hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Split qhelp files

Browse Source
This commit is contained in:
Artem Smotrakov
2021-03-10 10:38:08 +03:00
parent a78f2115f2
commit df60268023
6 changed files with 117 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.qhelp
View File

@@ -1,82 +1,8 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
for creating remote service exporters.
A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
Deserializing untrusted data is easily exploitable and in many cases allows an attacker
to execute arbitrary code.
</p>
<p>
The Spring Framework also provides two classes that extend <code>RemoteInvocationSerializingExporter</code>:
<li>
<code>HttpInvokerServiceExporter</code>
</li>
<li>
<code>SimpleHttpInvokerServiceExporter</code>
</li>
</p>
<p>
These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
it results in remote code execution in the worst case.
</p>
<p>
CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
It is regarded as a design limitation, and can be mitigated but not fixed outright.
</p>
</overview>
<recommendation>
<p>
Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
Instead, use other message formats for API endpoints (for example, JSON),
but make sure that the underlying deserialization mechanism is properly configured
so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
consider using global deserialization filters introduced in JEP 290.
</p>
</recommendation>
<example>
<p>
The following example shows how a vulnerable HTTP endpoint can be defined
using <code>HttpInvokerServiceExporter</code> and Spring annotations:
</p>
<sample src="SpringExporterUnsafeDeserialization.java" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
</li>
<li>
National Vulnerability Database:
<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
</li>
<li>
Tenable Research Advisory:
<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
</li>
<li>
Spring Framework bug tracker:
<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>
</li>
<li>
OpenJDK:
<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
</li>
</references>
<include src="UnsafeSpringExporterQuery.inc.qhelp" />
<include src="UnsafeSpringExporterInConfigurationClassExample.inc.qhelp" />
<include src="UnsafeSpringExporterReferences.inc.qhelp" />
</qhelp>

14
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClassExample.inc.qhelp Normal file
View File

@@ -0,0 +1,14 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<example>
<p>
The following example shows how a vulnerable HTTP endpoint can be defined
using <code>HttpInvokerServiceExporter</code> and Spring annotations:
</p>
<sample src="SpringExporterUnsafeDeserialization.java" />
</example>
</qhelp>

85
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.qhelp
View File

@@ -1,81 +1,8 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
for creating remote service exporters.
A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
Deserializing untrusted data is easily exploitable and in many cases allows an attacker
to execute arbitrary code.
</p>
<p>
The Spring Framework also provides two classes that extend <code>RemoteInvocationSerializingExporter</code>:
<li>
<code>HttpInvokerServiceExporter</code>
</li>
<li>
<code>SimpleHttpInvokerServiceExporter</code>
</li>
</p>
<p>
These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
it results in remote code execution in the worst case.
</p>
<p>
CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
It is regarded as a design limitation, and can be mitigated but not fixed outright.
</p>
</overview>
<recommendation>
<p>
Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
Instead, use other message formats for API endpoints (for example, JSON),
but make sure that the underlying deserialization mechanism is properly configured
so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
consider using global deserialization filters introduced in JEP 290.
</p>
</recommendation>
<example>
<p>
The following examples shows how a vulnerable HTTP endpoint can be defined in a Spring XML config:
</p>
<sample src="SpringExporterUnsafeDeserialization.xml" />
</example>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
</li>
<li>
National Vulnerability Database:
<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
</li>
<li>
Tenable Research Advisory:
<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
</li>
<li>
Spring Framework bug tracker:
<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>
</li>
<li>
OpenJDK:
<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
</li>
</references>
<include src="UnsafeSpringExporterQuery.inc.qhelp" />
<include src="UnsafeSpringExporterInXMLConfigurationExample.inc.qhelp" />
<include src="UnsafeSpringExporterReferences.inc.qhelp" />
</qhelp>

13
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfigurationExample.inc.qhelp Normal file
View File

@@ -0,0 +1,13 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<example>
<p>
The following examples shows how a vulnerable HTTP endpoint can be defined in a Spring XML config:
</p>
<sample src="SpringExporterUnsafeDeserialization.xml" />
</example>
</qhelp>

41
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterQuery.inc.qhelp Normal file
View File

@@ -0,0 +1,41 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
for creating remote service exporters.
A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
Deserializing untrusted data is easily exploitable and in many cases allows an attacker
to execute arbitrary code.
</p>
<p>
The Spring Framework also provides <code>HttpInvokerServiceExporter</code>
and <code>SimpleHttpInvokerServiceExporter</code> classes
that extend <code>RemoteInvocationSerializingExporter</code>.
</p>
<p>
These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
it results in remote code execution in the worst case.
</p>
<p>
CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
It is regarded as a design limitation, and can be mitigated but not fixed outright.
</p>
</overview>
<recommendation>
<p>
Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
Instead, use other message formats for API endpoints (for example, JSON),
but make sure that the underlying deserialization mechanism is properly configured
so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
consider using global deserialization filters introduced in JEP 290.
</p>
</recommendation>
</qhelp>

37
java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterReferences.inc.qhelp Normal file
View File

@@ -0,0 +1,37 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<references>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
</li>
<li>
Spring Framework API documentation:
<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
</li>
<li>
National Vulnerability Database:
<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
</li>
<li>
Tenable Research Advisory:
<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
</li>
<li>
Spring Framework bug tracker:
<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>
</li>
<li>
OpenJDK:
<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
</li>
</references>
</qhelp>