Callable.call() should not be a sink in JexlInjection.ql

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll

@@ -36,6 +36,11 @@ private class TaintedSpringRequestBody extends DataFlow::Node {
 /**
  * A sink for Expresssion Language injection vulnerabilities via Jexl,
  * i.e. method calls that run evaluation of a Jexl expression.
+ *
+ * Creating a `Callable` from a tainted Jexl expression or script is considered as a sink
+ * although the tainted expression is not executed at this point.
+ * Here we assume that it will get executed at some point,
+ * maybe stored in an object field and then reached by a different flow.
  */
 private class JexlEvaluationSink extends DataFlow::ExprNode {
   JexlEvaluationSink() {
@@ -44,13 +49,11 @@ private class JexlEvaluationSink extends DataFlow::ExprNode {
     |
       m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
       or
-      m instanceof CallableCallMethod and ma.getQualifier() = taintFrom
+      m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom
       or
       m instanceof JexlEngineGetSetPropertyMethod and
-      exists(Expr arg, int index | arg = ma.getArgument(index) and index = [1, 2] |
-        arg.getType() instanceof TypeString and
-        arg = taintFrom
-      )
+      taintFrom.getType() instanceof TypeString and
+      ma.getAnArgument() = taintFrom
     )
   }
 }
@@ -67,23 +70,20 @@ private class TaintPropagatingJexlMethodCall extends MethodAccess {
       this.getMethod() = m and
       taintType = taintFromExpr.getType()
     |
-      m instanceof CreateJexlScriptMethod and
-      taintFromExpr = this.getArgument(0) and
-      taintType instanceof TypeString and
-      isUnsafeEngine(this.getQualifier())
-      or
-      m instanceof CreateJexlCallableMethod and
-      taintFromExpr = this.getQualifier()
-      or
-      m instanceof CreateJexlExpressionMethod and
-      taintFromExpr = this.getAnArgument() and
-      taintType instanceof TypeString and
-      isUnsafeEngine(this.getQualifier())
-      or
-      m instanceof CreateJexlTemplateMethod and
-      (taintType instanceof TypeString or taintType instanceof Reader) and
-      taintFromExpr = this.getArgument([0, 1]) and
-      isUnsafeEngine(this.getQualifier())
+      isUnsafeEngine(this.getQualifier()) and
+      (
+        m instanceof CreateJexlScriptMethod and
+        taintFromExpr = this.getArgument(0) and
+        taintType instanceof TypeString
+        or
+        m instanceof CreateJexlExpressionMethod and
+        taintFromExpr = this.getAnArgument() and
+        taintType instanceof TypeString
+        or
+        m instanceof CreateJexlTemplateMethod and
+        (taintType instanceof TypeString or taintType instanceof Reader) and
+        taintFromExpr = this.getArgument([0, 1])
+      )
     )
   }
 
@@ -97,7 +97,7 @@ private class TaintPropagatingJexlMethodCall extends MethodAccess {
 }
 
 /**
- * Holds if `expr` is one of the Jexl engines that is not configured with a sandbox.
+ * Holds if `expr` is a Jexl engine that is not configured with a sandbox.
  */
 private predicate isUnsafeEngine(Expr expr) {
   not exists(SandboxedJexlFlowConfig config | config.hasFlowTo(DataFlow::exprNode(expr)))
@@ -182,13 +182,6 @@ private class DirectJexlEvaluationMethod extends Method {
   }
 }
 
-/**
- * A method in the `Callable` class that executes the `Callable`.
- */
-private class CallableCallMethod extends Method {
-  CallableCallMethod() { getDeclaringType() instanceof CallableInterface and hasName("call") }
-}
-
 /**
  * Defines methods that create a Jexl script.
  */
@@ -272,14 +265,6 @@ private class UnifiedJexlTemplate extends NestedType {
   UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
 }
 
-private class CallableInterface extends RefType {
-  CallableInterface() {
-    getSourceDeclaration()
-        .getASourceSupertype*()
-        .hasQualifiedName("java.util.concurrent", "Callable")
-  }
-}
-
 private class Reader extends RefType {
   Reader() { hasQualifiedName("java.io", "Reader") }
 }

java/ql/test/experimental/query-tests/security/CWE-094/JexlInjection.expected

@@ -2,7 +2,7 @@ edges
 | Jexl2Injection.java:10:43:10:57 | jexlExpr : String | Jexl2Injection.java:14:9:14:9 | e |
 | Jexl2Injection.java:17:55:17:69 | jexlExpr : String | Jexl2Injection.java:22:9:22:9 | e |
 | Jexl2Injection.java:25:39:25:53 | jexlExpr : String | Jexl2Injection.java:29:9:29:14 | script |
-| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:31 | callable(...) |
+| Jexl2Injection.java:32:50:32:64 | jexlExpr : String | Jexl2Injection.java:38:13:38:18 | script |
 | Jexl2Injection.java:44:57:44:71 | jexlExpr : String | Jexl2Injection.java:46:40:46:47 | jexlExpr |
 | Jexl2Injection.java:49:57:49:71 | jexlExpr : String | Jexl2Injection.java:51:40:51:47 | jexlExpr |
 | Jexl2Injection.java:54:73:54:87 | jexlExpr : String | Jexl2Injection.java:57:9:57:35 | parse(...) |
@@ -39,13 +39,13 @@ edges
 | Jexl3Injection.java:15:43:15:57 | jexlExpr : String | Jexl3Injection.java:19:9:19:9 | e |
 | Jexl3Injection.java:22:55:22:69 | jexlExpr : String | Jexl3Injection.java:26:9:26:9 | e |
 | Jexl3Injection.java:29:39:29:53 | jexlExpr : String | Jexl3Injection.java:33:9:33:14 | script |
-| Jexl3Injection.java:36:50:36:64 | jexlExpr : String | Jexl3Injection.java:42:13:42:31 | callable(...) |
+| Jexl3Injection.java:36:50:36:64 | jexlExpr : String | Jexl3Injection.java:42:13:42:18 | script |
 | Jexl3Injection.java:48:57:48:71 | jexlExpr : String | Jexl3Injection.java:50:40:50:47 | jexlExpr |
 | Jexl3Injection.java:53:57:53:71 | jexlExpr : String | Jexl3Injection.java:55:40:55:47 | jexlExpr |
 | Jexl3Injection.java:58:74:58:88 | jexlExpr : String | Jexl3Injection.java:61:9:61:39 | createExpression(...) |
 | Jexl3Injection.java:64:73:64:87 | jexlExpr : String | Jexl3Injection.java:67:9:67:39 | createExpression(...) |
 | Jexl3Injection.java:70:72:70:86 | jexlExpr : String | Jexl3Injection.java:73:9:73:37 | createTemplate(...) |
-| Jexl3Injection.java:76:54:76:68 | jexlExpr : String | Jexl3Injection.java:82:13:82:26 | callable(...) |
+| Jexl3Injection.java:76:54:76:68 | jexlExpr : String | Jexl3Injection.java:82:13:82:13 | e |
 | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:94:31:94:38 | jexlExpr : String |
 | Jexl3Injection.java:94:31:94:38 | jexlExpr : String | Jexl3Injection.java:102:24:102:56 | jexlExpr : String |
 | Jexl3Injection.java:94:31:94:38 | jexlExpr : String | Jexl3Injection.java:106:24:106:68 | jexlExpr : String |
@@ -91,7 +91,7 @@ nodes
 | Jexl2Injection.java:25:39:25:53 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl2Injection.java:29:9:29:14 | script | semmle.label | script |
 | Jexl2Injection.java:32:50:32:64 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl2Injection.java:38:13:38:31 | callable(...) | semmle.label | callable(...) |
+| Jexl2Injection.java:38:13:38:18 | script | semmle.label | script |
 | Jexl2Injection.java:44:57:44:71 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl2Injection.java:46:40:46:47 | jexlExpr | semmle.label | jexlExpr |
 | Jexl2Injection.java:49:57:49:71 | jexlExpr : String | semmle.label | jexlExpr : String |
@@ -129,7 +129,7 @@ nodes
 | Jexl3Injection.java:29:39:29:53 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:33:9:33:14 | script | semmle.label | script |
 | Jexl3Injection.java:36:50:36:64 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:42:13:42:31 | callable(...) | semmle.label | callable(...) |
+| Jexl3Injection.java:42:13:42:18 | script | semmle.label | script |
 | Jexl3Injection.java:48:57:48:71 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:50:40:50:47 | jexlExpr | semmle.label | jexlExpr |
 | Jexl3Injection.java:53:57:53:71 | jexlExpr : String | semmle.label | jexlExpr : String |
@@ -141,7 +141,7 @@ nodes
 | Jexl3Injection.java:70:72:70:86 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:73:9:73:37 | createTemplate(...) | semmle.label | createTemplate(...) |
 | Jexl3Injection.java:76:54:76:68 | jexlExpr : String | semmle.label | jexlExpr : String |
-| Jexl3Injection.java:82:13:82:26 | callable(...) | semmle.label | callable(...) |
+| Jexl3Injection.java:82:13:82:13 | e | semmle.label | e |
 | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | Jexl3Injection.java:94:31:94:38 | jexlExpr : String | semmle.label | jexlExpr : String |
 | Jexl3Injection.java:102:24:102:56 | jexlExpr : String | semmle.label | jexlExpr : String |
@@ -174,7 +174,7 @@ nodes
 | Jexl2Injection.java:14:9:14:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:14:9:14:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
 | Jexl2Injection.java:22:9:22:9 | e | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:22:9:22:9 | e | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
 | Jexl2Injection.java:29:9:29:14 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:29:9:29:14 | script | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
-| Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:31 | callable(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
+| Jexl2Injection.java:38:13:38:18 | script | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:38:13:38:18 | script | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
 | Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:46:40:46:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
 | Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:51:40:51:47 | jexlExpr | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
 | Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl2Injection.java:76:25:76:47 | getInputStream(...) : InputStream | Jexl2Injection.java:57:9:57:35 | parse(...) | Jexl injection from $@. | Jexl2Injection.java:76:25:76:47 | getInputStream(...) | this user input |
@@ -186,10 +186,10 @@ nodes
 | Jexl3Injection.java:19:9:19:9 | e | Jexl3Injection.java:161:13:161:52 | customRequest : CustomRequest | Jexl3Injection.java:19:9:19:9 | e | Jexl injection from $@. | Jexl3Injection.java:161:13:161:52 | customRequest | this user input |
 | Jexl3Injection.java:26:9:26:9 | e | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:26:9:26:9 | e | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:33:9:33:14 | script | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:33:9:33:14 | script | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:42:13:42:31 | callable(...) | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:42:13:42:31 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:42:13:42:18 | script | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:42:13:42:18 | script | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:50:40:50:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:55:40:55:47 | jexlExpr | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:55:40:55:47 | jexlExpr | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:61:9:61:39 | createExpression(...) | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:61:9:61:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:67:9:67:39 | createExpression(...) | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:67:9:67:39 | createExpression(...) | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
 | Jexl3Injection.java:73:9:73:37 | createTemplate(...) | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:73:9:73:37 | createTemplate(...) | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
-| Jexl3Injection.java:82:13:82:26 | callable(...) | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:82:13:82:26 | callable(...) | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |
+| Jexl3Injection.java:82:13:82:13 | e | Jexl3Injection.java:92:25:92:47 | getInputStream(...) : InputStream | Jexl3Injection.java:82:13:82:13 | e | Jexl injection from $@. | Jexl3Injection.java:92:25:92:47 | getInputStream(...) | this user input |