hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added tests for Jakarta expression injection

Browse Source
This commit is contained in:
Artem Smotrakov
2021-03-21 20:36:47 +03:00
parent 73e940de74
commit adb1ed380a
16 changed files with 223 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected Normal file
View File

@@ -0,0 +1,59 @@
edges
| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:24:31:24:40 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:30:24:30:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:37:24:37:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:70:24:70:33 | expression : String |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:79:24:79:33 | expression : String |
| JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
| JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
| JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
| JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression |
| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e |
| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression |
| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e |
| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
| JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
nodes
| JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
| JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:30:24:30:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:32:28:32:37 | expression | semmle.label | expression |
| JakartaExpressionInjection.java:37:24:37:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:39:32:39:41 | expression | semmle.label | expression |
| JakartaExpressionInjection.java:44:24:44:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | semmle.label | new LambdaExpression(...) : LambdaExpression |
| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | semmle.label | lambdaExpression |
| JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
| JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
| JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | semmle.label | e : ValueExpression |
| JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
| JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | semmle.label | e : ValueExpression |
| JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
| JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
#select
| JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:65:13:65:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:65:13:65:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:74:13:74:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:74:13:74:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
| JakartaExpressionInjection.java:83:13:83:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:83:13:83:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |

87
java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java Normal file
View File

@@ -0,0 +1,87 @@
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.function.Consumer;
import javax.el.ELContext;
import javax.el.ELManager;
import javax.el.ELProcessor;
import javax.el.ExpressionFactory;
import javax.el.LambdaExpression;
import javax.el.MethodExpression;
import javax.el.StandardELContext;
import javax.el.ValueExpression;
public class JakartaExpressionInjection {
private static void testWithSocket(Consumer<String> action) throws IOException {
try (ServerSocket serverSocket = new ServerSocket(0)) {
try (Socket socket = serverSocket.accept()) {
byte[] bytes = new byte[1024];
int n = socket.getInputStream().read(bytes);
String expression = new String(bytes, 0, n);
action.accept(expression);
}
}
}
private static void testWithELProcessorEval() throws IOException {
testWithSocket(expression -> {
ELProcessor processor = new ELProcessor();
processor.eval(expression);
});
}
private static void testWithELProcessorGetValue() throws IOException {
testWithSocket(expression -> {
ELProcessor processor = new ELProcessor();
processor.getValue(expression, Object.class);
});
}
private static void testWithLambdaExpressionInvoke() throws IOException {
testWithSocket(expression -> {
ExpressionFactory factory = ELManager.getExpressionFactory();
StandardELContext context = new StandardELContext(factory);
ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class);
LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression);
lambdaExpression.invoke(context, new Object[0]);
});
}
private static void testWithELProcessorSetValue() throws IOException {
testWithSocket(expression -> {
ELProcessor processor = new ELProcessor();
processor.setValue(expression, new Object());
});
}
private static void testWithJuelValueExpressionGetValue() throws IOException {
testWithSocket(expression -> {
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
ELContext context = new de.odysseus.el.util.SimpleContext();
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
e.getValue(context);
});
}
private static void testWithJuelValueExpressionSetValue() throws IOException {
testWithSocket(expression -> {
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
ELContext context = new de.odysseus.el.util.SimpleContext();
ValueExpression e = factory.createValueExpression(context, expression, Object.class);
e.setValue(context, new Object());
});
}
private static void testWithJuelMethodExpressionInvoke() throws IOException {
testWithSocket(expression -> {
ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();
ELContext context = new de.odysseus.el.util.SimpleContext();
MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]);
e.invoke(context, new Object[0]);
});
}
}

1
java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql

3
java/ql/test/experimental/query-tests/security/CWE-094/options
View File

@@ -1,2 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2

3
java/ql/test/stubs/java-ee-el/javax/el/ELContext.java Normal file
View File

@@ -0,0 +1,3 @@
package javax.el;
public class ELContext {}

5
java/ql/test/stubs/java-ee-el/javax/el/ELManager.java Normal file
View File

@@ -0,0 +1,5 @@
package javax.el;
public class ELManager {
public static ExpressionFactory getExpressionFactory() { return null; }
}

7
java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java Normal file
View File

@@ -0,0 +1,7 @@
package javax.el;
public class ELProcessor {
public Object eval(String expression) { return null; }
public Object getValue(String expression, Class<?> expectedType) { return null; }
public void setValue(String expression, Object value) {}
}

17
java/ql/test/stubs/java-ee-el/javax/el/ExpressionFactory.java Normal file
View File

@@ -0,0 +1,17 @@
package javax.el;
public class ExpressionFactory {
public MethodExpression createMethodExpression(ELContext context, String expression, Class<?> expectedReturnType,
Class<?>[] expectedParamTypes) {
return null;
}
public ValueExpression createValueExpression(ELContext context, String expression, Class<?> expectedType) {
return null;
}
public ValueExpression createValueExpression(Object instance, Class<?> expectedType) {
return null;
}
}

8
java/ql/test/stubs/java-ee-el/javax/el/LambdaExpression.java Normal file
View File

@@ -0,0 +1,8 @@
package javax.el;
import java.util.List;
public class LambdaExpression {
public LambdaExpression(List<String> formalParameters, ValueExpression expression) {}
public Object invoke(Object... args) { return null; }
}

5
java/ql/test/stubs/java-ee-el/javax/el/MethodExpression.java Normal file
View File

@@ -0,0 +1,5 @@
package javax.el;
public class MethodExpression {
public Object invoke(ELContext context, Object[] params) { return null; }
}

5
java/ql/test/stubs/java-ee-el/javax/el/StandardELContext.java Normal file
View File

@@ -0,0 +1,5 @@
package javax.el;
public class StandardELContext extends ELContext {
public StandardELContext(ExpressionFactory factory) {}
}

6
java/ql/test/stubs/java-ee-el/javax/el/ValueExpression.java Normal file
View File

@@ -0,0 +1,6 @@
package javax.el;
public class ValueExpression {
public Object getValue(ELContext context) { return null; }
public void setValue(ELContext context, Object value) {}
}

5
java/ql/test/stubs/juel-2.2/de/odysseus/el/ExpressionFactoryImpl.java Normal file
View File

@@ -0,0 +1,5 @@
package de.odysseus.el;
import javax.el.ExpressionFactory;
public class ExpressionFactoryImpl extends ExpressionFactory {}

5
java/ql/test/stubs/juel-2.2/de/odysseus/el/util/SimpleContext.java Normal file
View File

@@ -0,0 +1,5 @@
package de.odysseus.el.util;
import javax.el.ELContext;
public class SimpleContext extends ELContext {}