
Commit 61c4f0b

Added setVariable() and defineFunction() sinks
1 parent a764a79 commit 61c4f0b

4 files changed

Lines changed: 54 additions & 13 deletions


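--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -44,6 +44,15 @@ private class ExpressionEvaluationSink extends DataFlow::ExprNode {
 m.getDeclaringType() instanceof ELProcessor and
 m.hasName(["eval", "getValue", "setValue"]) and
 ma.getArgument(0) = taintFrom
+or
+m.getDeclaringType() instanceof ELProcessor and
+m.hasName("setVariable") and
+ma.getArgument(1) = taintFrom
+or
+m.getDeclaringType() instanceof ELProcessor and
+m.hasName("defineFunction") and
+ma.getArgument([2, 3]) = taintFrom and
+taintFrom.getType() instanceof TypeString
 )
 }
 }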
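Review bot: The two new disjuncts repeat `m.getDeclaringType() instanceof ELProcessor and` that the existing `eval`/`getValue`/`setValue` disjunct already states, so the sink condition now carries the same type test three times; if the other disjuncts of this parenthesized group (above the hunk, not visible here) are also ELProcessor-only, the test can be hoisted once in front of the group and each branch reduced to its `hasName`/`getArgument` pair. The `defineFunction` branch also has no comment saying why arguments 2 and 3 are sinks, which a reader of the sink list will want: `// className and method select the Java method bound to the EL function, so either being attacker-controlled is a sink` above `m.hasName("defineFunction")`. The `taintFrom.getType() instanceof TypeString` guard appears only on this branch; a one-line comment stating whether it is needed (both parameters are declared `String` in the stub) or is just a defensive filter would prevent the asymmetry from being read as a bug. The characteristic predicate of ExpressionEvaluationSink starts before the hunk.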

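--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -5,15 +5,20 @@ edges
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:70:24:70:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:79:24:79:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:68:24:68:28 | input : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:78:24:78:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:87:24:87:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:96:24:96:33 | expression : String |
 | JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:63:43:63:52 | expression |
+| JakartaExpressionInjection.java:68:24:68:28 | input : String | JakartaExpressionInjection.java:73:56:73:60 | clazz |
+| JakartaExpressionInjection.java:68:24:68:28 | input : String | JakartaExpressionInjection.java:73:63:73:68 | method |
+| JakartaExpressionInjection.java:78:24:78:33 | expression : String | JakartaExpressionInjection.java:82:13:82:13 | e |
+| JakartaExpressionInjection.java:87:24:87:33 | expression : String | JakartaExpressionInjection.java:91:13:91:13 | e |
+| JakartaExpressionInjection.java:96:24:96:33 | expression : String | JakartaExpressionInjection.java:100:13:100:13 | e |
 nodes
 | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
@@ -26,16 +31,24 @@ nodes
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:68:24:68:28 | input : String | semmle.label | input : String |
+| JakartaExpressionInjection.java:73:56:73:60 | clazz | semmle.label | clazz |
+| JakartaExpressionInjection.java:73:63:73:68 | method | semmle.label | method |
+| JakartaExpressionInjection.java:78:24:78:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:82:13:82:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:87:24:87:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:91:13:91:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:96:24:96:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:100:13:100:13 | e | semmle.label | e |
 #select
 | JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:65:13:65:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:65:13:65:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:74:13:74:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:74:13:74:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:83:13:83:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:83:13:83:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:63:43:63:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:73:56:73:60 | clazz | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:73:56:73:60 | clazz | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:73:63:73:68 | method | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:73:63:73:68 | method | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:82:13:82:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:82:13:82:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:91:13:91:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:91:13:91:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:100:13:100:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:100:13:100:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |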

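--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
@@ -57,6 +57,23 @@ private static void testWithELProcessorSetValue() throws IOException {
 });
 }
 
+private static void testWithELProcessorSetVariable() throws IOException {
+testWithSocket(expression -> {
+ELProcessor processor = new ELProcessor();
+processor.setVariable("test", expression);
+});
+}
+
+private static void testWithELProcessorDefineFunction() throws IOException {
+testWithSocket(input -> {
+ELProcessor processor = new ELProcessor();
+String[] parts = input.split(":");
+String clazz = parts[0];
+String method = parts[1];
+processor.defineFunction("prefix", "func", clazz, method);
+});
+}
+
 private static void testWithJuelValueExpressionGetValue() throws IOException {
 testWithSocket(expression -> {
 ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();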
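Review bot: In testWithELProcessorDefineFunction, `parts[1]` is read without checking that `input.split(":")` produced two elements, so an input with no colon throws ArrayIndexOutOfBoundsException before the defineFunction call is reached; since this file is an analysis fixture rather than executed code that may be acceptable, but the one-line guard `if (parts.length < 2) return;` keeps the sample runnable and, as far as I can tell, does not change the two flows to `clazz` and `method` recorded in the expected output. The new method also has no comment stating what it is meant to demonstrate, which is worth adding because it is the only fixture where two arguments of one call are sinks: `// class and method name of the EL function come from untrusted input` above the defineFunction call. testWithELProcessorSetVariable would similarly benefit from a one-line comment noting that the second argument (the EL expression), not the variable name, is the sink under test.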

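--- a/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
@@ -4,4 +4,6 @@ public class ELProcessor {
 public Object eval(String expression) { return null; }
 public Object getValue(String expression, Class<?> expectedType) { return null; }
 public void setValue(String expression, Object value) {}
+public void setVariable(String var, String expression) {}
+public void defineFunction(String prefix, String function, String className, String method) {}
 }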
