Merge pull request #5686 from smowton/haby0/JsonHijacking

Java: JSONP Injection w/cleanups

java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java

@@ -0,0 +1,161 @@
+import com.alibaba.fastjson.JSONObject;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
+
+@Controller
+public class JsonpController {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    @GetMapping(value = "jsonp1")
+    @ResponseBody
+    public String bad1(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp2")
+    @ResponseBody
+    public String bad2(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp3")
+    @ResponseBody
+    public String bad3(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp4")
+    @ResponseBody
+    public String bad4(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @GetMapping(value = "jsonp5")
+    @ResponseBody
+    public void bad5(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @GetMapping(value = "jsonp6")
+    @ResponseBody
+    public void bad6(HttpServletRequest request,
+            HttpServletResponse response) throws Exception {
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        ObjectMapper mapper = new ObjectMapper();
+        String result = mapper.writeValueAsString(hashMap);
+        String resultStr = null;
+        pw = response.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+    }
+
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
+    @ResponseBody
+    public String bad7(HttpServletRequest request) {
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    @RequestMapping(value = "jsonp12")
+    @ResponseBody
+    public String good2(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
+        }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
+
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
+    }
+
+    public static String getJsonStr(Object result) {
+        return JSONObject.toJSONString(result);
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected

@@ -0,0 +1,58 @@
+edges
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | JsonpController.java:116:16:116:24 | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | JsonpController.java:131:16:131:24 | resultStr |
+nodes
+| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:116:16:116:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:131:16:131:24 | resultStr | semmle.label | resultStr |
+#select
+| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
+| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
+| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
+| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
+| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
+| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
+| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-352/JsonpInjection.ql

java/ql/test/experimental/query-tests/security/CWE-352/options

@@ -0,0 +1 @@
+  //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/