JPython code injection

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java

@@ -0,0 +1,48 @@
+public class JPythonInjection extends HttpServlet {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+          interpreter = new PythonInterpreter();
+          interpreter.setOut(out);
+          interpreter.setErr(out);
+
+          // BAD: allow arbitrary JPython expression to execute
+          interpreter.exec(code);
+          out.flush();
+
+          response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+              interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+      response.setContentType("text/plain");
+      String code = request.getParameter("code");
+      PythonInterpreter interpreter = null;
+
+      try {
+        interpreter = new PythonInterpreter();
+        // BAD: allow arbitrary JPython expression to evaluate
+        PyObject py = interpreter.eval(code);
+
+        response.getWriter().print(py.toString());
+      } catch(PyException ex) {
+          response.getWriter().println(ex.getMessage());
+      } finally {
+          if (interpreter != null) {
+            interpreter.close();
+          }
+      }
+  }
+}
+

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Python has been the most widely used programming language in recent years, and JPython
+  is a popular Java implementation of Python. It allows embedded Python scripting inside 
+  Java applications and provides an interactive interpreter that can be used to interact 
+  with Java packages or with running Java applications. If an expression is built using 
+  attacker-controlled data and then evaluated, it may allow the attacker to run arbitrary 
+  code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in JPython expression should be avoided. If user input 
+  must be included in an expression, it should be then evaluated in a safe context that 
+  doesn't allow arbitrary code invocation.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute random code in JPython Interpreter</p>
+<sample src="JPythonInjection.java" />
+</example>
+
+<references>
+<li>
+  JPython Organization: <a href="https://jython.readthedocs.io/en/latest/JythonAndJavaIntegration/">JPython and Java Integration</a>
+</li>
+<li>
+  PortSwigger: <a href="https://portswigger.net/kb/issues/00100f10_python-code-injection">Python code injection</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql

@@ -0,0 +1,68 @@
+/**
+ * @name Injection in JPython
+ * @description Evaluation of a user-controlled malicious expression in JPython
+ *              may lead to remote code execution.
+ * @kind path-problem
+ * @id java/jpython-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** The class `org.python.util.PythonInterpreter`. */
+class PythonInterpreter extends RefType {
+  PythonInterpreter() { this.hasQualifiedName("org.python.util", "PythonInterpreter") }
+}
+
+/** A method that evaluates, compiles or executes a JPython expression. */
+class InterpretExprMethod extends Method {
+  InterpretExprMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
+    (
+      hasName("exec") or
+      hasName("eval") or
+      hasName("compile")
+    )
+  }
+}
+
+/** Holds if a JPython expression if evaluated, compiled or executed. */
+predicate runCode(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof InterpretExprMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** Sink of an expression interpreted by JPython interpreter. */
+class CodeInjectionSink extends DataFlow::ExprNode {
+  CodeInjectionSink() { runCode(_, this.getExpr()) }
+
+  MethodAccess getMethodAccess() { runCode(result, this.getExpr()) }
+}
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
+    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(CodeInjectionSink).getMethodAccess(), source, sink, "JPython evaluate $@.",
+  source.getNode(), "user input"

java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.expected

@@ -0,0 +1,11 @@
+edges
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code |
+nodes
+| JPythonInjection.java:22:23:22:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:30:28:30:31 | code | semmle.label | code |
+| JPythonInjection.java:47:21:47:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JPythonInjection.java:52:40:52:43 | code | semmle.label | code |
+#select
+| JPythonInjection.java:30:11:30:32 | exec(...) | JPythonInjection.java:22:23:22:50 | getParameter(...) : String | JPythonInjection.java:30:28:30:31 | code | JPython evaluate $@. | JPythonInjection.java:22:23:22:50 | getParameter(...) | user input |
+| JPythonInjection.java:52:23:52:44 | eval(...) | JPythonInjection.java:47:21:47:48 | getParameter(...) : String | JPythonInjection.java:52:40:52:43 | code | JPython evaluate $@. | JPythonInjection.java:47:21:47:48 | getParameter(...) | user input |

java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.java

@@ -0,0 +1,64 @@
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.python.core.PyObject;
+import org.python.core.PyException;
+import org.python.util.PythonInterpreter;
+
+public class JPythonInjection extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public JPythonInjection() {
+        super();
+    }
+
+    // BAD: allow arbitrary JPython expression to execute
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+          interpreter = new PythonInterpreter();
+          interpreter.setOut(out);
+          interpreter.setErr(out);
+          interpreter.exec(code);
+          out.flush();
+
+          response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+              interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    // BAD: allow arbitrary JPython expression to evaluate
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+      response.setContentType("text/plain");
+      String code = request.getParameter("code");
+      PythonInterpreter interpreter = null;
+
+      try {
+        interpreter = new PythonInterpreter();
+        PyObject py = interpreter.eval(code);
+
+        response.getWriter().print(py.toString());
+      } catch(PyException ex) {
+          response.getWriter().println(ex.getMessage());
+      } finally {
+          if (interpreter != null) {
+            interpreter.close();
+          }
+      }
+  }
+}
+

java/ql/test/experimental/query-tests/security/CWE-094/JPythonInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JPythonInjection.ql

java/ql/test/experimental/query-tests/security/CWE-094/options

@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jpython-2.7.2
 

java/ql/test/stubs/jpython-2.7.2/org/python/core/PyCode.java

@@ -0,0 +1,43 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+/**
+ * A super class for all python code implementations.
+ */
+public abstract class PyCode extends PyObject
+{
+    abstract public PyObject call(ThreadState state,
+                                  PyObject args[], String keywords[],
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject self, PyObject args[],
+                                  String keywords[],
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject globals,
+                                  PyObject[] defaults, PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2, PyObject arg3,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+    abstract public PyObject call(ThreadState state,
+                                  PyObject arg1, PyObject arg2, PyObject arg3, PyObject arg4,
+                                  PyObject globals, PyObject[] defaults,
+                                  PyObject closure);
+
+}

java/ql/test/stubs/jpython-2.7.2/org/python/core/PyException.java

@@ -0,0 +1,12 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+import java.io.*;
+
+/**
+ * A wrapper for all python exception. Note that the well-known python exceptions are <b>not</b>
+ * subclasses of PyException. Instead the python exception class is stored in the <code>type</code>
+ * field and value or class instance is stored in the <code>value</code> field.
+ */
+public class PyException extends RuntimeException
+{
+}

java/ql/test/stubs/jpython-2.7.2/org/python/core/PyObject.java

@@ -0,0 +1,11 @@
+// Copyright (c) Corporation for National Research Initiatives
+package org.python.core;
+
+import java.io.Serializable;
+
+/**
+ * All objects known to the Jython runtime system are represented by an instance of the class
+ * {@code PyObject} or one of its subclasses.
+ */
+public class PyObject implements Serializable {
+}