hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

CodeQL query to detect OGNL injections

Browse Source
This commit is contained in:
Grzegorz Golawski
2020-04-19 20:31:57 +02:00
parent 243dea706e
commit 457e2eaf59
17 changed files with 414 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
java/ql/test/experimental/query-tests/security/CWE-917/OgnlInjection.expected Normal file
View File

@@ -0,0 +1,48 @@
edges
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree |
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree |
| OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:16:17:16:27 | (...)... : Object |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:17:5:17:8 | node |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | OgnlInjection.java:18:5:18:8 | node |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree |
| OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree |
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr |
| OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr |
nodes
| OgnlInjection.java:11:39:11:63 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:13:19:13:22 | tree | semmle.label | tree |
| OgnlInjection.java:14:19:14:22 | tree | semmle.label | tree |
| OgnlInjection.java:16:17:16:27 | (...)... : Object | semmle.label | (...)... : Object |
| OgnlInjection.java:17:5:17:8 | node | semmle.label | node |
| OgnlInjection.java:18:5:18:8 | node | semmle.label | node |
| OgnlInjection.java:21:41:21:65 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:23:19:23:22 | tree | semmle.label | tree |
| OgnlInjection.java:24:19:24:22 | tree | semmle.label | tree |
| OgnlInjection.java:26:5:26:8 | tree | semmle.label | tree |
| OgnlInjection.java:27:5:27:8 | tree | semmle.label | tree |
| OgnlInjection.java:30:40:30:64 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:31:19:31:22 | expr | semmle.label | expr |
| OgnlInjection.java:32:19:32:22 | expr | semmle.label | expr |
| OgnlInjection.java:35:26:35:50 | expr : String | semmle.label | expr : String |
| OgnlInjection.java:37:19:37:22 | expr | semmle.label | expr |
| OgnlInjection.java:38:19:38:22 | expr | semmle.label | expr |
| OgnlInjection.java:39:31:39:34 | expr | semmle.label | expr |
#select
| OgnlInjection.java:13:19:13:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:13:19:13:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:14:19:14:22 | tree | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:14:19:14:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:17:5:17:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:17:5:17:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:18:5:18:8 | node | OgnlInjection.java:11:39:11:63 | expr : String | OgnlInjection.java:18:5:18:8 | node | OGNL expression might include input from $@. | OgnlInjection.java:11:39:11:63 | expr | this user input |
| OgnlInjection.java:23:19:23:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:23:19:23:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:24:19:24:22 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:24:19:24:22 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:26:5:26:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:26:5:26:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:27:5:27:8 | tree | OgnlInjection.java:21:41:21:65 | expr : String | OgnlInjection.java:27:5:27:8 | tree | OGNL expression might include input from $@. | OgnlInjection.java:21:41:21:65 | expr | this user input |
| OgnlInjection.java:31:19:31:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:31:19:31:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
| OgnlInjection.java:32:19:32:22 | expr | OgnlInjection.java:30:40:30:64 | expr : String | OgnlInjection.java:32:19:32:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:30:40:30:64 | expr | this user input |
| OgnlInjection.java:37:19:37:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:37:19:37:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
| OgnlInjection.java:38:19:38:22 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:38:19:38:22 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |
| OgnlInjection.java:39:31:39:34 | expr | OgnlInjection.java:35:26:35:50 | expr : String | OgnlInjection.java:39:31:39:34 | expr | OGNL expression might include input from $@. | OgnlInjection.java:35:26:35:50 | expr | this user input |

41
java/ql/test/experimental/query-tests/security/CWE-917/OgnlInjection.java Normal file
View File

@@ -0,0 +1,41 @@
import ognl.Node;
import ognl.Ognl;
import java.util.HashMap;
import com.opensymphony.xwork2.ognl.OgnlUtil;
import org.springframework.web.bind.annotation.RequestParam;
public class OgnlInjection {
public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
Object tree = Ognl.parseExpression(expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
Node node = (Node) tree;
node.getValue(null, new Object());
node.setValue(null, new Object(), new Object());
}
public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
Node tree = Ognl.compileExpression(null, new Object(), expr);
Ognl.getValue(tree, new HashMap<>(), new Object());
Ognl.setValue(tree, new HashMap<>(), new Object());
tree.getValue(null, new Object());
tree.setValue(null, new Object(), new Object());
}
public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
Ognl.getValue(expr, new Object());
Ognl.setValue(expr, new Object(), new Object());
}
public void testStruts(@RequestParam String expr) throws Exception {
OgnlUtil ognl = new OgnlUtil();
ognl.getValue(expr, new HashMap<>(), new Object());
ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
}
}

1
java/ql/test/experimental/query-tests/security/CWE-917/OgnlInjection.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-917/OgnlInjection.ql

1
java/ql/test/experimental/query-tests/security/CWE-917/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22