.net.ServerSocket;
|
||||
import java.net.Socket;
|
||||
import java.security.AccessControlException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.apache.commons.jexl3.*;
|
||||
import org.apache.commons.jexl3.introspection.*;
|
||||
|
||||
public class SandboxedJexl3 {
|
||||
|
||||
private static void runJexlExpressionWithSandbox(String jexlExpr) {
|
||||
JexlSandbox sandbox = new JexlSandbox(false);
|
||||
sandbox.white(SandboxedJexl3.class.getCanonicalName());
|
||||
JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
|
||||
JexlExpression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
|
||||
JexlUberspect sandbox = new JexlUberspectSandbox();
|
||||
JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
|
||||
JexlExpression e = jexl.createExpression(jexlExpr);
|
||||
JexlContext jc = new MapContext();
|
||||
e.evaluate(jc);
|
||||
}
|
||||
|
||||
private static JexlBuilder STATIC_JEXL_BUILDER;
|
||||
|
||||
static {
|
||||
JexlSandbox sandbox = new JexlSandbox(false);
|
||||
sandbox.white(SandboxedJexl3.class.getCanonicalName());
|
||||
STATIC_JEXL_BUILDER = new JexlBuilder().sandbox(sandbox);
|
||||
}
|
||||
|
||||
private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
|
||||
JexlEngine jexl = STATIC_JEXL_BUILDER.create();
|
||||
JxltEngine jxlt = jexl.createJxltEngine();
|
||||
jxlt.createExpression(jexlExpr).evaluate(new MapContext());
|
||||
}
|
||||
|
||||
private static class JexlUberspectSandbox implements JexlUberspect {
|
||||
|
||||
}
|
||||
|
||||
private static void withSocket(Consumer<String> action) throws Exception {
|
||||
try (ServerSocket serverSocket = new ServerSocket(0)) {
|
||||
try (Socket socket = serverSocket.accept()) {
|
||||
byte[] bytes = new byte[1024];
|
||||
int n = socket.getInputStream().read(bytes);
|
||||
String jexlExpr = new String(bytes, 0, n);
|
||||
action.accept(jexlExpr);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// below are examples of safer Jexl usage
|
||||
|
||||
// with JexlSandbox
|
||||
public static void saferJexlExpressionInSandbox() throws Exception {
|
||||
withSocket(SandboxedJexl3::runJexlExpressionWithSandbox);
|
||||
}
|
||||
|
||||
// with a custom sandbox implemented with JexlUberspect
|
||||
public static void saferJexlExpressionInUberspectSandbox() throws Exception {
|
||||
withSocket(SandboxedJexl3::runJexlExpressionWithUberspectSandbox);
|
||||
}
|
||||
|
||||
// with JexlSandbox and JxltEngine
|
||||
public static void saferJxltExpressionInSandbox() throws Exception {
|
||||
withSocket(SandboxedJexl3::runJexlExpressionViaJxltEngineWithSandbox);
|
||||
}
|
||||
}
|
||||
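Review bot: `STATIC_JEXL_BUILDER` is assigned exactly once, in the static initializer, yet is declared `private static JexlBuilder STATIC_JEXL_BUILDER;` — `private static final JexlBuilder STATIC_JEXL_BUILDER;` is what the constant-style name implies, and the existing static block already satisfies definite assignment for it. `JexlUberspectSandbox implements JexlUberspect` with an empty body presumably compiles only against the repository's jexl3 stubs, since the real interface declares abstract methods; a one-line comment such as `// Empty on purpose: the test only needs a JexlUberspect-typed sandbox (compiled against stubs)` would save the next reader the question. The `// below are examples of safer Jexl usage` marker sits after the helper methods, so the three `run…` methods above it that actually configure the sandboxes are not covered by it; moving the marker above `runJexlExpressionWithSandbox` would describe the file accurately.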
@@ -0,0 +1,32 @@
|
||||
edges
|
||||
| ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
|
||||
| ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
|
||||
| ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
|
||||
| ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
|
||||
| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:38:56:38:62 | ...[...] : String |
|
||||
| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:39:63:39:69 | ...[...] : String |
|
||||
| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:40:70:40:76 | ...[...] : String |
|
||||
| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:41:58:41:64 | ...[...] : String |
|
||||
| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
|
||||
| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
|
||||
| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
|
||||
| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
|
||||
nodes
|
||||
| ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
|
||||
| ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
|
||||
| ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
|
||||
| ScriptEngineTest.java:19:31:19:35 | input | semmle.label | input |
|
||||
| ScriptEngineTest.java:23:58:23:69 | input : String | semmle.label | input : String |
|
||||
| ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
|
||||
| ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
|
||||
| ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
|
||||
| ScriptEngineTest.java:37:26:37:38 | args : String[] | semmle.label | args : String[] |
|
||||
| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | semmle.label | ...[...] : String |
|
||||
| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | semmle.label | ...[...] : String |
|
||||
| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | semmle.label | ...[...] : String |
|
||||
| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | semmle.label | ...[...] : String |
|
||||
#select
|
||||
| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
|
||||
| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
|
||||
| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
|
||||
| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-094/ScriptEngine.ql
|
||||
58
java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
Executable file
@@ -0,0 +1,58 @@
|
||||
import jdk.nashorn.api.scripting.NashornScriptEngine;
|
||||
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
|
||||
import javax.script.*;
|
||||
|
||||
|
||||
public class ScriptEngineTest {
|
||||
|
||||
public void testWithScriptEngineReference(String input) throws ScriptException {
|
||||
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
|
||||
// Create with ScriptEngine reference
|
||||
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
|
||||
Object result = scriptEngine.eval(input);
|
||||
}
|
||||
|
||||
public void testNashornWithScriptEngineReference(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with ScriptEngine reference
|
||||
ScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
}
|
||||
|
||||
|
||||
public void testNashornWithNashornScriptEngineReference(String input) throws ScriptException {
|
||||
NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
|
||||
// Create Nashorn with NashornScriptEngine reference
|
||||
NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
}
|
||||
|
||||
public void testCustomScriptEngineReference(String input) throws ScriptException {
|
||||
MyCustomFactory factory = new MyCustomFactory();
|
||||
//Create with Custom Script Engine reference
|
||||
MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
|
||||
Object result = engine.eval(input);
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws ScriptException {
|
||||
new ScriptEngineTest().testWithScriptEngineReference(args[0]);
|
||||
new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
|
||||
new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
|
||||
new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
|
||||
}
|
||||
|
||||
private static class MyCustomScriptEngine extends AbstractScriptEngine {
|
||||
public Object eval(String var1) throws ScriptException {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private static class MyCustomFactory implements ScriptEngineFactory {
|
||||
public MyCustomFactory() {
|
||||
}
|
||||
|
||||
public ScriptEngine getScriptEngine() { return null; }
|
||||
|
||||
public ScriptEngine getScriptEngine(String... args) { return null; }
|
||||
}
|
||||
}
|
||||
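Review bot: `MyCustomScriptEngine extends AbstractScriptEngine` and `MyCustomFactory implements ScriptEngineFactory` each implement only one or two methods, so this file presumably compiles only against the repository's `jsr223-api`/`scriptengine` stubs rather than the real `javax.script` API, where both types declare further abstract methods; a short comment on each nested class stating that would help whoever next touches the stubs. `getScriptEngine(String... args)` is not part of `javax.script.ScriptEngineFactory`, so it is a plain overload here rather than an override — `@Override` on `eval` and on the no-arg `getScriptEngine()` would make which methods are contract methods explicit. The `Object result` locals on lines 12, 19, 27 and 34 are never read and the `(NashornScriptEngine)` cast on the `ScriptEngine engine` assignment is redundant; note that the expected-output columns point into these statements, so any cleanup must regenerate the `.expected` file.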
@@ -1 +1,2 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine
|
||||
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
| InsecureLdapEndpoint.java:19:9:19:92 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:50:9:50:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:68:9:68:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:84:9:84:94 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:102:9:102:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
@@ -0,0 +1,106 @@
|
||||
import java.util.Hashtable;
|
||||
import java.util.Properties;
|
||||
import javax.naming.Context;
|
||||
|
||||
public class InsecureLdapEndpoint {
|
||||
private static String PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
|
||||
|
||||
// BAD - Test configuration with disabled LDAPS endpoint check using `System.setProperty()`.
|
||||
public Hashtable<String, String> createConnectionEnv() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
// GOOD - Test configuration without disabling LDAPS endpoint check.
|
||||
public Hashtable<String, String> createConnectionEnv2() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
// BAD - Test configuration with disabled LDAPS endpoint check using `System.setProperties()`.
|
||||
public Hashtable<String, String> createConnectionEnv3() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
System.setProperties(properties);
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
// BAD - Test configuration with disabled LDAPS endpoint check using `HashTable.put()`.
|
||||
public Hashtable<String, String> createConnectionEnv4() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
|
||||
System.setProperties(properties);
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
// BAD - Test configuration with disabled LDAPS endpoint check using the `TRUE` boolean field.
|
||||
public Hashtable<String, String> createConnectionEnv5() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString());
|
||||
|
||||
return env;
|
||||
}
|
||||
|
||||
// BAD - Test configuration with disabled LDAPS endpoint check using a boolean value.
|
||||
public Hashtable<String, String> createConnectionEnv6() {
|
||||
Hashtable<String, String> env = new Hashtable<String, String>();
|
||||
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
|
||||
env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
|
||||
|
||||
env.put(Context.SECURITY_AUTHENTICATION, "simple");
|
||||
env.put(Context.SECURITY_PRINCIPAL, "username");
|
||||
env.put(Context.SECURITY_CREDENTIALS, "secpassword");
|
||||
|
||||
// Disable SSL endpoint check
|
||||
Properties properties = new Properties();
|
||||
properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", true);
|
||||
System.setProperties(properties);
|
||||
|
||||
return env;
|
||||
}
|
||||
}
|
||||
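Review bot: `PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION` is a mutable static despite its constant-style name; it is never reassigned, so `private static final String PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";` is the intended declaration. In `createConnectionEnv6`, `properties.put("...", true)` stores a `Boolean`, which `Properties.getProperty` does not return, so that call would not actually disable the JNDI endpoint check at runtime; if the case exists to verify that the query also recognises boolean values, a comment saying so would stop a later cleanup from "fixing" it. It is also worth a comment that `System.setProperties(properties)` (flagged at lines 50, 68 and 102 in the expected output) replaces the entire system property set rather than adding one key — a side effect well beyond what the `// Disable SSL endpoint check` comments describe.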
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
|
||||
@@ -0,0 +1,7 @@
|
||||
edges
|
||||
| UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url |
|
||||
nodes
|
||||
| UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | semmle.label | getHeader(...) : String |
|
||||
| UnvalidatedCors.java:27:67:27:69 | url | semmle.label | url |
|
||||
#select
|
||||
| UnvalidatedCors.java:27:67:27:69 | url | UnvalidatedCors.java:21:22:21:48 | getHeader(...) : String | UnvalidatedCors.java:27:67:27:69 | url | CORS header is being set using user controlled value $@. | UnvalidatedCors.java:21:22:21:48 | getHeader(...) | user-provided value |
|
||||
@@ -0,0 +1,37 @@
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.FilterConfig;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
|
||||
public class UnvalidatedCors implements Filter {
|
||||
public void init(FilterConfig filterConfig) throws ServletException {}
|
||||
|
||||
public void doFilter(ServletRequest req, ServletResponse res,
|
||||
FilterChain chain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
String url = request.getHeader("Origin");
|
||||
|
||||
if (!StringUtils.isEmpty(url)) {
|
||||
String val = response.getHeader("Access-Control-Allow-Origin");
|
||||
|
||||
if (StringUtils.isEmpty(val)) {
|
||||
response.addHeader("Access-Control-Allow-Origin", url);
|
||||
response.addHeader("Access-Control-Allow-Credentials", "true");
|
||||
}
|
||||
}
|
||||
|
||||
chain.doFilter(req, res);
|
||||
}
|
||||
|
||||
public void destroy() {}
|
||||
}
|
||||
|
||||
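Review bot: The fixture carries no BAD/GOOD marker, unlike the other test files in this commit, and nothing documents why it is flagged: `doFilter` copies the request `Origin` header straight into `Access-Control-Allow-Origin` and pairs it with `Access-Control-Allow-Credentials: true`, which is the reflected-origin pattern the query reports. A comment above `doFilter` such as `// BAD - reflects the request Origin into Access-Control-Allow-Origin without checking it against an allow-list, while also allowing credentials` would make the expected result self-explanatory. `init`, `doFilter` and `destroy` implement `Filter` and should carry `@Override`.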
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7
|
||||
@@ -0,0 +1 @@
|
||||
| ServiceBean.java:55:24:55:27 | main | Java EE application has a main method. |
|
||||
@@ -0,0 +1,59 @@
|
||||
import javax.ejb.SessionBean;
|
||||
import javax.ejb.EJBException;
|
||||
import java.rmi.RemoteException;
|
||||
import javax.ejb.SessionContext;
|
||||
import javax.naming.Context;
|
||||
import javax.naming.InitialContext;
|
||||
|
||||
public class ServiceBean implements SessionBean {
|
||||
|
||||
protected SessionContext ctx;
|
||||
|
||||
private String _serviceName;
|
||||
|
||||
/**
|
||||
* Create the session bean (empty implementation)
|
||||
*/
|
||||
public void ejbCreate() throws javax.ejb.CreateException {
|
||||
System.out.println("ServiceBean:ejbCreate()");
|
||||
}
|
||||
|
||||
public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
|
||||
}
|
||||
|
||||
public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
|
||||
}
|
||||
|
||||
public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
|
||||
}
|
||||
|
||||
public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
|
||||
}
|
||||
|
||||
/**
|
||||
* Get service name
|
||||
* @return service name
|
||||
*/
|
||||
public String getServiceName() {
|
||||
return _serviceName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set service name
|
||||
* @param serviceName the service name
|
||||
*/
|
||||
public void setServiceName(String serviceName) {
|
||||
_serviceName = serviceName;
|
||||
}
|
||||
|
||||
/** Do service (no implementation) */
|
||||
public String doService() {
|
||||
return null;
|
||||
}
|
||||
|
||||
/** Local unit testing code */
|
||||
public static void main(String[] args) throws Exception {
|
||||
ServiceBean b = new ServiceBean();
|
||||
b.doService();
|
||||
}
|
||||
}
|
||||
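Review bot: The `throws` clauses on `ejbActivate`, `ejbPassivate`, `ejbRemove` and `setSessionContext` spell out `javax.ejb.EJBException` and `java.rmi.RemoteException` although both types are already imported at the top of the file, so `throws EJBException, RemoteException` would suffice; `ejbCreate` conversely uses `javax.ejb.CreateException` with no import. `Context` and `InitialContext` are imported but never used, and the `ctx` field is never read. The `/** Local unit testing code */` Javadoc on `main` could state that this method is the finding the query reports (a `main` in a Java EE bean), mirroring the `// BAD` markers used in the other fixtures.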
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-489/EJBMain.ql
|
||||
@@ -0,0 +1,25 @@
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
import java.net.URL;
|
||||
|
||||
public class ServletContextListenerMain implements ServletContextListener {
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
System.out.println("listener starts to work!");
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) {
|
||||
System.out.println("listener stopped!");
|
||||
}
|
||||
|
||||
// BAD - Implement a main method in servlet listener.
|
||||
public static void main(String[] args) {
|
||||
try {
|
||||
URL url = new URL("https://www.example.com");
|
||||
url.openConnection();
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
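Review bot: `main` discards the value of `url.openConnection()`; `URL.openConnection()` only constructs a `URLConnection` and makes no network connection until `connect()` or a read is called, so the method does less than it appears to. The same call appears in ServletMain's `main`, where the comment `// Connect to my server` overstates it — `// Obtain a URLConnection; nothing is sent until connect() is called` would be accurate. The `catch (Exception e) { e.printStackTrace(); }` here is a broad catch; for a fixture that is tolerable, but `catch (IOException e)` covers both the `MalformedURLException` from the `URL` constructor and the `IOException` from `openConnection()` and is more precise.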
@@ -0,0 +1,2 @@
|
||||
| ServletContextListenerMain.java:17:21:17:24 | main | Web application has a main method. |
|
||||
| ServletMain.java:28:21:28:24 | main | Web application has a main method. |
|
||||
@@ -0,0 +1,33 @@
|
||||
import javax.servlet.Servlet;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletConfig;
|
||||
import java.io.IOException;
|
||||
import java.net.URL;
|
||||
|
||||
public class ServletMain implements Servlet {
|
||||
public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
|
||||
}
|
||||
|
||||
public void init(ServletConfig servletConfig) throws ServletException {
|
||||
}
|
||||
|
||||
public ServletConfig getServletConfig() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public String getServletInfo() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public void destroy() {
|
||||
}
|
||||
|
||||
// BAD - Implement a main method in servlet.
|
||||
public static void main(String[] args) throws Exception {
|
||||
// Connect to my server
|
||||
URL url = new URL("https://www.example.com");
|
||||
url.openConnection();
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-489/WebComponentMain.ql
|
||||
@@ -0,0 +1 @@
|
||||
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/ejb-3.2
|
||||
@@ -0,0 +1,43 @@
|
||||
edges
|
||||
| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe |
|
||||
| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query |
|
||||
| XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe |
|
||||
| XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query |
|
||||
| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe |
|
||||
| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name |
|
||||
| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe |
|
||||
| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br |
|
||||
| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name |
|
||||
| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br |
|
||||
nodes
|
||||
| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| XQueryInjection.java:51:35:51:38 | xqpe | semmle.label | xqpe |
|
||||
| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| XQueryInjection.java:65:53:65:57 | query | semmle.label | query |
|
||||
| XQueryInjection.java:73:32:73:59 | nameStr : String | semmle.label | nameStr : String |
|
||||
| XQueryInjection.java:79:35:79:38 | xqpe | semmle.label | xqpe |
|
||||
| XQueryInjection.java:86:33:86:60 | nameStr : String | semmle.label | nameStr : String |
|
||||
| XQueryInjection.java:92:53:92:57 | query | semmle.label | query |
|
||||
| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XQueryInjection.java:104:35:104:38 | xqpe | semmle.label | xqpe |
|
||||
| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XQueryInjection.java:116:53:116:56 | name | semmle.label | name |
|
||||
| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XQueryInjection.java:129:35:129:38 | xqpe | semmle.label | xqpe |
|
||||
| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XQueryInjection.java:142:53:142:54 | br | semmle.label | br |
|
||||
| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
|
||||
| XQueryInjection.java:155:29:155:32 | name | semmle.label | name |
|
||||
| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
|
||||
| XQueryInjection.java:159:29:159:30 | br | semmle.label | br |
|
||||
#select
|
||||
| XQueryInjection.java:51:35:51:38 | xqpe | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:45:23:45:50 | getParameter(...) | this user input |
|
||||
| XQueryInjection.java:65:53:65:57 | query | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | XQuery query might include code from $@. | XQueryInjection.java:59:23:59:50 | getParameter(...) | this user input |
|
||||
| XQueryInjection.java:79:35:79:38 | xqpe | XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:73:32:73:59 | nameStr | this user input |
|
||||
| XQueryInjection.java:92:53:92:57 | query | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query | XQuery query might include code from $@. | XQueryInjection.java:86:33:86:60 | nameStr | this user input |
|
||||
| XQueryInjection.java:104:35:104:38 | xqpe | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:100:28:100:51 | getInputStream(...) | this user input |
|
||||
| XQueryInjection.java:116:53:116:56 | name | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | XQuery query might include code from $@. | XQueryInjection.java:112:28:112:51 | getInputStream(...) | this user input |
|
||||
| XQueryInjection.java:129:35:129:38 | xqpe | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:124:28:124:51 | getInputStream(...) | this user input |
|
||||
| XQueryInjection.java:142:53:142:54 | br | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br | XQuery query might include code from $@. | XQueryInjection.java:137:28:137:51 | getInputStream(...) | this user input |
|
||||
| XQueryInjection.java:155:29:155:32 | name | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | XQuery query might include code from $@. | XQueryInjection.java:150:23:150:50 | getParameter(...) | this user input |
|
||||
| XQueryInjection.java:159:29:159:30 | br | XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br | XQuery query might include code from $@. | XQueryInjection.java:157:26:157:49 | getInputStream(...) | this user input |
|
||||
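--- a/XQueryInjection.java
+++ b/XQueryInjection.java
@@ -0,0 +1,195 @@
+package com.vuln.v2.controller;
+
+import java.io.BufferedReader;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.namespace.QName;
+import javax.xml.xquery.XQConnection;
+import javax.xml.xquery.XQDataSource;
+import javax.xml.xquery.XQException;
+import javax.xml.xquery.XQExpression;
+import javax.xml.xquery.XQItemType;
+import javax.xml.xquery.XQPreparedExpression;
+import javax.xml.xquery.XQResultSequence;
+import net.sf.saxon.xqj.SaxonXQDataSource;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@Controller
+public class XQueryInjection {
+
+    public static void main(String[] args) throws Exception {
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn;
+        try {
+            String name = "admin";
+            String query = "declare variable $name as xs:string external;"
+                    + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+            conn = xqds.getConnection();
+            XQExpression expr = conn.createExpression();
+            expr.bindString(new QName("name"), name,
+                    conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+            XQResultSequence result = expr.executeQuery(query);
+            while (result.next()) {
+                System.out.println(result.getItemAsString(null));
+            }
+        } catch (XQException e) {
+            e.printStackTrace();
+        }
+    }
+
+    @RequestMapping
+    public void testRequestbad(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+                + "'] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testRequestbad1(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        XQDataSource xqds = new SaxonXQDataSource();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name
+                + "'] return $user/password";
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        XQResultSequence result = expr.executeQuery(query);
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+
+    @RequestMapping
+    public void testStringtbad(@RequestParam String nameStr) throws XQException {
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+                + "'] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testStringtbad1(@RequestParam String nameStr) throws XQException {
+        XQDataSource xqds = new SaxonXQDataSource();
+        String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr
+                + "'] return $user/password";
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        XQResultSequence result = expr.executeQuery(query);
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testInputStreambad(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        XQPreparedExpression xqpe = conn.prepareExpression(name);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testInputStreambad1(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        XQResultSequence result = expr.executeQuery(name);
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testReaderbad(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(name));
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        XQPreparedExpression xqpe = conn.prepareExpression(br);
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testReaderbad1(HttpServletRequest request) throws Exception {
+        InputStream name = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(name));
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        XQResultSequence result = expr.executeQuery(br);
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void testExecuteCommandbad(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        //bad code
+        expr.executeCommand(name);
+        //bad code
+        InputStream is = request.getInputStream();
+        BufferedReader br = new BufferedReader(new InputStreamReader(is));
+        expr.executeCommand(br);
+        expr.close();
+    }
+
+    @RequestMapping
+    public void good(HttpServletRequest request) throws XQException {
+        String name = request.getParameter("name");
+        XQDataSource ds = new SaxonXQDataSource();
+        XQConnection conn = ds.getConnection();
+        String query = "declare variable $name as xs:string external;"
+                + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+        XQPreparedExpression xqpe = conn.prepareExpression(query);
+        xqpe.bindString(new QName("name"), name,
+                conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+        XQResultSequence result = xqpe.executeQuery();
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+
+    @RequestMapping
+    public void good1(HttpServletRequest request) throws XQException {
+        String name = request.getParameter("name");
+        String query = "declare variable $name as xs:string external;"
+                + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+        XQDataSource xqds = new SaxonXQDataSource();
+        XQConnection conn = xqds.getConnection();
+        XQExpression expr = conn.createExpression();
+        expr.bindString(new QName("name"), name,
+                conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+        XQResultSequence result = expr.executeQuery(query);
+        while (result.next()) {
+            System.out.println(result.getItemAsString(null));
+        }
+    }
+}
+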
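Review bot: The `good` and `good1` handlers, which are the patterns readers will copy as the safe form for this query, never close the `XQResultSequence`, the `XQPreparedExpression`/`XQExpression` or the `XQConnection` they open, and the same holds for every other handler in this file except `testExecuteCommandbad`, which closes only `expr`. The XQJ interfaces used here do not appear to be `AutoCloseable`, so try-with-resources is not available; the `while (result.next())` loop in each `good` method should instead sit inside a `try` whose `finally` runs `result.close(); xqpe.close(); conn.close();` (with `expr.close()` in `good1`), otherwise a copied example leaks one Saxon connection per request. Since these two methods are the query's positive examples, the binding step deserves a short comment, e.g. `// User input is bound as an external variable; it is never spliced into the query text.` above `xqpe.bindString(...)`. The three `new InputStreamReader(...)` calls also decode the request body with the platform default charset; `new InputStreamReader(name, StandardCharsets.UTF_8)` would make the fixture deterministic across environments, though that is a minor point for a test file.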
@@ -0,0 +1 @@
|
||||
experimental/Security/CWE/CWE-652/XQueryInjection.ql
|
||||
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/
|
||||