Merge pull request #5102 from luchua-bc/java/main-method-in-servlet

Java: CWE-489 Query to detect main() method in servlets

Author: tamasvajk

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.java

@@ -0,0 +1,32 @@
+public class EJBMain implements SessionBean {
+    /**
+     * Create the session bean (empty implementation)
+     */
+    public void ejbCreate() throws javax.ejb.CreateException {
+        System.out.println("EJBMain:ejbCreate()");
+    }
+
+    public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public String doService() {
+        return null;
+    }
+
+    // BAD - Implement a main method in session bean.
+    public static void main(String[] args) throws Exception {
+        EJBMain b = new EJBMain();
+        b.doService();
+    }
+
+    // GOOD - Not to have a main method in session bean.
+}

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.qhelp

@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Debug code can create unintended entry points in a deployed Java EE web application therefore should never make into production. There is no reason to have a main method in a Java EE web application. Having a main method in the Java EE application increases the attack surface that an attacker can exploit to attack the application logic.</p>
+  </overview>
+
+  <recommendation>
+    <p>Remove the main method from enterprise beans.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of implementing enterprise beans. In the 'BAD' case, a main method is implemented. In the 'GOOD' case, no main method is implemented.</p>
+    <sample src="EJBMain.java" />
+  </example>
+
+  <references>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2653">Web applications should not have a "main" method</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/java/ENV06-J.+Production+code+must+not+contain+debugging+entry+points">ENV06-J. Production code must not contain debugging entry points</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Main Method in Enterprise Java Bean
+ * @description Java EE applications with a main method.
+ * @kind problem
+ * @id java/main-method-in-enterprise-bean
+ * @tags security
+ *       external/cwe-489
+ */
+
+import java
+import semmle.code.java.J2EE
+import MainLib
+
+/** The `main` method in an Enterprise Java Bean. */
+class EnterpriseBeanMainMethod extends Method {
+  EnterpriseBeanMainMethod() {
+    this.getDeclaringType() instanceof EnterpriseBean and
+    isMainMethod(this) and
+    not isTestMethod(this)
+  }
+}
+
+from EnterpriseBeanMainMethod sm
+select sm, "Java EE application has a main method."

java/ql/src/experimental/Security/CWE/CWE-489/MainLib.qll

@@ -0,0 +1,27 @@
+/** Definitions related to the main method in a test program. */
+
+import java
+
+/** Holds if `m` is the main method of a Java class with the signature `public static void main(String[] args)`. */
+predicate isMainMethod(Method m) {
+  m.hasName("main") and
+  m.isStatic() and
+  m.getReturnType() instanceof VoidType and
+  m.isPublic() and
+  m.getNumberOfParameters() = 1 and
+  m.getParameter(0).getType() instanceof Array
+}
+
+/**
+ * Holds if `m` is a test method indicated by:
+ *    a) in a test directory such as `src/test/java`
+ *    b) in a test package whose name has the word `test`
+ *    c) in a test class whose name has the word `test`
+ *    d) in a test class implementing a test framework such as JUnit or TestNG
+ */
+predicate isTestMethod(Method m) {
+  m.getDeclaringType().getName().toLowerCase().matches("%test%") or // Simple check to exclude test classes to reduce FPs
+  m.getDeclaringType().getPackage().getName().toLowerCase().matches("%test%") or // Simple check to exclude classes in test packages to reduce FPs
+  exists(m.getLocation().getFile().getAbsolutePath().indexOf("/src/test/java")) or //  Match test directory structure of build tools like maven
+  m instanceof TestMethod // Test method of a test case implementing a test framework such as JUnit or TestNG
+}

java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.java

@@ -0,0 +1,10 @@
+public class WebComponentMain implements Servlet {
+	// BAD - Implement a main method in servlet.
+	public static void main(String[] args) throws Exception {
+		// Connect to my server
+		URL url = new URL("https://www.example.com");
+		url.openConnection();
+	}
+
+	// GOOD - Not to have a main method in servlet.
+}

java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Debug code can create unintended entry points in a deployed Java EE web application therefore should never make into production. There is no reason to have a main method in a Java EE web application. Having a main method in the Java EE application increases the attack surface that an attacker can exploit to attack the application logic.</p>
+  </overview>
+
+  <recommendation>
+    <p>Remove the main method from web components including servlets, filters, and listeners.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of implementing web components. In the 'BAD' case, a main method is implemented. In the 'GOOD' case, no main method is implemented.</p>
+    <sample src="WebComponentMain.java" />
+  </example>
+
+  <references>
+    <li>
+      Fortify:
+      <a href="https://vulncat.fortify.com/en/detail?id=desc.structural.java.j2ee_badpractices_leftover_debug_code">J2EE Bad Practices: Leftover Debug Code</a>
+    </li>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2653">Web applications should not have a "main" method</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/java/ENV06-J.+Production+code+must+not+contain+debugging+entry+points">ENV06-J. Production code must not contain debugging entry points</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql

@@ -0,0 +1,57 @@
+/**
+ * @name Main Method in Java EE Web Components
+ * @description Java EE web applications with a main method.
+ * @kind problem
+ * @id java/main-method-in-web-components
+ * @tags security
+ *       external/cwe-489
+ */
+
+import java
+import semmle.code.java.frameworks.Servlets
+import MainLib
+
+/** The java type `javax.servlet.Filter`. */
+class ServletFilterClass extends Class {
+  ServletFilterClass() { this.getASupertype*().hasQualifiedName("javax.servlet", "Filter") }
+}
+
+/** Listener class in the package `javax.servlet` and `javax.servlet.http` */
+class ServletListenerClass extends Class {
+  // Various listener classes of Java EE such as ServletContextListener. They all have a name ending with the word "Listener".
+  ServletListenerClass() {
+    this.getASupertype*()
+        .getQualifiedName()
+        .regexpMatch([
+            "javax\\.servlet\\.[a-zA-Z]+Listener", "javax\\.servlet\\.http\\.[a-zA-Z]+Listener"
+          ])
+  }
+}
+
+/** The `main` method in `Servlet` and `Action` of the Spring and Struts framework. */
+class WebComponentMainMethod extends Method {
+  WebComponentMainMethod() {
+    (
+      this.getDeclaringType() instanceof ServletClass or
+      this.getDeclaringType() instanceof ServletFilterClass or
+      this.getDeclaringType() instanceof ServletListenerClass or
+      this.getDeclaringType()
+          .getASupertype*()
+          .hasQualifiedName("org.apache.struts.action", "Action") or // Struts actions
+      this.getDeclaringType()
+          .getASupertype+()
+          .hasQualifiedName("com.opensymphony.xwork2", "ActionSupport") or // Struts 2 actions
+      this.getDeclaringType()
+          .getASupertype+()
+          .hasQualifiedName("org.springframework.web.struts", "ActionSupport") or // Spring/Struts 2 actions
+      this.getDeclaringType()
+          .getASupertype+()
+          .hasQualifiedName("org.springframework.webflow.execution", "Action") // Spring actions
+    ) and
+    isMainMethod(this) and
+    not isTestMethod(this)
+  }
+}
+
+from WebComponentMainMethod sm
+select sm, "Web application has a main method."

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.expected

@@ -0,0 +1 @@
+| ServiceBean.java:55:24:55:27 | main | Java EE application has a main method. |

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java

@@ -0,0 +1,59 @@
+import javax.ejb.SessionBean;
+import javax.ejb.EJBException;
+import java.rmi.RemoteException;
+import javax.ejb.SessionContext;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+public class ServiceBean implements SessionBean {
+
+    protected SessionContext ctx;
+
+    private String _serviceName;
+
+    /**
+     * Create the session bean (empty implementation)
+     */
+    public void ejbCreate() throws javax.ejb.CreateException {
+        System.out.println("ServiceBean:ejbCreate()");
+    }
+
+    public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    /**
+     * Get service name
+     * @return service name
+     */
+    public String getServiceName() {
+        return _serviceName;
+    }
+
+    /**
+     * Set service name
+     * @param serviceName the service name
+     */
+    public void setServiceName(String serviceName) {
+        _serviceName = serviceName;
+    }
+
+    /** Do service (no implementation) */
+    public String doService() {
+        return null;
+    }
+
+    /** Local unit testing code */
+    public static void main(String[] args) throws Exception {
+        ServiceBean b = new ServiceBean();
+        b.doService();
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/EJBMain.ql