Merge branch 'jexl-injection' of github.com:artem-smotrakov/ql into jexl-injection

This commit is contained in:
Artem Smotrakov
2021-03-04 20:29:10 +01:00


@@ -14,8 +14,8 @@ and then evaluated, then it may allow the attacker to run arbitrary code.
<recommendation>
<p>
Including untrusted input in a JEXL expression should be avoided. If it is not possible,
JEXL expressions should be run in a sandbox that allows accessing only
It is generally recommended to avoid using untrusted input in a JEXL expression.
If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only
explicitly allowed classes.
</p>
</recommendation>
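Review bot: the rewritten first sentence weakens the guidance without adding information: "It is generally recommended to avoid using untrusted input in a JEXL expression" is hedged and passive where the removed line, "Including untrusted input in a JEXL expression should be avoided", stated the rule directly, and qhelp recommendations elsewhere use that imperative form. Suggest keeping the direct wording, and changing "If it is not possible" to "If that is not possible" so the pronoun has a clear antecedent. The sandbox sentence would also be more actionable if it said that the sandbox should be configured as an allow-list of classes (and, per the context line of the next hunk, that callees are checked against that list), so a reader does not implement a block-list and consider the finding resolved.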
@@ -60,4 +60,4 @@ that checks if callees are instances of allowed classes.
<a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
</li>
</references>
</qhelp>
</qhelp>
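Review bot: this hunk replaces the closing `</qhelp>` line with an identical `</qhelp>` line, so the only difference is whitespace or the trailing newline at end of file. Confirm that this is an intentional newline-at-EOF fix rather than a stray editor change; if intentional, the merge commit message should say so, and if not, drop the hunk so the diff contains only the wording change in the recommendation section.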