
Commit b39a3ab

Added setVariable() sink
1 parent a764a79 commit b39a3ab

4 files changed

+30
-13
lines changed


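--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -44,6 +44,10 @@ private class ExpressionEvaluationSink extends DataFlow::ExprNode {
 m.getDeclaringType() instanceof ELProcessor and
 m.hasName(["eval", "getValue", "setValue"]) and
 ma.getArgument(0) = taintFrom
+or
+m.getDeclaringType() instanceof ELProcessor and
+m.hasName("setVariable") and
+ma.getArgument(1) = taintFrom
 )
 }
 }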
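Review bot: The new disjunct marks only the second argument of `setVariable` as the sink, and nothing in the hunk records why the first argument (the variable name) is excluded; a comment above the `or` such as `// setVariable(var, expression): the expression string is parsed as EL and, as I read the API, evaluated when var is later referenced, so only argument 1 is a sink` would make that choice reviewable. Both disjuncts repeat `m.getDeclaringType() instanceof ELProcessor and`; hoisting that check and disjoining only the name/argument pairs, `m.hasName(["eval", "getValue", "setValue"]) and ma.getArgument(0) = taintFrom or m.hasName("setVariable") and ma.getArgument(1) = taintFrom`, keeps the ELProcessor sink list in one place as more methods are added. The match is by name only with no parameter-count constraint, consistent with the existing branch, but worth noting since the stub in this commit declares just the `(String, String)` overload. The enclosing predicate starts before the hunk.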

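--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -5,15 +5,17 @@ edges
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:44:24:44:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:54:24:54:33 | expression : String |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:61:24:61:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:70:24:70:33 | expression : String |
-| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:79:24:79:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:68:24:68:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:77:24:77:33 | expression : String |
+| JakartaExpressionInjection.java:24:31:24:40 | expression : String | JakartaExpressionInjection.java:86:24:86:33 | expression : String |
 | JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
+| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:63:43:63:52 | expression |
+| JakartaExpressionInjection.java:68:24:68:33 | expression : String | JakartaExpressionInjection.java:72:13:72:13 | e |
+| JakartaExpressionInjection.java:77:24:77:33 | expression : String | JakartaExpressionInjection.java:81:13:81:13 | e |
+| JakartaExpressionInjection.java:86:24:86:33 | expression : String | JakartaExpressionInjection.java:90:13:90:13 | e |
 nodes
 | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:24:31:24:40 | expression : String | semmle.label | expression : String |
@@ -26,16 +28,19 @@ nodes
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | semmle.label | expression |
+| JakartaExpressionInjection.java:68:24:68:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:72:13:72:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:77:24:77:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:81:13:81:13 | e | semmle.label | e |
+| JakartaExpressionInjection.java:86:24:86:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:90:13:90:13 | e | semmle.label | e |
 #select
 | JakartaExpressionInjection.java:32:28:32:37 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:32:28:32:37 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:39:32:39:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:39:32:39:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:56:32:56:41 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:65:13:65:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:65:13:65:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:74:13:74:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:74:13:74:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
-| JakartaExpressionInjection.java:83:13:83:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:83:13:83:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:63:43:63:52 | expression | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:63:43:63:52 | expression | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:72:13:72:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:72:13:72:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:81:13:81:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:81:13:81:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |
+| JakartaExpressionInjection.java:90:13:90:13 | e | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:90:13:90:13 | e | Jakarta Expression Language injection from $@. | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) | this user input |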

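--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java
@@ -57,6 +57,13 @@ private static void testWithELProcessorSetValue() throws IOException {
 });
 }
 
+private static void testWithELProcessorSetVariable() throws IOException {
+testWithSocket(expression -> {
+ELProcessor processor = new ELProcessor();
+processor.setVariable("test", expression);
+});
+}
+
 private static void testWithJuelValueExpressionGetValue() throws IOException {
 testWithSocket(expression -> {
 ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl();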
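Review bot: The new test exercises only a tainted second argument to `setVariable`; nothing pins that the variable-name argument is deliberately not a sink, so a later change of the sink to `getArgument(0)` or `getAnArgument()` would pass the suite unnoticed. A sibling method with `processor.setVariable(expression, "1 + 1");` and no corresponding `.expected` row would cover that negative case. The test also sets `test` and never references it afterwards, which is enough for sink detection but reads as incomplete; a comment such as `// the sink is the setVariable call itself: the expression is presumably parsed here and evaluated only when "test" is referenced` would state the intent. `testWithJuelValueExpressionGetValue` continues beyond the hunk.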

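--- a/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
+++ b/java/ql/test/stubs/java-ee-el/javax/el/ELProcessor.java
@@ -4,4 +4,5 @@ public class ELProcessor {
 public Object eval(String expression) { return null; }
 public Object getValue(String expression, Class<?> expectedType) { return null; }
 public void setValue(String expression, Object value) {}
+public void setVariable(String var, String expression) {}
 }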
