Uncaught Servlet Exception

luchua-bc · luchua-bc · commit ede9cec4a991 · 2020-06-29T20:07:53.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java
@@ -0,0 +1,38 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+class UncaughtServletException extends HttpServlet {
+    // BAD: Uncaught exceptions
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+            String ip = request.getParameter("srcIP");
+            InetAddress addr = InetAddress.getByName(ip); //BAD: getByName(String) throws UnknownHostException.
+
+            String username = request.getRemoteUser();
+            Integer.parseInt(username); //BAD: Integer.parse(String) throws RuntimeException.
+        }
+    }
+
+    // GOOD
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+            try {
+                String ip = request.getParameter("srcIP");
+                InetAddress addr = InetAddress.getByName(ip);
+            } catch (UnknownHostException uhex) {  //GOOD: Catch the subclass exception UnknownHostException of IOException.
+                uhex.printStackTrace();
+            }
+        }
+    }
+
+    // GOOD
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		    String ip = "10.100.10.81";
+            InetAddress addr = InetAddress.getByName(ip); // OK: Hard-coded variable value or system property is not controlled by attacker.
+        }
+	}
+
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+Even though the signatures for methods in a servlet include throws IOException, ServletException, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. And that information could be very valuable to an attacker.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Handle method calls that throw IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the first and second examples, subclasses of IOException and RuntimeException are not caught, which disclose stack traces. 
+</p>
+
+<p>
+In the third example, the code catches the exception. In the fourth example, the code is not of concern since the variable cannot be controlled by attackers thus no unexpected exceptions can be thrown.
+</p>
+<sample src="UncaughtServletException.java" />
+</example>
+
+<references>
+<li>CWE: <a href="https://cwe.mitre.org/data/definitions/600.html">CWE-600: Uncaught Exception in Servlet</a>.</li>
+<li>Sonarsource: <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-1989">Exceptions should not be thrown from servlet methods</a>.</li>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html">Error Handling Cheat Sheet</a>.</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -0,0 +1,79 @@
+/**
+ * @name Uncaught Servlet Exception
+ * @description Uncaught exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks or the exposure of sensitive information disclosed in stack traces.
+ * @kind path-problem
+ * @id java/uncaught-servlet-exception
+ * @tags security
+ *       external/cwe-600
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.Servlets
+import DataFlow::PathGraph
+
+/** The type `java.io.IOException`. */
+class IOException extends RefType {
+  IOException() { this.hasQualifiedName("java.io", "IOException") }
+}
+
+/** Check whether a given exception type is caught. */
+private predicate catchesEx(TryStmt t, RefType exType) {
+  exists(CatchClause cc, LocalVariableDeclExpr v |
+    t.getACatchClause() = cc and
+    cc.getVariable() = v and
+    v
+        .getType()
+        .(RefType)
+        .getASubtype*()
+        .hasQualifiedName(exType.getPackage().getName(), exType.getName()) //Detect the case that a subclass exception is thrown but its parent class is declared in the catch clause.
+  )
+}
+
+/** Servlet methods of `javax.servlet.http.HttpServlet`. */
+private predicate isServletMethod(Callable c) {
+  c.getDeclaringType() instanceof ServletClass and
+  c.getNumberOfParameters() = 2 and
+  c.getParameter(1).getType() instanceof HttpServletResponse and
+  (
+    c.getName() = "doGet" or
+    c.getName() = "doPost" or
+    c.getName() = "doPut" or
+    c.getName() = "doDelete"
+  )
+}
+
+/** Sink of uncaught IO exceptions or runtime exceptions since other exception types must be explicitly caught. */
+class UncaughtServletExceptionSink extends DataFlow::ExprNode {
+  UncaughtServletExceptionSink() {
+    exists(Method m, MethodAccess ma | ma.getMethod() = m |
+    isServletMethod(ma.getEnclosingCallable()) and
+    (
+        m.getAThrownExceptionType().getASupertype*() instanceof IOException or
+        m
+            .getAThrownExceptionType()
+            .getASupertype*()
+            .hasQualifiedName("java.lang", "RuntimeException")
+      ) and
+      ma.getAnArgument() = this.getExpr() and
+      not exists(TryStmt t |
+        t.getBlock() = ma.getEnclosingStmt().getEnclosingStmt*() and
+        catchesEx(t, m.getAThrownExceptionType())
+      )
+    )
+  }
+}
+
+class UncaughtServletExceptionConfiguration extends TaintTracking::Configuration {
+  UncaughtServletExceptionConfiguration() { this = "UncaughtServletException" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, UncaughtServletExceptionConfiguration c
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and can throw uncaught exception.",
+  source.getNode(), "User-provided value"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
@@ -0,0 +1,11 @@
+edges
+| UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | UncaughtServletException.java:13:44:13:45 | ip |
+| UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | UncaughtServletException.java:16:20:16:25 | userId |
+nodes
+| UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException.java:13:44:13:45 | ip | semmle.label | ip |
+| UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
+| UncaughtServletException.java:16:20:16:25 | userId | semmle.label | userId |
+#select
+| UncaughtServletException.java:13:44:13:45 | ip | UncaughtServletException.java:12:15:12:43 | getParameter(...) : String | UncaughtServletException.java:13:44:13:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:12:15:12:43 | getParameter(...) | User-provided value |
+| UncaughtServletException.java:16:20:16:25 | userId | UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) : String | UncaughtServletException.java:16:20:16:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:15:19:15:41 | getRemoteUser(...) | User-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java
@@ -0,0 +1,32 @@
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+class UncaughtServletException extends HttpServlet {
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String ip = request.getParameter("srcIP");
+		InetAddress addr = InetAddress.getByName(ip); // BAD: getByName(String) throws UnknownHostException
+
+		String userId = request.getRemoteUser();
+		Integer.parseInt(userId); //BAD: Integer.parse(String) throws RuntimeException
+	}
+
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			uhex.printStackTrace();
+		}}
+
+	public void doPut(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String ip = "10.100.10.81";
+		InetAddress addr = InetAddress.getByName(ip); // GOOD: hard-coded variable value or system property not controlled by attacker
+	}
+
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-600/UncaughtServletException.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/options b/java/ql/test/experimental/query-tests/security/CWE-600/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServlet.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServlet.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-600/UncaughtServletException.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4`