Merge pull request github#5802 from luchua-bc/java/rhino-injection

Java: CWE-094 Rhino code injection

Author: smowton

java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java

@@ -0,0 +1,40 @@
+import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+
+public class RhinoInjection extends HttpServlet {
+
+  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+    response.setContentType("text/plain");
+    String code = request.getParameter("code");
+    Context ctx = Context.enter();
+    try {
+      {
+        // BAD: allow arbitrary Java and JavaScript code to be executed
+        Scriptable scope = ctx.initStandardObjects();
+      }
+
+      {
+        // GOOD: enable the safe mode
+        Scriptable scope = ctx.initSafeStandardObjects();
+      }
+
+      {
+        // GOOD: enforce a constraint on allowed classes
+        Scriptable scope = ctx.initStandardObjects();
+        ctx.setClassShutter(new ClassShutter() {
+            public boolean visibleToScripts(String className) {
+              return className.startsWith("com.example.");
+            }
+        });
+      }
+
+      Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+      response.getWriter().print(Context.toString(result));
+    } catch(RhinoException ex) {
+      response.getWriter().println(ex.getMessage());
+    } finally {
+      Context.exit();
+    }
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp

@@ -0,0 +1,52 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The Java Scripting API has been available since the release of Java 6. It allows
+  applications to interact with scripts written in languages such as JavaScript. It serves
+  as an embedded scripting engine inside Java applications which allows Java-to-JavaScript
+  interoperability and provides a seamless integration between the two languages. If an 
+  expression is built using attacker-controlled data, and then evaluated in a powerful 
+  context, it may allow the attacker to run arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in a Java Script Engine expression should be avoided.
+  If user input must be included in the expression, it should be then evaluated in a safe
+  context that doesn't allow arbitrary code invocation. Use "Cloudbees Rhino Sandbox" or
+  sandboxing with SecurityManager, which will be deprecated in a future release, or use
+  <a href="https://www.graalvm.org/">GraalVM</a> instead.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute user-supplied JavaScript code in <code>ScriptEngine</code></p>
+<sample src="ScriptEngine.java" />
+<sample src="NashornScriptEngine.java" />
+
+<p>The following example shows two ways of using Rhino expression. In the 'BAD' case,
+  an unsafe context is initialized with <code>initStandardObjects</code> that allows arbitrary
+  Java code to be executed. In the 'GOOD' case, a safe context is initialized with 
+  <code>initSafeStandardObjects</code> or <code>setClassShutter</code>.</p>
+  <sample src="RhinoInjection.java" />
+</example>
+
+<references>
+<li>
+CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
+</li>
+<li>
+GraalVM: <a href="https://www.graalvm.org/reference-manual/js/NashornMigrationGuide/#secure-by-default">Secure by Default</a>
+</li>
+<li>
+  Mozilla Rhino: <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
+</li>
+<li>
+  Rhino Sandbox: <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java</a>
+</li>
+<li>
+  GuardRails: <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function#code-injection">Code Injection</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql

@@ -0,0 +1,146 @@
+/**
+ * @name Injection in Java Script Engine
+ * @description Evaluation of user-controlled data using the Java Script Engine may
+ *              lead to remote code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/unsafe-eval
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** A method of ScriptEngine that allows code injection. */
+class ScriptEngineMethod extends Method {
+  ScriptEngineMethod() {
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.hasName("eval")
+    or
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "Compilable") and
+    this.hasName("compile")
+    or
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory") and
+    this.hasName(["getProgram", "getMethodCallSyntax"])
+  }
+}
+
+/** The context class `org.mozilla.javascript.Context` of Rhino Java Script Engine. */
+class RhinoContext extends RefType {
+  RhinoContext() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
+}
+
+/** A method that evaluates a Rhino expression with `org.mozilla.javascript.Context`. */
+class RhinoEvaluateExpressionMethod extends Method {
+  RhinoEvaluateExpressionMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof RhinoContext and
+    this.hasName([
+        "evaluateString", "evaluateReader", "compileFunction", "compileReader", "compileString"
+      ])
+  }
+}
+
+/**
+ * A method that compiles a Rhino expression with
+ * `org.mozilla.javascript.optimizer.ClassCompiler`.
+ */
+class RhinoCompileClassMethod extends Method {
+  RhinoCompileClassMethod() {
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("org.mozilla.javascript.optimizer", "ClassCompiler") and
+    this.hasName("compileToClassFiles")
+  }
+}
+
+/**
+ * A method that defines a Java class from a Rhino expression with
+ * `org.mozilla.javascript.GeneratedClassLoader`.
+ */
+class RhinoDefineClassMethod extends Method {
+  RhinoDefineClassMethod() {
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("org.mozilla.javascript", "GeneratedClassLoader") and
+    this.hasName("defineClass")
+  }
+}
+
+/**
+ * Holds if `ma` is a call to a `ScriptEngineMethod` and `sink` is an argument that
+ * will be executed.
+ */
+predicate isScriptArgument(MethodAccess ma, Expr sink) {
+  exists(ScriptEngineMethod m |
+    m = ma.getMethod() and
+    if m.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngineFactory")
+    then sink = ma.getArgument(_) // all arguments allow script injection
+    else sink = ma.getArgument(0)
+  )
+}
+
+/**
+ * Holds if a Rhino expression evaluation method is vulnerable to code injection.
+ */
+predicate evaluatesRhinoExpression(MethodAccess ma, Expr sink) {
+  exists(RhinoEvaluateExpressionMethod m | m = ma.getMethod() |
+    (
+      if ma.getMethod().getName() = "compileReader"
+      then sink = ma.getArgument(0) // The first argument is the input reader
+      else sink = ma.getArgument(1) // The second argument is the JavaScript or Java input
+    ) and
+    not exists(MethodAccess ca |
+      ca.getMethod().hasName(["initSafeStandardObjects", "setClassShutter"]) and // safe mode or `ClassShutter` constraint is enforced
+      ma.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
+    )
+  )
+}
+
+/**
+ * Holds if a Rhino expression compilation method is vulnerable to code injection.
+ */
+predicate compilesScript(MethodAccess ma, Expr sink) {
+  exists(RhinoCompileClassMethod m | m = ma.getMethod() | sink = ma.getArgument(0))
+}
+
+/**
+ * Holds if a Rhino class loading method is vulnerable to code injection.
+ */
+predicate definesRhinoClass(MethodAccess ma, Expr sink) {
+  exists(RhinoDefineClassMethod m | m = ma.getMethod() | sink = ma.getArgument(1))
+}
+
+/** A script injection sink. */
+class ScriptInjectionSink extends DataFlow::ExprNode {
+  MethodAccess methodAccess;
+
+  ScriptInjectionSink() {
+    isScriptArgument(methodAccess, this.getExpr()) or
+    evaluatesRhinoExpression(methodAccess, this.getExpr()) or
+    compilesScript(methodAccess, this.getExpr()) or
+    definesRhinoClass(methodAccess, this.getExpr())
+  }
+
+  /** An access to the method associated with this sink. */
+  MethodAccess getMethodAccess() { result = methodAccess }
+}
+
+/**
+ * A taint tracking configuration that tracks flow from `RemoteFlowSource` to an argument
+ * of a method call that executes injected script.
+ */
+class ScriptInjectionConfiguration extends TaintTracking::Configuration {
+  ScriptInjectionConfiguration() { this = "ScriptInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptInjectionSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ScriptInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(ScriptInjectionSink).getMethodAccess(), source, sink,
+  "Java Script Engine evaluate $@.", source.getNode(), "user input"