hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Added MVELRuntime.execute() sink for MVEL injections

Browse Source
This commit is contained in:
Artem Smotrakov
2020-05-01 17:02:15 +02:00
parent fa717b2d86
commit df9d10f2ac
4 changed files with 89 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
java/ql/src/experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
View File

@@ -56,6 +56,11 @@ class MvelEvaluationSink extends DataFlow::ExprNode {
) and
(ma = asExpr() or ma.getQualifier() = asExpr())
)
or
exists(StaticMethodAccess ma, Method m | m = ma.getMethod() |
m instanceof MvelRuntimeEvaluationMethod and
ma.getArgument(1) = asExpr()
)
}
}
@@ -308,6 +313,16 @@ class MvelCompiledScriptEvaluationMethod extends Method {
}
}
/**
* Methods in `MVELRuntime` that evaluate a MVEL expression.
*/
class MvelRuntimeEvaluationMethod extends Method {
MvelRuntimeEvaluationMethod() {
getDeclaringType() instanceof MVELRuntime and
hasName("execute")
}
}
class MVEL extends RefType {
MVEL() { hasQualifiedName("org.mvel2", "MVEL") }
}
@@ -351,3 +366,7 @@ class TemplateRuntime extends RefType {
class TemplateCompiler extends RefType {
TemplateCompiler() { hasQualifiedName("org.mvel2.templates", "TemplateCompiler") }
}
class MVELRuntime extends RefType {
MVELRuntime() { hasQualifiedName("org.mvel2", "MVELRuntime") }
}