Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection

Java: Promote OGNL Injection query from experimental

java/ql/test/query-tests/security/CWE-502/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.10
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12

java/ql/test/query-tests/security/CWE-917/OgnlInjection.java

@@ -0,0 +1,73 @@
+import ognl.Node;
+import ognl.Ognl;
+import ognl.enhance.ExpressionAccessor;
+
+import java.util.HashMap;
+
+import com.opensymphony.xwork2.ognl.OgnlUtil;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class OgnlInjection {
+  @RequestMapping
+  public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
+    Object tree = Ognl.parseExpression(expr);
+    Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+    Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+
+    Node node = (Node) tree;
+    node.getValue(null, new Object()); // $hasOgnlInjection
+    node.setValue(null, new Object(), new Object()); // $hasOgnlInjection
+  }
+
+  @RequestMapping
+  public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
+    Node tree = Ognl.compileExpression(null, new Object(), expr);
+    Ognl.getValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+    Ognl.setValue(tree, new HashMap<>(), new Object()); // $hasOgnlInjection
+
+    tree.getValue(null, new Object()); // $hasOgnlInjection
+    tree.setValue(null, new Object(), new Object()); // $hasOgnlInjection
+  }
+
+  @RequestMapping
+  public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
+    Ognl.getValue(expr, new Object()); // $hasOgnlInjection
+    Ognl.setValue(expr, new Object(), new Object()); // $hasOgnlInjection
+  }
+
+  @RequestMapping
+  public void testStruts(@RequestParam String expr) throws Exception {
+    OgnlUtil ognl = new OgnlUtil();
+    ognl.getValue(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
+    ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $hasOgnlInjection
+    new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $hasOgnlInjection
+  }
+
+  @RequestMapping
+  public void testExpressionAccessor(@RequestParam String expr) throws Exception {
+    Node tree = Ognl.compileExpression(null, new Object(), expr);
+    ExpressionAccessor accessor = tree.getAccessor();
+    accessor.get(null, new Object()); // $hasOgnlInjection
+    accessor.set(null, new Object(), new Object()); // $hasOgnlInjection
+
+    Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
+    Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
+  }
+
+  @RequestMapping
+  public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception {
+    Node tree = Ognl.compileExpression(null, new Object(), "\"some safe expression\".toString()");
+    ExpressionAccessor accessor = tree.getAccessor();
+    Node taintedTree = Ognl.compileExpression(null, new Object(), expr);
+    accessor.setExpression(taintedTree);
+    accessor.get(null, new Object()); // $hasOgnlInjection
+    accessor.set(null, new Object(), new Object()); // $hasOgnlInjection
+
+    Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
+    Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
+  }
+}

java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.OgnlInjectionQuery
+import TestUtilities.InlineExpectationsTest
+
+class OgnlInjectionTest extends InlineExpectationsTest {
+  OgnlInjectionTest() { this = "HasOgnlInjection" }
+
+  override string getARelevantTag() { result = "hasOgnlInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasOgnlInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, OgnlInjectionFlowConfig conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-917/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22