Add more methods and update the library name

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.java

@@ -0,0 +1,47 @@
+public class JythonInjection extends HttpServlet {
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+        try {
+            interpreter = new PythonInterpreter();
+            interpreter.setOut(out);
+            interpreter.setErr(out);
+
+            // BAD: allow arbitrary Jython expression to execute
+            interpreter.exec(code);
+            out.flush();
+
+            response.getWriter().print(out.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+            out.close();
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        PythonInterpreter interpreter = null;
+
+        try {
+            interpreter = new PythonInterpreter();
+            // BAD: allow arbitrary Jython expression to evaluate
+            PyObject py = interpreter.eval(code);
+
+            response.getWriter().print(py.toString());
+        } catch(PyException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            if (interpreter != null) {
+                interpreter.close();
+            }
+        }
+    }
+}

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Python has been the most widely used programming language in recent years, and Jython
+  (formerly known as JPython) is a popular Java implementation of Python. It allows 
+  embedded Python scripting inside Java applications and provides an interactive interpreter
+  that can be used to interact with Java packages or with running Java applications. If an 
+  expression is built using attacker-controlled data and then evaluated, it may allow the 
+  attacker to run arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>In general, including user input in Jython expression should be avoided. If user input 
+  must be included in an expression, it should be then evaluated in a safe context that 
+  doesn't allow arbitrary code invocation.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute arbitrary code in Jython Interpreter</p>
+<sample src="JythonInjection.java" />
+</example>
+
+<references>
+<li>
+  Jython Organization: <a href="https://jython.readthedocs.io/en/latest/JythonAndJavaIntegration/">Jython and Java Integration</a>
+</li>
+<li>
+  PortSwigger: <a href="https://portswigger.net/kb/issues/00100f10_python-code-injection">Python code injection</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/JPythonInjection.ql

@@ -0,0 +1,123 @@
+/**
+ * @name Injection in Jython
+ * @description Evaluation of a user-controlled malicious expression in Java Python
+ *              interpreter may lead to remote code execution.
+ * @kind path-problem
+ * @id java/jython-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+/** The class `org.python.util.PythonInterpreter`. */
+class PythonInterpreter extends RefType {
+  PythonInterpreter() { this.hasQualifiedName("org.python.util", "PythonInterpreter") }
+}
+
+/** A method that evaluates, compiles or executes a Jython expression. */
+class InterpretExprMethod extends Method {
+  InterpretExprMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof PythonInterpreter and
+    (
+      getName().matches("exec%") or
+      hasName("eval") or
+      hasName("compile") or
+      getName().matches("run%")
+    )
+  }
+}
+
+/** The class `org.python.core.BytecodeLoader`. */
+class BytecodeLoader extends RefType {
+  BytecodeLoader() { this.hasQualifiedName("org.python.core", "BytecodeLoader") }
+}
+
+/** Holds if a Jython expression if evaluated, compiled or executed. */
+predicate runCode(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof InterpretExprMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** A method that loads Java class data. */
+class LoadClassMethod extends Method {
+  LoadClassMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof BytecodeLoader and
+    (
+      hasName("makeClass") or
+      hasName("makeCode")
+    )
+  }
+}
+
+/** Holds if a Java class file is loaded. */
+predicate loadClass(MethodAccess ma, Expr sink) {
+  exists(Method m, int i | m = ma.getMethod() |
+    m instanceof LoadClassMethod and
+    m.getParameter(i).getType() instanceof Array and // makeClass(java.lang.String name, byte[] data, ...)
+    sink = ma.getArgument(i)
+  )
+}
+
+/** The class `org.python.core.Py`. */
+class Py extends RefType {
+  Py() { this.hasQualifiedName("org.python.core", "Py") }
+}
+
+/** A method that compiles code with `Py`. */
+class PyCompileMethod extends Method {
+  PyCompileMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof Py and
+    getName().matches("compile%")
+  }
+}
+
+/** Holds if source code is compiled with `PyCompileMethod`. */
+predicate compile(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof PyCompileMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+/** Sink of an expression loaded by Jython. */
+class CodeInjectionSink extends DataFlow::ExprNode {
+  CodeInjectionSink() {
+    runCode(_, this.getExpr()) or
+    loadClass(_, this.getExpr()) or
+    compile(_, this.getExpr())
+  }
+
+  MethodAccess getMethodAccess() {
+    runCode(result, this.getExpr()) or
+    loadClass(result, this.getExpr()) or
+    compile(result, this.getExpr())
+  }
+}
+
+class CodeInjectionConfiguration extends TaintTracking::Configuration {
+  CodeInjectionConfiguration() { this = "CodeInjectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // @RequestBody MyQueryObj query; interpreter.exec(query.getInterpreterCode());
+    exists(MethodAccess ma | ma.getQualifier() = node1.asExpr() and ma = node2.asExpr())
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, CodeInjectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(CodeInjectionSink).getMethodAccess(), source, sink, "Jython evaluate $@.",
+  source.getNode(), "user input"