feat: add jexl expression guidance hook

Author: florianGla

MODULE.bazel

@@ -85,6 +85,7 @@ TEST_MAVEN_ARTIFACTS = [
     "jakarta.validation:jakarta.validation-api:3.0.2",
     "javax.persistence:javax.persistence-api:2.2",
     "junit:junit:4.13.2",
+    "org.apache.commons:commons-jexl:2.1.1",
     "org.assertj:assertj-core:3.27.6",
     "org.jacoco:org.jacoco.core:0.8.14",
     "org.mockito:mockito-core:5.20.0",

maven_install.json

@@ -1,7 +1,7 @@
 {
   "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
-  "__INPUT_ARTIFACTS_HASH": 910747468,
-  "__RESOLVED_ARTIFACTS_HASH": 1315640420,
+  "__INPUT_ARTIFACTS_HASH": -1638807165,
+  "__RESOLVED_ARTIFACTS_HASH": -1440417829,
   "conflict_resolution": {
     "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9",
     "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1",
@@ -166,9 +166,9 @@
     },
     "commons-logging:commons-logging": {
       "shasums": {
-        "jar": "e94af49749384c11f5aa50e8d0f5fe679be771295b52030338d32843c980351e"
+        "jar": "ce6f913cad1f0db3aad70186d65c5bc7ffcc9a99e3fe8e0b137312819f7c362f"
       },
-      "version": "1.0.4"
+      "version": "1.1.1"
     },
     "io.github.classgraph:classgraph": {
       "shasums": {
@@ -266,6 +266,12 @@
       },
       "version": "1.0-alpha2"
     },
+    "org.apache.commons:commons-jexl": {
+      "shasums": {
+        "jar": "03c9a9fae5da78ce52c0bf24467cc37355b7e23196dff4839e2c0ff018a01306"
+      },
+      "version": "2.1.1"
+    },
     "org.apache.commons:commons-lang3": {
       "shasums": {
         "jar": "4ee380259c068d1dbe9e84ab52186f2acd65de067ec09beff731fca1697fdb16"
@@ -733,6 +739,9 @@
     "junit:junit": [
       "org.hamcrest:hamcrest-core"
     ],
+    "org.apache.commons:commons-jexl": [
+      "commons-logging:commons-logging"
+    ],
     "org.apache.commons:commons-text": [
       "org.apache.commons:commons-lang3"
     ],
@@ -1478,6 +1487,14 @@
       "org.apache.commons.imaging.internal",
       "org.apache.commons.imaging.palette"
     ],
+    "org.apache.commons:commons-jexl": [
+      "org.apache.commons.jexl2",
+      "org.apache.commons.jexl2.internal",
+      "org.apache.commons.jexl2.internal.introspection",
+      "org.apache.commons.jexl2.introspection",
+      "org.apache.commons.jexl2.parser",
+      "org.apache.commons.jexl2.scripting"
+    ],
     "org.apache.commons:commons-lang3": [
       "org.apache.commons.lang3",
       "org.apache.commons.lang3.arch",
@@ -2722,6 +2739,7 @@
       "net.jodah:typetools",
       "net.sf.jopt-simple:jopt-simple",
       "org.apache.commons:commons-imaging",
+      "org.apache.commons:commons-jexl",
       "org.apache.commons:commons-lang3",
       "org.apache.commons:commons-math3",
       "org.apache.commons:commons-text",
@@ -2831,6 +2849,11 @@
         "reactor.core.scheduler.ReactorBlockHoundIntegration"
       ]
     },
+    "org.apache.commons:commons-jexl": {
+      "javax.script.ScriptEngineFactory": [
+        "org.apache.commons.jexl2.scripting.JexlScriptEngineFactory"
+      ]
+    },
     "org.apache.logging.log4j:log4j-api": {
       "org.apache.logging.log4j.util.PropertySource": [
         "org.apache.logging.log4j.util.EnvironmentPropertySource",

sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt

@@ -33,7 +33,7 @@ object ExpressionLanguageInjection {
     private const val EXPRESSION_LANGUAGE_ATTACK =
         "\${Byte.class.forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)}"
     private const val SPRING_EXPRESSION_LANGUAGE_ATTACK = "T($HONEYPOT_CLASS_NAME).el()"
-    private const val ELPROCESSOR_LANGUAGE_ATTACK =
+    private const val ELPROCESSOR_JEXL_LANGUAGE_ATTACK =
         "\"\".getClass().forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)"
 
     init {
@@ -43,7 +43,7 @@ object ExpressionLanguageInjection {
         require(SPRING_EXPRESSION_LANGUAGE_ATTACK.length <= 64) {
             "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
         }
-        require(ELPROCESSOR_LANGUAGE_ATTACK.length <= 64) {
+        require(ELPROCESSOR_JEXL_LANGUAGE_ATTACK.length <= 64) {
             "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
         }
     }
@@ -108,7 +108,7 @@ object ExpressionLanguageInjection {
             return
         }
         val message = arguments[0] as String
-        Jazzer.guideTowardsContainment(message, ELPROCESSOR_LANGUAGE_ATTACK, hookId)
+        Jazzer.guideTowardsContainment(message, ELPROCESSOR_JEXL_LANGUAGE_ATTACK, hookId)
     }
 
     // With default configurations the argument to
@@ -171,4 +171,26 @@ object ExpressionLanguageInjection {
         val expr = arguments[0] as? String ?: return
         Jazzer.guideTowardsContainment(expr, SPRING_EXPRESSION_LANGUAGE_ATTACK, hookId)
     }
+
+    /**
+     * Guides JEXL expression parsing towards payloads that execute RCE. Note that `parse` is
+     * triggered by vulnerable public methods.
+     */
+    @MethodHook(
+        type = HookType.BEFORE,
+        targetClassName = "org.apache.commons.jexl2.JexlEngine",
+        targetMethod = "parse",
+        additionalClassesToHook = ["org.apache.commons.jexl2.JexlEngine"],
+    )
+    @JvmStatic
+    fun hookJexlParse(
+        method: MethodHandle?,
+        thisObject: Any?,
+        arguments: Array<Any>,
+        hookId: Int,
+    ) {
+        if (arguments.isEmpty()) return
+        val expr = arguments[0] as? CharSequence ?: return
+        Jazzer.guideTowardsContainment(expr.toString(), ELPROCESSOR_JEXL_LANGUAGE_ATTACK, hookId)
+    }
 }

sanitizers/src/test/java/com/code_intelligence/jazzer/sanitizers/BUILD.bazel

@@ -24,6 +24,7 @@ java_junit5_test(
         "@maven//:javax_el_javax_el_api",
         "@maven//:javax_persistence_javax_persistence_api",
         "@maven//:javax_validation_validation_api",
+        "@maven//:org_apache_commons_commons_jexl",
         "@maven//:org_junit_jupiter_junit_jupiter_api",
         "@maven//:org_junit_jupiter_junit_jupiter_params",
         "@maven//:org_springframework_cloud_spring_cloud_function_context",

sanitizers/src/test/java/com/example/BUILD.bazel

@@ -64,11 +64,13 @@ java_fuzz_target_test(
         "//sanitizers/src/test/java/com/example/el:ExpressionLanguageExample",
         "@maven//:javax_el_javax_el_api",
         "@maven//:javax_validation_validation_api",
+        "@maven//:org_apache_commons_commons_jexl",
         "@maven//:org_junit_jupiter_junit_jupiter_api",
     ],
 ) for method in [
     "fuzzValidator",
     "fuzzEval",
+    "fuzzJexlExpression",
 ]]
 
 java_fuzz_target_test(

sanitizers/src/test/java/com/example/ExpressionLanguageInjection.java

@@ -25,6 +25,11 @@
 import javax.el.ELProcessor;
 import javax.validation.Validation;
 import javax.validation.Validator;
+import org.apache.commons.jexl2.Expression;
+import org.apache.commons.jexl2.JexlContext;
+import org.apache.commons.jexl2.JexlEngine;
+import org.apache.commons.jexl2.JexlException;
+import org.apache.commons.jexl2.MapContext;
 import org.junit.jupiter.api.BeforeEach;
 
 public class ExpressionLanguageInjection {
@@ -53,4 +58,16 @@ void fuzzEval(@NotNull String data) {
         | ArithmeticException ignored) {
     }
   }
+
+  @FuzzTest
+  void fuzzJexlExpression(@NotNull String data) {
+    JexlEngine jexl = new JexlEngine();
+    JexlContext context = new MapContext();
+
+    try {
+      Expression expr = jexl.createExpression(data);
+      expr.evaluate(context);
+    } catch (JexlException | StringIndexOutOfBoundsException ignored) {
+    }
+  }
 }