Merge pull request github#5894 from atorralba/atorralba/promote-ognl-injection

Java: Promote OGNL Injection query from experimental

Author: aschackmull

java/change-notes/2021-05-13-ognl-injection-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "OGNL Expression Language statement with user-controlled input" (`java/ognl-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @ggolawski](https://github.com/github/codeql/pull/3294).

java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjection.java renamed to java/ql/src/Security/CWE/CWE-917/OgnlInjection.java

@@ -14,4 +14,9 @@ public void evaluate(HttpServletRequest request, Object root) throws OgnlExcepti
   } else {
     // Reject the request
   }
-} 
+}
+
+public void isValid(Strig expression) {
+  // Custom method to validate the expression.
+  // For instance, make sure it doesn't include unexpected code.
+}

java/ql/src/Security/CWE/CWE-917/OgnlInjection.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Object-Graph Navigation Language (OGNL) is an open-source Expression Language (EL) for Java.
+OGNL can create or change executable code, consequently it can introduce critical
+security flaws to any application that uses it. Evaluation of unvalidated expressions is a common
+flaw in OGNL. This exposes the properties of Java objects to modification by an attacker and
+may allow them to execute arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>The general recommendation is to avoid evaluating untrusted ONGL expressions. If user-provided OGNL
+expressions must be evaluated, do this in a sandbox and validate the expressions before evaluation.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the code accepts an OGNL expression from the user and evaluates it.
+</p>
+
+<p>In the first example, the user-provided OGNL expression is parsed and evaluated.</p>
+
+<p>The second example validates the expression and evaluates it inside a sandbox.
+You can add a sandbox by setting a system property, as shown in the example, or by adding
+<code>-Dognl.security.manager</code> to JVM arguments.</p>
+
+<sample src="OgnlInjection.java" />
+</example>
+
+<references>
+<li>Apache Commons: <a href="https://commons.apache.org/proper/commons-ognl/">Apache Commons OGNL</a>.</li>
+<li>Struts security: <a href="https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable">Proactively protect from OGNL Expression Injections attacks</a>.</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjection.ql renamed to java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql

@@ -11,12 +11,10 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import DataFlow
+import semmle.code.java.security.OgnlInjectionQuery
 import DataFlow::PathGraph
-import OgnlInjectionLib
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "OGNL expression might include input from $@.",
+select sink.getNode(), source, sink, "OGNL expression might include data from $@.",
   source.getNode(), "this user input"

java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjection.qhelp

@@ -101,6 +101,7 @@ private module Frameworks {
   private import semmle.code.java.security.JexlInjectionSinkModels
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.MvelInjection
+  private import semmle.code.java.security.OgnlInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc

java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll

@@ -51,6 +51,10 @@ private class JacksonWriteValueMethod extends Method, TaintPreservingCallable {
   }
 }
 
+/**
+ * A method used for deserializing objects using Jackson. The first parameter is the object to be
+ * deserialized.
+ */
 private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
   JacksonReadValueMethod() {
     (
@@ -281,7 +285,10 @@ private class JacksonModel extends SummaryModelCsv {
       [
         "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;Argument[0];ReturnValue;taint",
         "com.fasterxml.jackson.databind;ObjectMapper;true;valueToTree;;;MapValue of Argument[0];ReturnValue;taint",
-        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint"
+        "com.fasterxml.jackson.databind;ObjectMapper;true;convertValue;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectMapper;false;createParser;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.databind;ObjectReader;false;createParser;;;Argument[0];ReturnValue;taint",
+        "com.fasterxml.jackson.core;JsonFactory;false;createParser;;;Argument[0];ReturnValue;taint"
       ]
   }
 }

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -0,0 +1,124 @@
+/** Provides classes to reason about OGNL injection vulnerabilities. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * A data flow sink for unvalidated user input that is used in OGNL EL evaluation.
+ *
+ * Extend this class to add your own OGNL injection sinks.
+ */
+abstract class OgnlInjectionSink extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to the `OgnlInjectionFlowConfig`.
+ */
+class OgnlInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for OGNL injection taint configurations.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class DefaultOgnlInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.ognl;Ognl;false;getValue;;;Argument[0];ognl-injection",
+        "org.apache.commons.ognl;Ognl;false;setValue;;;Argument[0];ognl-injection",
+        "org.apache.commons.ognl;Node;true;getValue;;;Argument[-1];ognl-injection",
+        "org.apache.commons.ognl;Node;true;setValue;;;Argument[-1];ognl-injection",
+        "org.apache.commons.ognl.enhance;ExpressionAccessor;true;get;;;Argument[-1];ognl-injection",
+        "org.apache.commons.ognl.enhance;ExpressionAccessor;true;set;;;Argument[-1];ognl-injection",
+        "ognl;Ognl;false;getValue;;;Argument[0];ognl-injection",
+        "ognl;Ognl;false;setValue;;;Argument[0];ognl-injection",
+        "ognl;Node;false;getValue;;;Argument[-1];ognl-injection",
+        "ognl;Node;false;setValue;;;Argument[-1];ognl-injection",
+        "ognl.enhance;ExpressionAccessor;true;get;;;Argument[-1];ognl-injection",
+        "ognl.enhance;ExpressionAccessor;true;set;;;Argument[-1];ognl-injection",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;getValue;;;Argument[0];ognl-injection",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;setValue;;;Argument[0];ognl-injection",
+        "com.opensymphony.xwork2.ognl;OgnlUtil;false;callMethod;;;Argument[0];ognl-injection"
+      ]
+  }
+}
+
+private class DefaultOgnlInjectionSink extends OgnlInjectionSink {
+  DefaultOgnlInjectionSink() { sinkNode(this, "ognl-injection") }
+}
+
+/** The class `org.apache.commons.ognl.Ognl` or `ognl.Ognl`. */
+private class TypeOgnl extends Class {
+  TypeOgnl() { this.hasQualifiedName(["org.apache.commons.ognl", "ognl"], "Ognl") }
+}
+
+/** The interface `org.apache.commons.ognl.Node` or `ognl.Node`. */
+private class TypeNode extends Interface {
+  TypeNode() { this.hasQualifiedName(["org.apache.commons.ognl", "ognl"], "Node") }
+}
+
+/** The interface `org.apache.commons.ognl.enhance.ExpressionAccessor` or `ognl.enhance.ExpressionAccessor`. */
+private class TypeExpressionAccessor extends Interface {
+  TypeExpressionAccessor() {
+    this.hasQualifiedName(["org.apache.commons.ognl.enhance", "ognl.enhance"], "ExpressionAccessor")
+  }
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `Object` or `Node`,
+ * i.e. `Ognl.parseExpression(tainted)` or `Ognl.compileExpression(tainted)`.
+ */
+private predicate parseCompileExpressionStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m, int index |
+    n1.asExpr() = ma.getArgument(index) and
+    n2.asExpr() = ma and
+    ma.getMethod() = m and
+    m.getDeclaringType() instanceof TypeOgnl
+  |
+    m.hasName("parseExpression") and index = 0
+    or
+    m.hasName("compileExpression") and index = 2
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `Node` and `Accessor`,
+ * i.e. `Node.getAccessor()`.
+ */
+private predicate getAccessorStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m |
+    ma.getMethod() = m and
+    m.getDeclaringType().getASupertype*() instanceof TypeNode and
+    m.hasName("getAccessor")
+  |
+    n1.asExpr() = ma.getQualifier() and
+    n2.asExpr() = ma
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `Node` and `Accessor`
+ * in a `setExpression` call, i.e. `accessor.setExpression(tainted)`
+ */
+private predicate setExpressionStep(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(MethodAccess ma, Method m |
+    ma.getMethod() = m and
+    m.hasName("setExpression") and
+    m.getDeclaringType().getASupertype*() instanceof TypeExpressionAccessor
+  |
+    n1.asExpr() = ma.getArgument(0) and
+    n2.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = ma.getQualifier()
+  )
+}
+
+private class DefaultOgnlInjectionAdditionalTaintStep extends OgnlInjectionAdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    parseCompileExpressionStep(node1, node2) or
+    getAccessorStep(node1, node2) or
+    setExpressionStep(node1, node2)
+  }
+}

java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

@@ -0,0 +1,24 @@
+/** Provides taint tracking configurations to be used in OGNL injection queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.OgnlInjection
+
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
+ */
+class OgnlInjectionFlowConfig extends TaintTracking::Configuration {
+  OgnlInjectionFlowConfig() { this = "OgnlInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}