Rhino code injection

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java

@@ -0,0 +1,39 @@
+public class RhinoInjection extends HttpServlet {
+
+  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+    response.setContentType("text/plain");
+    String code = request.getParameter("code");
+    Context ctx = Context.enter();
+    try {
+      {
+        // BAD: allow arbitrary Java and JavaScript code to be executed
+        Scriptable scope = ctx.initStandardObjects();
+      }
+
+      {
+        // GOOD: enable the safe mode
+        Scriptable scope = ctx.initSafeStandardObjects();
+      }
+
+      {
+        // GOOD: enforce a constraint on allowed classes
+        Scriptable scope = ctx.initStandardObjects();
+        ctx.setClassShutter(new ClassShutter() {
+            public boolean visibleToScripts(String className) {
+                if(className.startsWith("com.example.")) {
+                    return true;
+                }
+                return false;
+            }
+        });
+      }
+
+      Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+      response.getWriter().print(Context.toString(result));
+    } catch(RhinoException ex) {
+      response.getWriter().println(ex.getMessage());
+    } finally {
+      Context.exit();
+    }
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qhelp

@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Rhino is a JavaScript engine written fully in Java and managed by the Mozilla Foundation. 
+It serves as an embedded scripting engine inside Java applications which allows 
+Java-to-JavaScript interoperability and provides a seamless integration between the two 
+languages. If an expression is built using attacker-controlled data, and then evaluated in 
+a powerful context, it may allow the attacker to run arbitrary code.
+</p>
+<p>
+Typically an expression is evaluated in the powerful context initialized with 
+<code>initStandardObjects</code> that allows an expression of arbitrary Java code to
+execute in the JVM.
+</p>
+</overview>
+
+<recommendation>
+<p>
+In general, including user input in a Rhino expression should be avoided.
+If user input must be included in the expression, it should be then evaluated in a safe
+context that doesn't allow arbitrary code invocation.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows two ways of using Rhino expression. In the 'BAD' case,
+an unsafe context is initialized with <code>initStandardObjects</code>. In the 'GOOD' case,
+a safe context is initialized with <code>initSafeStandardObjects</code> or 
+<code>setClassShutter</code>.
+</p>
+<sample src="RhinoInjection.java" />
+</example>
+
+<references>
+<li>
+  Mozilla Rhino:
+  <a href="https://github.com/mozilla/rhino">Rhino: JavaScript in Java</a>
+</li>
+<li>
+  Rhino Sandbox:
+  <a href="https://github.com/javadelight/delight-rhino-sandbox">A sandbox to execute JavaScript code with Rhino in Java.</a>
+</li>
+<li>
+  GuardRails:
+  <a href="https://docs.guardrails.io/docs/en/vulnerabilities/java/insecure_use_of_dangerous_function">Code Injection</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Injection in Mozilla Rhino JavaScript Engine
+ * @description Evaluation of a user-controlled JavaScript or Java expression in Rhino
+ *              JavaScript Engine may lead to remote code execution.
+ * @kind path-problem
+ * @id java/rhino-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import RhinoInjection
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RhinoInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Rhino injection from $@.", source.getNode(), " user input"

java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.qll

@@ -0,0 +1,56 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/** The class `org.mozilla.javascript.Context`. */
+class Context extends RefType {
+  Context() { this.hasQualifiedName("org.mozilla.javascript", "Context") }
+}
+
+/**
+ * A method that evaluates a Rhino expression.
+ */
+class EvaluateExpressionMethod extends Method {
+  EvaluateExpressionMethod() {
+    this.getDeclaringType().getAnAncestor*() instanceof Context and
+    (
+      hasName("evaluateString") or
+      hasName("evaluateReader")
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input that is used to evaluate
+ * a Rhino expression.
+ */
+class RhinoInjectionConfig extends TaintTracking::Configuration {
+  RhinoInjectionConfig() { this = "RhinoInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof EvaluateExpressionSink }
+}
+
+/**
+ * A sink for Rhino code injection vulnerabilities.
+ */
+class EvaluateExpressionSink extends DataFlow::ExprNode {
+  EvaluateExpressionSink() {
+    exists(MethodAccess ea, EvaluateExpressionMethod m | m = ea.getMethod() |
+      this.asExpr() = ea.getArgument(1) and // The second argument is the JavaScript or Java input
+      not exists(MethodAccess ca |
+        (
+          ca.getMethod().hasName("initSafeStandardObjects") // safe mode
+          or
+          ca.getMethod().hasName("setClassShutter") // `ClassShutter` constraint is enforced
+        ) and
+        ea.getQualifier() = ca.getQualifier().(VarAccess).getVariable().getAnAccess()
+      )
+    )
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.expected

@@ -0,0 +1,7 @@
+edges
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code |
+nodes
+| RhinoServlet.java:25:23:25:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:29:55:29:58 | code | semmle.label | code |
+#select
+| RhinoServlet.java:29:55:29:58 | code | RhinoServlet.java:25:23:25:50 | getParameter(...) : String | RhinoServlet.java:29:55:29:58 | code | Rhino injection from $@. | RhinoServlet.java:25:23:25:50 | getParameter(...) |  user input |

java/ql/test/experimental/query-tests/security/CWE-094/RhinoInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/RhinoInjection.ql

java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java

@@ -0,0 +1,78 @@
+import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.mozilla.javascript.ClassShutter;
+import org.mozilla.javascript.Context;
+import org.mozilla.javascript.Scriptable;
+import org.mozilla.javascript.RhinoException;
+
+/**
+ * Servlet implementation class RhinoServlet
+ */
+public class RhinoServlet extends HttpServlet {
+    private static final long serialVersionUID = 1L;
+       
+    public RhinoServlet() {
+        super();
+    }
+
+    // BAD: allow arbitrary Java and JavaScript code to be executed
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initStandardObjects();
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }
+
+    // GOOD: enable the safe mode
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initSafeStandardObjects();
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }
+
+    // GOOD: enforce a constraint on allowed classes
+    protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        response.setContentType("text/plain");
+        String code = request.getParameter("code");
+        Context ctx = Context.enter();
+        try {
+            Scriptable scope = ctx.initStandardObjects();
+            ctx.setClassShutter(new ClassShutter() {
+                public boolean visibleToScripts(String className) {
+                    if(className.startsWith("com.example.")) {
+                        return true;
+                    }
+                    return false;
+                }
+            });
+
+            Object result = ctx.evaluateString(scope, code, "<code>", 1, null);
+            response.getWriter().print(Context.toString(result));
+        } catch(RhinoException ex) {
+            response.getWriter().println(ex.getMessage());
+        } finally {
+            Context.exit();
+        }
+    }    
+}

java/ql/test/experimental/query-tests/security/CWE-094/options

@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
 

java/ql/test/experimental/stubs/rhino-1.7.13/org/mozilla/javascript/ClassShutter.java

@@ -0,0 +1,56 @@
+/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+// API class
+
+package org.mozilla.javascript;
+
+/**
+Embeddings that wish to filter Java classes that are visible to scripts
+through the LiveConnect, should implement this interface.
+
+@see Context#setClassShutter(ClassShutter)
+@since 1.5 Release 4
+@author Norris Boyd
+*/
+
+ public interface ClassShutter {
+
+    /**
+     * Return true iff the Java class with the given name should be exposed
+     * to scripts.
+     * <p>
+     * An embedding may filter which Java classes are exposed through
+     * LiveConnect to JavaScript scripts.
+     * <p>
+     * Due to the fact that there is no package reflection in Java,
+     * this method will also be called with package names. There
+     * is no way for Rhino to tell if "Packages.a.b" is a package name
+     * or a class that doesn't exist. What Rhino does is attempt
+     * to load each segment of "Packages.a.b.c": It first attempts to
+     * load class "a", then attempts to load class "a.b", then
+     * finally attempts to load class "a.b.c". On a Rhino installation
+     * without any ClassShutter set, and without any of the
+     * above classes, the expression "Packages.a.b.c" will result in
+     * a [JavaPackage a.b.c] and not an error.
+     * <p>
+     * With ClassShutter supplied, Rhino will first call
+     * visibleToScripts before attempting to look up the class name. If
+     * visibleToScripts returns false, the class name lookup is not
+     * performed and subsequent Rhino execution assumes the class is
+     * not present. So for "java.lang.System.out.println" the lookup
+     * of "java.lang.System" is skipped and thus Rhino assumes that
+     * "java.lang.System" doesn't exist. So then for "java.lang.System.out",
+     * Rhino attempts to load the class "java.lang.System.out" because
+     * it assumes that "java.lang.System" is a package name.
+     * <p>
+     * @param fullClassName the full name of the class (including the package
+     *                      name, with '.' as a delimiter). For example the
+     *                      standard string class is "java.lang.String"
+     * @return whether or not to reveal this class to scripts
+     */
+    public boolean visibleToScripts(String fullClassName);
+}