Create a separate file for EJB check

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.java

@@ -0,0 +1,32 @@
+public class EJBMain implements SessionBean {
+    /**
+     * Create the session bean (empty implementation)
+     */
+    public void ejbCreate() throws javax.ejb.CreateException {
+        System.out.println("ServiceBean:ejbCreate()");
+    }
+
+    public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public String doService() {
+        return null;
+    }
+
+    // BAD - Implement a main method in session bean.
+    public static void main(String[] args) throws Exception {
+        ServiceBean b = new ServiceBean();
+        b.doService();
+    }
+
+    // GOOD - Not to have a main method in session bean.
+}

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.qhelp

@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Debug code can create unintended entry points in a deployed Java EE web application therefore should never make into production. There is no reason to have a main method in a Java EE web application. Having a main method in the Java EE application increases the attack surface that an attacker can exploit to attack the application logic.</p>
+  </overview>
+
+  <recommendation>
+    <p>Remove the main method from enterprise beans.</p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of implementing enterprise beans. In the 'BAD' case, a main method is implemented. In the 'GOOD' case, no main method is implemented.</p>
+    <sample src="EJBMain.java" />
+  </example>
+
+  <references>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2653">Web applications should not have a "main" method</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/java/ENV06-J.+Production+code+must+not+contain+debugging+entry+points">ENV06-J. Production code must not contain debugging entry points</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/ServletMain.java renamed to java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.java

@@ -1,4 +1,4 @@
-public class ServletMain implements Servlet {
+public class WebComponentMain implements Servlet {
 	// BAD - Implement a main method in servlet.
 	public static void main(String[] args) throws Exception {
 		// Connect to my server

java/ql/src/experimental/Security/CWE/CWE-489/ServletMain.qhelp renamed to java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.qhelp

@@ -6,12 +6,12 @@
   </overview>
 
   <recommendation>
-    <p>Remove the main method from web components including servlets, filters, and listeners, as well as enterprise beans.</p>
+    <p>Remove the main method from web components including servlets, filters, and listeners.</p>
   </recommendation>
 
   <example>
     <p>The following example shows two ways of implementing web components. In the 'BAD' case, a main method is implemented. In the 'GOOD' case, no main method is implemented.</p>
-    <sample src="ServletMain.java" />
+    <sample src="WebComponentMain.java" />
   </example>
 
   <references>