add isAdditionalTaintStep

2026-02-10 12:11:07 +01:00 · 2021-05-26 17:48:10 +08:00
parent 921b8e80a2
commit ed0aabef46
5 changed files with 66 additions and 5 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.java
@@ -11,7 +11,7 @@ public class JShellInjection {
 	public void bad1(HttpServletRequest request) {
 		String input = request.getParameter("code");
 		JShell jShell = JShell.builder().build();
-    // BAD: allow execution of arbitrary Java code
+        // BAD: allow execution of arbitrary Java code
 		jShell.eval(input);
 	}

@@ -20,7 +20,21 @@ public class JShellInjection {
 		String input = request.getParameter("code");
 		JShell jShell = JShell.builder().build();
 		SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
-    // BAD: allow execution of arbitrary Java code
+        // BAD: allow execution of arbitrary Java code
 		sourceCodeAnalysis.wrappers(input);
 	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String input = request.getParameter("code");
+		JShell jShell = JShell.builder().build();
+		SourceCodeAnalysis.CompletionInfo info;
+		SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
+		for (info = sca.analyzeCompletion(input);
+				info.completeness().isComplete();
+				info = sca.analyzeCompletion(info.remaining())) {
+			// BAD: allow execution of arbitrary Java code
+			jShell.eval(info.source());
+		}
+	}
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
@@ -21,6 +21,19 @@ class JShellInjectionConfiguration extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("analyzeCompletion") and
+      ma.getMethod().getNumberOfParameters() = 1 and
+      ma.getMethod()
+          .getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName("jdk.jshell", "SourceCodeAnalysis") and
+      ma.getArgument(0) = prod.asExpr() and
+      ma = succ.asExpr()
+    )
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, JShellInjectionConfiguration conf
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll
@@ -4,8 +4,24 @@ import semmle.code.java.dataflow.FlowSources
 /** A sink for JShell expression injection vulnerabilities. */
 class JShellInjectionSink extends DataFlow::Node {
  JShellInjectionSink() {
-    this.asExpr() = any(JShellEvalCall jsec).getArgument(0) or
+    this.asExpr() = any(JShellEvalCall jsec).getArgument(0)
+    or
    this.asExpr() = any(SourceCodeAnalysisWrappersCall scawc).getArgument(0)
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("source") and
+      ma.getMethod().getNumberOfParameters() = 0 and
+      ma.getMethod()
+          .getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName("jdk.jshell", "SourceCodeAnalysis$CompletionInfo") and
+      ma.getQualifier() = this.asExpr() and
+      (
+        ma = any(JShellEvalCall jsec).getArgument(0)
+        or
+        ma = any(SourceCodeAnalysisWrappersCall scawc).getArgument(0)
+      )
+    )
  }
 }