Added examples of a sandbox for JEXL expressions

java/ql/src/experimental/Security/CWE/CWE-094/JexlInjection.qhelp

@@ -14,7 +14,9 @@ and then evaluated, then it may allow the attacker to run arbitrary code.
 
 <recommendation>
 <p>
-Including user input in a JEXL expression should be avoided.
+Including untrusted input in a JEXL expression should be avoided. If it is not possible,
+JEXL expressions should be run in a sandbox that allows accessing only
+explicitly allowed classes.
 </p>
 </recommendation>
 
@@ -23,6 +25,23 @@ Including user input in a JEXL expression should be avoided.
 The following example uses untrusted data to build and run a JEXL expression.
 </p>
 <sample src="UnsafeJexlExpressionEvaluation.java" />
+
+<p>
+The next example shows how an untrusted JEXL expression can be run
+in a sandbox that allows accessing only methods in the `java.lang.Math` class.
+The sandbox is implemented using `JexlSandbox` class that is provided by
+Apache Commons JEXL 3.
+However, it's recommended to avoid using untrusted input in JEXL expressions.
+</p>
+<sample src="SaferJexlExpressionEvaluationWithSandbox.java" />
+
+<p>
+The next example shows another way how a sandbox can be implemented.
+It uses a custom implememtation of `JexlUberspect`
+that checks if callees are instances of allowed classes.
+Again, it's recommended to avoid using untrusted input in JEXL expressions.
+</p>
+<sample src="SaferJexlExpressionEvaluationWithUberspectSandbox.java" />
 </example>
 
 <references>

java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java

@@ -0,0 +1,14 @@
+public void evaluate(Socket socket) throws IOException {
+  try (BufferedReader reader = new BufferedReader(
+        new InputStreamReader(socket.getInputStream()))) {
+    
+    JexlSandbox onlyMath = new JexlSandbox(false);
+    onlyMath.white("java.lang.Math");
+    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();
+      
+    String input = reader.readLine();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java

@@ -0,0 +1,90 @@
+public void evaluate(Socket socket) throws IOException {
+  try (BufferedReader reader = new BufferedReader(
+        new InputStreamReader(socket.getInputStream()))) {
+    
+    JexlUberspect sandbox = new JexlUberspectSandbox();
+    JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
+      
+    String input = reader.readLine();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
+
+  private static class JexlUberspectSandbox implements JexlUberspect {
+
+    private static final List<String> ALLOWED_CLASSES =
+              Arrays.asList("java.lang.Math", "java.util.Random");
+
+    private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();
+
+    private void checkAccess(Object obj) {
+      if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {
+        throw new AccessControlException("Not allowed");
+      }
+    }
+
+    @Override
+    public JexlMethod getMethod(Object obj, String method, Object... args) {
+      checkAccess(obj);
+      return uberspect.getMethod(obj, method, args);
+    }
+
+    @Override
+    public List<PropertyResolver> getResolvers(JexlOperator op, Object obj) {
+      checkAccess(obj);
+      return uberspect.getResolvers(op, obj);
+    }
+
+    @Override
+    public void setClassLoader(ClassLoader loader) {
+      uberspect.setClassLoader(loader);
+    }
+
+    @Override
+    public int getVersion() {
+      return uberspect.getVersion();
+    }
+
+    @Override
+    public JexlMethod getConstructor(Object obj, Object... args) {
+      checkAccess(obj);
+      return uberspect.getConstructor(obj, args);
+    }
+
+    @Override
+    public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {
+      checkAccess(obj);
+      return uberspect.getPropertyGet(obj, identifier);
+    }
+
+    @Override
+    public JexlPropertyGet getPropertyGet(List<PropertyResolver> resolvers, Object obj, Object identifier) {
+      checkAccess(obj);
+      return uberspect.getPropertyGet(resolvers, obj, identifier);
+    }
+
+    @Override
+    public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {
+      checkAccess(obj);
+      return uberspect.getPropertySet(obj, identifier, arg);
+    }
+
+    @Override
+    public JexlPropertySet getPropertySet(List<PropertyResolver> resolvers, Object obj, Object identifier, Object arg) {
+      checkAccess(obj);
+      return uberspect.getPropertySet(resolvers, obj, identifier, arg);
+    }
+
+    @Override
+    public Iterator<?> getIterator(Object obj) {
+      checkAccess(obj);
+      return uberspect.getIterator(obj);
+    }
+
+    @Override
+    public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {
+      return uberspect.getArithmetic(arithmetic);
+    } 
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java

@@ -1,11 +1,11 @@
 public void evaluate(Socket socket) throws IOException {
-    try (BufferedReader reader = new BufferedReader(
+  try (BufferedReader reader = new BufferedReader(
         new InputStreamReader(socket.getInputStream()))) {
     
-      String input = reader.readLine();
-      JexlEngine jexl = new JexlBuilder().create();
-      JexlExpression expression = jexl.createExpression(input);
-      JexlContext context = new MapContext();
-      expression.evaluate(context);
-    }
+    String input = reader.readLine();
+    JexlEngine jexl = new JexlBuilder().create();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
 }