Commit 99401f6

Java: Query for detecting JEXL injections
1 parent 545451e commit 99401f6

25 files changed

Lines changed: 1211 additions & 1 deletion
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
2+
<qhelp>
3+
4+
<overview>
5+
<p>
6+
Java EXpression Language (JEXL) is a simple expression language
7+
provided by the Apache Commons JEXL library.
8+
The syntax is close to a mix of ECMAScript and shell-script.
9+
The language allows invocation of methods available in the JVM.
10+
If a JEXL expression is built using attacker-controlled data,
11+
and then evaluated, then it may allow the attacker to run arbitrary code.
12+
</p>
13+
</overview>
14+
15+
<recommendation>
16+
<p>
17+
Including user input in a JEXL expression should be avoided.
18+
</p>
19+
</recommendation>
20+
21+
<example>
22+
<p>
23+
The following example uses untrusted data to build and run a JEXL expression.
24+
</p>
25+
<sample src="UnsafeJexlExpressionEvaluation.java" />
26+
</example>
27+
28+
<references>
29+
<li>
30+
Apache Commons JEXL:
31+
<a href="https://commons.apache.org/proper/commons-jexl/">Project page</a>.
32+
</li>
33+
<li>
34+
Apache Commons JEXL documentation:
35+
<a href="https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/">JEXL 2.1.1 API</a>.
36+
</li>
37+
<li>
38+
Apache Commons JEXL documentation:
39+
<a href="https://commons.apache.org/proper/commons-jexl/apidocs/index.html">JEXL 3.1 API</a>.
40+
</li>
41+
<li>
42+
OWASP:
43+
<a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
44+
</li>
45+
</references>
46+
</qhelp>
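Review bot: The `<recommendation>` section stops at "Including user input in a JEXL expression should be avoided." and offers nothing for the case where user-supplied values genuinely have to take part in the evaluation; consider adding a sentence on supplying such values to the engine as context variables (so they are treated as data rather than parsed as JEXL syntax) and on restricting what the evaluated expression may reach, and pairing the unsafe `<sample src="UnsafeJexlExpressionEvaluation.java" />` with a fixed counterpart as other qhelp files do. Smaller point: the two list items both labelled "Apache Commons JEXL documentation:" differ only in the link text; putting the version in the label ("JEXL 2.1.1 API documentation", "JEXL 3.1 API documentation") makes the distinction visible without following the link.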
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
/**
2+
* @name Expression language injection (Jexl)
3+
* @description Evaluation of a user-controlled Jexl expression
4+
* may lead to arbitrary code execution.
5+
* @kind path-problem
6+
* @problem.severity error
7+
* @precision high
8+
* @id java/jexl-expression-injection
9+
* @tags security
10+
* external/cwe/cwe-094
11+
*/
12+
13+
import java
14+
import JexlInjectionLib
15+
import DataFlow::PathGraph
16+
17+
from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
18+
where conf.hasFlowPath(source, sink)
19+
select sink.getNode(), source, sink, "Jexl injection from $@.", source.getNode(), "this user input"
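Review bot: The `@tags` block carries only `external/cwe/cwe-094`; since the query is named "Expression language injection" and the accompanying qhelp cites OWASP's Expression Language Injection page, it should also be tagged `external/cwe/cwe-917` (the CWE entry specific to expression-language injection) so the alert maps to the more precise weakness. Two style points: `@name`, `@description` and the alert message spell the library "Jexl" while the qhelp uses "JEXL" throughout, so one spelling should be chosen for both files; and the `@description` "Evaluation of a user-controlled Jexl expression" can be read as the whole expression being user-supplied, whereas the qhelp overview describes an expression built using attacker-controlled data, which is the broader and more accurate wording.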
