Merge pull request #3291 from artem-smotrakov/spel-injection

Java: Add a query for SpEL injections

java/ql/test/experimental/Security/CWE/CWE-094/SpelInjection.expected

@@ -0,0 +1,27 @@
+edges
+| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression |
+| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression |
+| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:48:5:48:14 | expression |
+| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:59:5:59:14 | expression |
+| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:70:5:70:14 | expression |
+| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:83:5:83:14 | expression |
+nodes
+| SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:23:5:23:14 | expression | semmle.label | expression |
+| SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:34:5:34:14 | expression | semmle.label | expression |
+| SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:48:5:48:14 | expression | semmle.label | expression |
+| SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:59:5:59:14 | expression | semmle.label | expression |
+| SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:70:5:70:14 | expression | semmle.label | expression |
+| SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SpelInjection.java:83:5:83:14 | expression | semmle.label | expression |
+#select
+| SpelInjection.java:23:5:23:14 | expression | SpelInjection.java:15:22:15:44 | getInputStream(...) : InputStream | SpelInjection.java:23:5:23:14 | expression | SpEL injection from $@. | SpelInjection.java:15:22:15:44 | getInputStream(...) | this user input |
+| SpelInjection.java:34:5:34:14 | expression | SpelInjection.java:27:22:27:44 | getInputStream(...) : InputStream | SpelInjection.java:34:5:34:14 | expression | SpEL injection from $@. | SpelInjection.java:27:22:27:44 | getInputStream(...) | this user input |
+| SpelInjection.java:48:5:48:14 | expression | SpelInjection.java:38:22:38:44 | getInputStream(...) : InputStream | SpelInjection.java:48:5:48:14 | expression | SpEL injection from $@. | SpelInjection.java:38:22:38:44 | getInputStream(...) | this user input |
+| SpelInjection.java:59:5:59:14 | expression | SpelInjection.java:52:22:52:44 | getInputStream(...) : InputStream | SpelInjection.java:59:5:59:14 | expression | SpEL injection from $@. | SpelInjection.java:52:22:52:44 | getInputStream(...) | this user input |
+| SpelInjection.java:70:5:70:14 | expression | SpelInjection.java:63:22:63:44 | getInputStream(...) : InputStream | SpelInjection.java:70:5:70:14 | expression | SpEL injection from $@. | SpelInjection.java:63:22:63:44 | getInputStream(...) | this user input |
+| SpelInjection.java:83:5:83:14 | expression | SpelInjection.java:74:22:74:44 | getInputStream(...) : InputStream | SpelInjection.java:83:5:83:14 | expression | SpEL injection from $@. | SpelInjection.java:74:22:74:44 | getInputStream(...) | this user input |

java/ql/test/experimental/Security/CWE/CWE-094/SpelInjection.java

@@ -0,0 +1,100 @@
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Socket;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+
+public class SpelInjection {
+
+  private static final ExpressionParser PARSER = new SpelExpressionParser();
+
+  public void testGetValue(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    ExpressionParser parser = new SpelExpressionParser();
+    Expression expression = parser.parseExpression(input);
+    expression.getValue();
+  }
+
+  public void testGetValueWithChainedCalls(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = new SpelExpressionParser().parseExpression(input);
+    expression.getValue();
+  }
+
+  public void testSetValueWithRootObject(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = new SpelExpressionParser().parseExpression(input);
+
+    Object root = new Object();
+    Object value = new Object();
+    expression.setValue(root, value);
+  }
+
+  public void testGetValueWithStaticParser(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = PARSER.parseExpression(input);
+    expression.getValue();
+  }
+
+  public void testGetValueType(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = PARSER.parseExpression(input);
+    expression.getValueType();
+  }
+
+  public void testWithStandardEvaluationContext(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = PARSER.parseExpression(input);
+
+    StandardEvaluationContext context = new StandardEvaluationContext();
+    expression.getValue(context);
+  }
+
+  public void testWithSimpleEvaluationContext(Socket socket) throws IOException {
+    InputStream in = socket.getInputStream();
+
+    byte[] bytes = new byte[1024];
+    int n = in.read(bytes);
+    String input = new String(bytes, 0, n);
+
+    Expression expression = PARSER.parseExpression(input);
+    SimpleEvaluationContext context = SimpleEvaluationContext.forReadWriteDataBinding().build();
+
+    // the expression is evaluated in a limited context
+    expression.getValue(context);
+  }
+
+}

java/ql/test/experimental/Security/CWE/CWE-094/SpelInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/SpelInjection.ql

java/ql/test/experimental/Security/CWE/CWE-094/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationContext.java

@@ -0,0 +1,3 @@
+package org.springframework.expression;
+
+public interface EvaluationContext {}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/EvaluationException.java

@@ -0,0 +1,3 @@
+package org.springframework.expression;
+
+public class EvaluationException extends RuntimeException {}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/Expression.java

@@ -0,0 +1,14 @@
+package org.springframework.expression;
+
+public interface Expression {
+
+	Object getValue() throws EvaluationException;
+
+	Object getValue(EvaluationContext context) throws EvaluationException;
+
+	Class<?> getValueType() throws EvaluationException;
+
+	Class<?> getValueType(EvaluationContext context) throws EvaluationException;
+
+	void setValue(Object rootObject, Object value) throws EvaluationException;
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/ExpressionParser.java

@@ -0,0 +1,6 @@
+package org.springframework.expression;
+
+public interface ExpressionParser {
+
+    Expression parseExpression(String string);
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/standard/SpelExpressionParser.java

@@ -0,0 +1,10 @@
+package org.springframework.expression.spel.standard;
+
+import org.springframework.expression.*;
+
+public class SpelExpressionParser implements ExpressionParser {
+
+    public SpelExpressionParser() {}
+    
+    public Expression parseExpression(String string) { return null; }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/SimpleEvaluationContext.java

@@ -0,0 +1,13 @@
+
+package org.springframework.expression.spel.support;
+
+import org.springframework.expression.*;
+
+public class SimpleEvaluationContext implements EvaluationContext {
+
+    public static Builder forReadWriteDataBinding() { return null; }
+    
+    public static class Builder {
+        public SimpleEvaluationContext build() { return null; }
+    }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/expression/spel/support/StandardEvaluationContext.java

@@ -0,0 +1,5 @@
+package org.springframework.expression.spel.support;
+
+import org.springframework.expression.*;
+
+public class StandardEvaluationContext implements EvaluationContext {}