Updated JexlInjection.ql to check for sandboxes

- Added a dataflow config to track setting a sandbox
  on JexlBuilder
- Added SandboxedJexl3.java test

java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl3.java

@@ -0,0 +1,76 @@
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.AccessControlException;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+import java.util.function.Consumer;
+
+import org.apache.commons.jexl3.*;
+import org.apache.commons.jexl3.introspection.*;
+
+public class SandboxedJexl3 {
+
+    private static void runJexlExpressionWithSandbox(String jexlExpr) {
+        JexlSandbox sandbox = new JexlSandbox(false);
+        sandbox.white(SandboxedJexl3.class.getCanonicalName());
+        JexlEngine jexl = new JexlBuilder().sandbox(sandbox).create();
+        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlExpressionWithUberspectSandbox(String jexlExpr) {
+        JexlUberspect sandbox = new JexlUberspectSandbox();
+        JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
+        JexlExpression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static JexlBuilder STATIC_JEXL_BUILDER;
+
+    static {
+        JexlSandbox sandbox = new JexlSandbox(false);
+        sandbox.white(SandboxedJexl3.class.getCanonicalName());
+        STATIC_JEXL_BUILDER = new JexlBuilder().sandbox(sandbox);
+    }
+
+    private static void runJexlExpressionViaJxltEngineWithSandbox(String jexlExpr) {
+        JexlEngine jexl = STATIC_JEXL_BUILDER.create();
+        JxltEngine jxlt = jexl.createJxltEngine();
+        jxlt.createExpression(jexlExpr).evaluate(new MapContext());
+    }
+
+    private static class JexlUberspectSandbox implements JexlUberspect {
+
+    }
+
+    private static void withSocket(Consumer<String> action) throws Exception {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String jexlExpr = new String(bytes, 0, n);
+                action.accept(jexlExpr);
+            }
+        }
+    }
+
+    // below are examples of safer Jexl usage
+
+    // with JexlSandbox
+    public static void saferJexlExpressionInSandbox() throws Exception {
+        withSocket(SandboxedJexl3::runJexlExpressionWithSandbox);
+    }
+
+    // with a custom sandbox implemented with JexlUberspect
+    public static void saferJexlExpressionInUberspectSandbox() throws Exception {
+        withSocket(SandboxedJexl3::runJexlExpressionWithUberspectSandbox);
+    }
+
+    // with JexlSandbox and JxltEngine
+    public static void saferJxltExpressionInSandbox() throws Exception {
+        withSocket(SandboxedJexl3::runJexlExpressionViaJxltEngineWithSandbox);
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlBuilder.java

@@ -1,8 +1,18 @@
 package org.apache.commons.jexl3;
 
+import org.apache.commons.jexl3.introspection.*;
+
 public class JexlBuilder {
 
     public JexlEngine create() {
         return null;
     }
+
+    public JexlBuilder sandbox(JexlSandbox sandbox) {
+        return null;
+    }
+
+    public JexlBuilder uberspect(JexlUberspect uberspect) {
+        return null;
+    }
 }

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/JexlEngine.java

@@ -1,5 +1,7 @@
 package org.apache.commons.jexl3;
 
+import org.apache.commons.jexl3.introspection.*;
+
 public abstract class JexlEngine {
 
     public JexlExpression createExpression(JexlInfo info, String expression) {
@@ -31,4 +33,8 @@ public abstract class JexlEngine {
     public Object getProperty(Object bean, String expr) {
         return null;
     }
+
+    public JexlUberspect getUberspect() {
+        return null;
+    }
 }

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlSandbox.java

@@ -0,0 +1,16 @@
+package org.apache.commons.jexl3.introspection;
+
+public class JexlSandbox {
+    
+    public JexlSandbox() {}
+
+    public JexlSandbox(boolean wb) {}
+
+    public JexlSandbox.Permissions white(String clazz) {
+        return null;
+    }
+
+    public static final class Permissions {
+
+    }
+}

java/ql/test/stubs/apache-commons-jexl-3.1/org/apache/commons/jexl3/introspection/JexlUberspect.java

@@ -0,0 +1,37 @@
+package org.apache.commons.jexl3.introspection;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+public interface JexlUberspect {
+    /*
+    interface PropertyResolver {}
+
+    List<PropertyResolver> getResolvers(JexlOperator op, Object obj);
+
+    void setClassLoader(ClassLoader loader);
+
+    ClassLoader getClassLoader();
+
+    int getVersion();
+
+    JexlMethod getConstructor(Object ctorHandle, Object... args);
+
+    JexlMethod getMethod(Object obj, String method, Object... args);
+
+    JexlPropertyGet getPropertyGet(Object obj, Object identifier);
+
+    JexlPropertyGet getPropertyGet(List<PropertyResolver> resolvers, Object obj, Object identifier);
+
+    JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg);
+
+    JexlPropertySet getPropertySet(List<PropertyResolver> resolvers, Object obj, Object identifier, Object arg);
+
+    Iterator<?> getIterator(Object obj);
+
+    JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic);
+    */
+}