JPython code injection

2026-05-02 12:15:17 +02:00 · 2021-05-03 01:43:56 +00:00
parent b2c0259197
commit 4709e8139d
13 changed files with 750 additions and 1 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected
@@ -0,0 +1,11 @@
+edges
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code |
+nodes
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:30:28:30:31 | code | semmle.label | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:52:40:52:43 | code | semmle.label | code |
+#select
+| JPythonInjection.java:30:11:30:32 | exec(...) | JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code | JPython evaluate $@. | JPythonInjection.java:22:23:22:50 | getParameter(...) | user input |
+| JPythonInjection.java:52:23:52:44 | eval(...) | JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code | JPython evaluate $@. | JPythonInjection.java:47:21:47:48 | getParameter(...) | user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java
@@ -0,0 +1,64 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.python.core.PyObject;
+import org.python.core.PyException;
+import org.python.util.PythonInterpreter;
+
+public class JPythonInjection extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public JPythonInjection() {
+        super();
+    }
+
+    // BAD: allow arbitrary JPython expression to execute
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+          interpreter = new PythonInterpreter();
+          interpreter.setOut(out);
+          interpreter.setErr(out);
+          interpreter.exec(code);
+          out.flush();
+
+          response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+              interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    // BAD: allow arbitrary JPython expression to evaluate
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+      response.setContentType("text/plain");
+      String code = request.getParameter("code");
+      PythonInterpreter interpreter = null;
+
+      try {
+        interpreter = new PythonInterpreter();
+        PyObject py = interpreter.eval(code);
+
+        response.getWriter().print(py.toString());
+      } catch(PyException ex) {
+          response.getWriter().println(ex.getMessage());
+      } finally {
+          if (interpreter != null) {
+            interpreter.close();
+          }
+      }
+  }
+}
+
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JPythonInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jpython-2.7.2
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-094/JPythonInjection.ql`