Improved JexlInjection.qhelp

Artem Smotrakov
2021-03-02 21:25:26 +01:00
parent 6b66323ac3
commit c243f2f042

@@ -31,15 +31,13 @@ The next example shows how an untrusted JEXL expression can be run
in a sandbox that allows accessing only methods in the <code>java.lang.Math</code> class.
The sandbox is implemented using <code>JexlSandbox</code> class that is provided by
Apache Commons JEXL 3.
However, it's recommended to avoid using untrusted input in JEXL expressions.
</p>
<sample src="SaferJexlExpressionEvaluationWithSandbox.java" />
<p>
The next example shows another way how a sandbox can be implemented.
It uses a custom implememtation of <code>JexlUberspect</code>
It uses a custom implementation of <code>JexlUberspect</code>
that checks if callees are instances of allowed classes.
Again, it's recommended to avoid using untrusted input in JEXL expressions.
</p>
<sample src="SaferJexlExpressionEvaluationWithUberspectSandbox.java" />
</example>
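
Review bot: If the two "it's recommended to avoid using untrusted input in JEXL expressions" sentences in the sandbox paragraphs are being dropped (the -31,15 +31,13 counts together with the single implememtation/implementation replacement suggest so), confirm the qhelp still states that caution elsewhere; without it, the JexlSandbox and JexlUberspect samples read as the primary fix rather than a fallback for cases where untrusted expressions cannot be avoided. While touching these paragraphs, consider rewording "another way how a sandbox can be implemented" to "another way to implement a sandbox", and adding the missing article in "using <code>JexlSandbox</code> class" ("using the <code>JexlSandbox</code> class").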