Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection
Java: Promote MVEL injection query from experimental
@@ -1,67 +0,0 @@
|
||||
edges
|
||||
| MvelInjection.java:29:54:29:65 | read(...) : String | MvelInjection.java:30:28:30:37 | expression |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | MvelInjection.java:36:5:36:13 | statement |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | MvelInjection.java:37:5:37:13 | statement |
|
||||
| MvelInjection.java:41:58:41:69 | read(...) : String | MvelInjection.java:43:5:43:14 | expression |
|
||||
| MvelInjection.java:48:7:48:18 | read(...) : String | MvelInjection.java:49:5:49:14 | expression |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | MvelInjection.java:57:5:57:18 | compiledScript |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | MvelInjection.java:60:21:60:26 | script |
|
||||
| MvelInjection.java:65:58:65:69 | read(...) : String | MvelInjection.java:68:5:68:10 | script |
|
||||
| MvelInjection.java:77:40:77:51 | read(...) : String | MvelInjection.java:77:7:77:52 | compileTemplate(...) |
|
||||
| MvelInjection.java:81:54:81:65 | read(...) : String | MvelInjection.java:82:29:82:46 | compile(...) |
|
||||
| MvelInjection.java:86:58:86:69 | read(...) : String | MvelInjection.java:88:32:88:41 | expression |
|
||||
| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:94:15:94:16 | is : InputStream |
|
||||
| MvelInjection.java:94:15:94:16 | is : InputStream | MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] |
|
||||
| MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] | MvelInjection.java:95:14:95:36 | new String(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:25:15:25:26 | read(...) |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:29:54:29:65 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:34:58:34:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:41:58:41:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:48:7:48:18 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:53:20:53:31 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:65:58:65:69 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:72:26:72:37 | read(...) |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:77:40:77:51 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:81:54:81:65 | read(...) : String |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | MvelInjection.java:86:58:86:69 | read(...) : String |
|
||||
nodes
|
||||
| MvelInjection.java:25:15:25:26 | read(...) | semmle.label | read(...) |
|
||||
| MvelInjection.java:29:54:29:65 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:30:28:30:37 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:34:58:34:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:36:5:36:13 | statement | semmle.label | statement |
|
||||
| MvelInjection.java:37:5:37:13 | statement | semmle.label | statement |
|
||||
| MvelInjection.java:41:58:41:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:43:5:43:14 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:48:7:48:18 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:49:5:49:14 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:53:20:53:31 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:57:5:57:18 | compiledScript | semmle.label | compiledScript |
|
||||
| MvelInjection.java:60:21:60:26 | script | semmle.label | script |
|
||||
| MvelInjection.java:65:58:65:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:68:5:68:10 | script | semmle.label | script |
|
||||
| MvelInjection.java:72:26:72:37 | read(...) | semmle.label | read(...) |
|
||||
| MvelInjection.java:77:7:77:52 | compileTemplate(...) | semmle.label | compileTemplate(...) |
|
||||
| MvelInjection.java:77:40:77:51 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:81:54:81:65 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:82:29:82:46 | compile(...) | semmle.label | compile(...) |
|
||||
| MvelInjection.java:86:58:86:69 | read(...) : String | semmle.label | read(...) : String |
|
||||
| MvelInjection.java:88:32:88:41 | expression | semmle.label | expression |
|
||||
| MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
|
||||
| MvelInjection.java:94:15:94:16 | is : InputStream | semmle.label | is : InputStream |
|
||||
| MvelInjection.java:94:23:94:27 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
|
||||
| MvelInjection.java:95:14:95:36 | new String(...) : String | semmle.label | new String(...) : String |
|
||||
#select
|
||||
| MvelInjection.java:25:15:25:26 | read(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:25:15:25:26 | read(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:30:28:30:37 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:30:28:30:37 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:36:5:36:13 | statement | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:36:5:36:13 | statement | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:37:5:37:13 | statement | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:37:5:37:13 | statement | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:43:5:43:14 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:43:5:43:14 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:49:5:49:14 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:49:5:49:14 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:57:5:57:18 | compiledScript | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:57:5:57:18 | compiledScript | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:60:21:60:26 | script | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:60:21:60:26 | script | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:68:5:68:10 | script | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:68:5:68:10 | script | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:72:26:72:37 | read(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:72:26:72:37 | read(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:77:7:77:52 | compileTemplate(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:77:7:77:52 | compileTemplate(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:82:29:82:46 | compile(...) | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:82:29:82:46 | compile(...) | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
| MvelInjection.java:88:32:88:41 | expression | MvelInjection.java:92:27:92:49 | getInputStream(...) : InputStream | MvelInjection.java:88:32:88:41 | expression | MVEL injection from $@. | MvelInjection.java:92:27:92:49 | getInputStream(...) | this user input |
|
||||
@@ -1 +0,0 @@
|
||||
experimental/Security/CWE/CWE-094/MvelInjection.ql
|
||||
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
|
||||
|
||||
@@ -15,38 +15,37 @@ import org.mvel2.compiler.ExpressionCompiler;
|
||||
import org.mvel2.integration.impl.ImmutableDefaultFactory;
|
||||
import org.mvel2.jsr223.MvelCompiledScript;
|
||||
import org.mvel2.jsr223.MvelScriptEngine;
|
||||
import org.mvel2.templates.CompiledTemplate;
|
||||
import org.mvel2.templates.TemplateCompiler;
|
||||
import org.mvel2.templates.TemplateRuntime;
|
||||
|
||||
public class MvelInjection {
|
||||
public class MvelInjectionTest {
|
||||
|
||||
public static void testWithMvelEval(Socket socket) throws IOException {
|
||||
MVEL.eval(read(socket));
|
||||
MVEL.eval(read(socket)); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testWithMvelCompileAndExecute(Socket socket) throws IOException {
|
||||
Serializable expression = MVEL.compileExpression(read(socket));
|
||||
MVEL.executeExpression(expression);
|
||||
MVEL.executeExpression(expression); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testWithExpressionCompiler(Socket socket) throws IOException {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
ExecutableStatement statement = compiler.compile();
|
||||
statement.getValue(new Object(), new ImmutableDefaultFactory());
|
||||
statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory());
|
||||
statement.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
|
||||
statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
CompiledExpression expression = compiler.compile();
|
||||
expression.getDirectValue(new Object(), new ImmutableDefaultFactory());
|
||||
expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException {
|
||||
CompiledAccExpression expression = new CompiledAccExpression(
|
||||
read(socket).toCharArray(), Object.class, new ParserContext());
|
||||
expression.getValue(new Object(), new ImmutableDefaultFactory());
|
||||
CompiledAccExpression expression =
|
||||
new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext());
|
||||
expression.getValue(new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception {
|
||||
@@ -54,10 +53,10 @@ public class MvelInjection {
|
||||
|
||||
MvelScriptEngine engine = new MvelScriptEngine();
|
||||
CompiledScript compiledScript = engine.compile(input);
|
||||
compiledScript.eval();
|
||||
compiledScript.eval(); // $hasMvelInjection
|
||||
|
||||
Serializable script = engine.compiledScript(input);
|
||||
engine.evaluate(script, new SimpleScriptContext());
|
||||
engine.evaluate(script, new SimpleScriptContext()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception {
|
||||
@@ -65,27 +64,26 @@ public class MvelInjection {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
ExecutableStatement statement = compiler.compile();
|
||||
MvelCompiledScript script = new MvelCompiledScript(engine, statement);
|
||||
script.eval(new SimpleScriptContext());
|
||||
script.eval(new SimpleScriptContext()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeEval(Socket socket) throws Exception {
|
||||
TemplateRuntime.eval(read(socket), new HashMap());
|
||||
TemplateRuntime.eval(read(socket), new HashMap()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception {
|
||||
TemplateRuntime.execute(
|
||||
TemplateCompiler.compileTemplate(read(socket)), new HashMap());
|
||||
TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception {
|
||||
TemplateCompiler compiler = new TemplateCompiler(read(socket));
|
||||
TemplateRuntime.execute(compiler.compile(), new HashMap());
|
||||
TemplateRuntime.execute(compiler.compile(), new HashMap()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static void testMvelRuntimeExecute(Socket socket) throws Exception {
|
||||
ExpressionCompiler compiler = new ExpressionCompiler(read(socket));
|
||||
CompiledExpression expression = compiler.compile();
|
||||
MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory());
|
||||
MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $hasMvelInjection
|
||||
}
|
||||
|
||||
public static String read(Socket socket) throws IOException {
|
||||
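Review bot: Every MVEL call visible in these hunks carries `// $hasMvelInjection`, so the test pins only true positives and nothing shown here would fail if the promoted query began flagging evaluation of untainted input. Unless the part of `MvelInjectionTest` outside the hunks already has one, add a negative case with no annotation, for example a method whose body is `MVEL.eval("1 + 1");`. The inline-expectations framework would then report any alert on that line as unexpected. The class body and `read(Socket)` continue outside the hunk.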
@@ -0,0 +1,22 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.MvelInjectionQuery
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class HasMvelInjectionTest extends InlineExpectationsTest {
|
||||
HasMvelInjectionTest() { this = "HasMvelInjectionTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasMvelInjection" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasMvelInjection" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, MvelInjectionFlowConfig conf |
|
||||
conf.hasFlow(src, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
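Review bot: In `hasActualResult`, `src` is introduced by the `exists` but is neither constrained nor reported, so the test only asserts that some flow reaches each sink. If that is the intent, `conf.hasFlowTo(sink)` states it directly and the quantifier can shrink to `exists(DataFlow::Node sink, MvelInjectionFlowConfig conf | conf.hasFlowTo(sink) | ...)`. The imports of `TaintTracking` and `FlowSources` also look unused in this file and could probably be dropped. A short QLDoc comment on `HasMvelInjectionTest` saying that it maps each sink of `MvelInjectionFlowConfig` to a `hasMvelInjection` expectation would help the next reader.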
@@ -1 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api
|
||||
|
||||
@@ -3,9 +3,17 @@ package org.mvel2.jsr223;
|
||||
import java.io.Serializable;
|
||||
import javax.script.CompiledScript;
|
||||
import javax.script.ScriptContext;
|
||||
import javax.script.ScriptEngine;
|
||||
import javax.script.ScriptException;
|
||||
|
||||
public class MvelCompiledScript extends CompiledScript {
|
||||
public MvelCompiledScript(MvelScriptEngine engine, Serializable compiledScript) {}
|
||||
public Object eval(ScriptContext context) throws ScriptException { return null; }
|
||||
}
|
||||
|
||||
public Object eval(ScriptContext context) throws ScriptException {
|
||||
return null;
|
||||
}
|
||||
|
||||
public ScriptEngine getEngine() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||