Covered sandboxes for JEXL 2

- Updated SandboxedJexlFlowConfig to cover JEXL 2
- Added SandboxedJexl2 test

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll

@@ -109,14 +109,7 @@ private predicate isUnsafeEngine(Expr expr) {
 private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
   SandboxedJexlFlowConfig() { this = "JexlInjection::SandboxedJexlFlowConfig" }
 
-  override predicate isSource(DataFlow::Node node) {
-    exists(MethodAccess ma, Method m | m = ma.getMethod() |
-      m.getDeclaringType() instanceof JexlBuilder and
-      m.hasName(["uberspect", "sandbox"]) and
-      m.getReturnType() instanceof JexlBuilder and
-      (ma = node.asExpr() or ma.getQualifier() = node.asExpr())
-    )
-  }
+  override predicate isSource(DataFlow::Node node) { node instanceof SandboxedJexlSource }
 
   override predicate isSink(DataFlow::Node node) {
     node.asExpr().getType() instanceof JexlEngine or
@@ -129,6 +122,26 @@ private class SandboxedJexlFlowConfig extends DataFlow2::Configuration {
   }
 }
 
+/**
+ * Defines a data flow source for Jexl engines configured with a sandbox.
+ */
+private class SandboxedJexlSource extends DataFlow::ExprNode {
+  SandboxedJexlSource() {
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
+      m.getDeclaringType() instanceof JexlBuilder and
+      m.hasName(["uberspect", "sandbox"]) and
+      m.getReturnType() instanceof JexlBuilder and
+      (ma = this.asExpr() or ma.getQualifier() = this.asExpr())
+    )
+    or
+    exists(ConstructorCall cc |
+      cc.getConstructedType() instanceof JexlEngine and
+      cc.getArgument(0).getType() instanceof JexlUberspect and
+      cc = this.asExpr()
+    )
+  }
+}
+
 /**
  * Holds if `fromNode` to `toNode` is a dataflow step that creates one of the Jexl engines.
  */
@@ -139,6 +152,12 @@ private predicate createsJexlEngine(DataFlow::Node fromNode, DataFlow::Node toNo
     ma.getQualifier() = fromNode.asExpr() and
     ma = toNode.asExpr()
   )
+  or
+  exists(ConstructorCall cc |
+    cc.getConstructedType() instanceof UnifiedJexl and
+    cc.getArgument(0) = fromNode.asExpr() and
+    cc = toNode.asExpr()
+  )
 }
 
 /**
@@ -249,6 +268,13 @@ private class UnifiedJexl extends JexlRefType {
   UnifiedJexl() { hasName("UnifiedJEXL") }
 }
 
+private class JexlUberspect extends Interface {
+  JexlUberspect() {
+    hasQualifiedName("org.apache.commons.jexl2.introspection", "Uberspect") or
+    hasQualifiedName("org.apache.commons.jexl3.introspection", "JexlUberspect")
+  }
+}
+
 private class JxltEngineExpression extends NestedType {
   JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
 }

java/ql/test/experimental/query-tests/security/CWE-094/SandboxedJexl2.java

@@ -0,0 +1,47 @@
+import org.apache.commons.jexl2.*;
+import org.apache.commons.jexl2.introspection.*;
+
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.util.function.Consumer;
+
+public class SandboxedJexl2 {
+    
+    private static void runJexlExpressionWithSandbox(String jexlExpr) {
+        Sandbox sandbox = new Sandbox();
+        sandbox.white(SandboxedJexl2.class.getCanonicalName());
+        Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
+        JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
+        Expression e = jexl.createExpression(jexlExpr);
+        JexlContext jc = new MapContext();
+        e.evaluate(jc);
+    }
+
+    private static void runJexlExpressionViaSandboxedUnifiedJexl(String jexlExpr) {
+        Sandbox sandbox = new Sandbox();
+        sandbox.white(SandboxedJexl2.class.getCanonicalName());
+        Uberspect uberspect = new SandboxUberspectImpl(null, sandbox);
+        JexlEngine jexl = new JexlEngine(uberspect, null, null, null);
+        UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl);
+        unifiedJEXL.parse(jexlExpr).evaluate(new MapContext());
+    }
+
+    private static void simpleServer(Consumer<String> action) throws Exception {
+        try (ServerSocket serverSocket = new ServerSocket(0)) {
+            try (Socket socket = serverSocket.accept()) {
+                byte[] bytes = new byte[1024];
+                int n = socket.getInputStream().read(bytes);
+                String jexlExpr = new String(bytes, 0, n);
+                action.accept(jexlExpr);
+            }
+        }
+    }
+
+    public static void saferJexlExpressionEvaluate() throws Exception {
+        simpleServer(SandboxedJexl2::runJexlExpressionWithSandbox);
+    }
+
+    public static void saferJexlExpressionEvaluateViaUnifiedJexl() throws Exception {
+        simpleServer(SandboxedJexl2::runJexlExpressionViaSandboxedUnifiedJexl);
+    }
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/JexlEngine.java

@@ -1,7 +1,14 @@
 package org.apache.commons.jexl2;
 
+import java.util.Map;
+import org.apache.commons.jexl2.introspection.*;
+
 public class JexlEngine {
 
+    public JexlEngine() {}
+
+    public JexlEngine(Uberspect uberspect, Object arithmetic, Map<String, Object> functions, Object log) {}
+
     public Expression createExpression(String expression) {
         return null;
     }

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/introspection/Sandbox.java

@@ -0,0 +1,10 @@
+package org.apache.commons.jexl2.introspection;
+
+public class Sandbox {
+    
+    public Permissions white(String clazz) {
+        return null;
+    }
+
+    public static class Permissions {}
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/introspection/SandboxUberspectImpl.java

@@ -0,0 +1,6 @@
+package org.apache.commons.jexl2.introspection;
+
+public class SandboxUberspectImpl implements Uberspect {
+
+    public SandboxUberspectImpl(Object log, Sandbox sandbox) {}
+}

java/ql/test/stubs/apache-commons-jexl-2.1.1/org/apache/commons/jexl2/introspection/Uberspect.java

@@ -0,0 +1,3 @@
+package org.apache.commons.jexl2.introspection;
+
+public interface Uberspect {}