hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
Nora Dimitrijević 7f05b72e10 Java: convert OgnlInjection test to .qlref
2025-06-24 16:42:30 +02:00

74 lines
2.9 KiB
Java
Raw Permalink Blame History

import ognl.Node;
import ognl.Ognl;
import ognl.enhance.ExpressionAccessor;
import java.util.HashMap;
import com.opensymphony.xwork2.ognl.OgnlUtil;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class OgnlInjection {
@RequestMapping
public void testOgnlParseExpression(@RequestParam String expr) throws Exception { // $ Source
Object tree = Ognl.parseExpression(expr);
Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert
Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert
Node node = (Node) tree;
node.getValue(null, new Object()); // $ Alert
node.setValue(null, new Object(), new Object()); // $ Alert
}
@RequestMapping
public void testOgnlCompileExpression(@RequestParam String expr) throws Exception { // $ Source
Node tree = Ognl.compileExpression(null, new Object(), expr);
Ognl.getValue(tree, new HashMap<>(), new Object()); // $ Alert
Ognl.setValue(tree, new HashMap<>(), new Object()); // $ Alert
tree.getValue(null, new Object()); // $ Alert
tree.setValue(null, new Object(), new Object()); // $ Alert
}
@RequestMapping
public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception { // $ Source
Ognl.getValue(expr, new Object()); // $ Alert
Ognl.setValue(expr, new Object(), new Object()); // $ Alert
}
@RequestMapping
public void testStruts(@RequestParam String expr) throws Exception { // $ Source
OgnlUtil ognl = new OgnlUtil();
ognl.getValue(expr, new HashMap<>(), new Object()); // $ Alert
ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // $ Alert
new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // $ Alert
}
@RequestMapping
public void testExpressionAccessor(@RequestParam String expr) throws Exception { // $ Source
Node tree = Ognl.compileExpression(null, new Object(), expr);
ExpressionAccessor accessor = tree.getAccessor();
accessor.get(null, new Object()); // $ Alert
accessor.set(null, new Object(), new Object()); // $ Alert
Ognl.getValue(accessor, null, new Object()); // $ Alert
Ognl.setValue(accessor, null, new Object()); // $ Alert
}
@RequestMapping
public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception { // $ Source
Node tree = Ognl.compileExpression(null, new Object(), "\"some safe expression\".toString()");
ExpressionAccessor accessor = tree.getAccessor();
Node taintedTree = Ognl.compileExpression(null, new Object(), expr);
accessor.setExpression(taintedTree);
accessor.get(null, new Object()); // $ Alert
accessor.set(null, new Object(), new Object()); // $ Alert
Ognl.getValue(accessor, null, new Object()); // $ Alert
Ognl.setValue(accessor, null, new Object()); // $ Alert
}
}
Reference in New Issue View Git Blame Copy Permalink