Merge pull request github#5349 from p0wn4j/fix-nashorn-engine-1

aschackmull · web-flow · commit e63f81171cef · 2021-03-08T13:23:36.000+01:00
Java: Fix NashornScriptEngine detection in ScriptEngine query
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/NashornScriptEngine.java b/java/ql/src/experimental/Security/CWE/CWE-094/NashornScriptEngine.java
@@ -0,0 +1,4 @@
+// Bad: Execute externally controlled input in Nashorn Script Engine
+NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting"});
+Object result = engine.eval(input);
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.qhelp
@@ -15,11 +15,12 @@ It allows applications to interact with scripts written in languages such as Jav
 <example>
 <p>The following code could execute random JavaScript code</p>
 <sample src="ScriptEngine.java" />
+<sample src="NashornScriptEngine.java" />
 </example>
 
 <references>
 <li>
 CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
 </li>
 </references>
-</qhelp>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptEngine.ql
@@ -15,7 +15,7 @@ import DataFlow::PathGraph
 
 class ScriptEngineMethod extends Method {
   ScriptEngineMethod() {
-    this.getDeclaringType().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and
     this.hasName("eval")
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.expected b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.expected
@@ -0,0 +1,32 @@
+edges
+| ScriptEngineTest.java:8:44:8:55 | input : String | ScriptEngineTest.java:12:37:12:41 | input |
+| ScriptEngineTest.java:15:51:15:62 | input : String | ScriptEngineTest.java:19:31:19:35 | input |
+| ScriptEngineTest.java:23:58:23:69 | input : String | ScriptEngineTest.java:27:31:27:35 | input |
+| ScriptEngineTest.java:30:46:30:57 | input : String | ScriptEngineTest.java:34:31:34:35 | input |
+| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:38:56:38:62 | ...[...] : String |
+| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:39:63:39:69 | ...[...] : String |
+| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:40:70:40:76 | ...[...] : String |
+| ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:41:58:41:64 | ...[...] : String |
+| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | ScriptEngineTest.java:8:44:8:55 | input : String |
+| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | ScriptEngineTest.java:15:51:15:62 | input : String |
+| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | ScriptEngineTest.java:23:58:23:69 | input : String |
+| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | ScriptEngineTest.java:30:46:30:57 | input : String |
+nodes
+| ScriptEngineTest.java:8:44:8:55 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:12:37:12:41 | input | semmle.label | input |
+| ScriptEngineTest.java:15:51:15:62 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:19:31:19:35 | input | semmle.label | input |
+| ScriptEngineTest.java:23:58:23:69 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:27:31:27:35 | input | semmle.label | input |
+| ScriptEngineTest.java:30:46:30:57 | input : String | semmle.label | input : String |
+| ScriptEngineTest.java:34:31:34:35 | input | semmle.label | input |
+| ScriptEngineTest.java:37:26:37:38 | args : String[] | semmle.label | args : String[] |
+| ScriptEngineTest.java:38:56:38:62 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:39:63:39:69 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:40:70:40:76 | ...[...] : String | semmle.label | ...[...] : String |
+| ScriptEngineTest.java:41:58:41:64 | ...[...] : String | semmle.label | ...[...] : String |
+#select
+| ScriptEngineTest.java:12:19:12:42 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:12:37:12:41 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:19:19:19:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:19:31:19:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:27:19:27:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:27:31:27:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
+| ScriptEngineTest.java:34:19:34:36 | eval(...) | ScriptEngineTest.java:37:26:37:38 | args : String[] | ScriptEngineTest.java:34:31:34:35 | input | ScriptEngine eval $@. | ScriptEngineTest.java:37:26:37:38 | args | user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngine.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/ScriptEngine.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java
@@ -0,0 +1,58 @@
+import jdk.nashorn.api.scripting.NashornScriptEngine;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+import javax.script.*;
+
+
+public class ScriptEngineTest {
+
+	public void testWithScriptEngineReference(String input) throws ScriptException {
+		ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
+		// Create with ScriptEngine reference
+		ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
+		Object result = scriptEngine.eval(input);
+	}
+	
+	public void testNashornWithScriptEngineReference(String input) throws ScriptException {
+		NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+		// Create Nashorn with ScriptEngine reference
+		ScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
+		Object result = engine.eval(input);
+	}
+
+	
+	public void testNashornWithNashornScriptEngineReference(String input) throws ScriptException {
+		NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
+		// Create Nashorn with NashornScriptEngine reference
+		NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
+		Object result = engine.eval(input);
+	}
+	
+	public void testCustomScriptEngineReference(String input) throws ScriptException {
+		MyCustomFactory factory = new MyCustomFactory();
+		//Create with Custom Script Engine reference
+		MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" });
+		Object result = engine.eval(input);
+	}
+	
+	public static void main(String[] args) throws ScriptException {
+		new ScriptEngineTest().testWithScriptEngineReference(args[0]);
+		new ScriptEngineTest().testNashornWithScriptEngineReference(args[0]);
+		new ScriptEngineTest().testNashornWithNashornScriptEngineReference(args[0]);
+		new ScriptEngineTest().testCustomScriptEngineReference(args[0]);
+	}
+	
+	private static class MyCustomScriptEngine extends AbstractScriptEngine {
+		public Object eval(String var1) throws ScriptException {
+			return null;
+		}
+	}
+	
+	private static class MyCustomFactory implements ScriptEngineFactory {
+		public MyCustomFactory() {
+    		}
+    		
+    		public ScriptEngine getScriptEngine() { return null; }
+
+		public ScriptEngine getScriptEngine(String... args) { return null; }
+	}
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine
+
diff --git a/java/ql/test/stubs/scriptengine/javax/script/AbstractScriptEngine.java b/java/ql/test/stubs/scriptengine/javax/script/AbstractScriptEngine.java
@@ -0,0 +1,8 @@
+package javax.script;
+
+public abstract class AbstractScriptEngine implements ScriptEngine {
+	public Object eval(String var1) throws ScriptException {
+		return null;
+	}
+}
+
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngine.java
@@ -0,0 +1,6 @@
+package javax.script;
+
+public interface ScriptEngine {
+    Object eval(String var1) throws ScriptException;
+}
+
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineFactory.java
@@ -0,0 +1,6 @@
+package javax.script;
+
+public interface ScriptEngineFactory {
+    ScriptEngine getScriptEngine();
+}
+
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineManager.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptEngineManager.java
@@ -0,0 +1,22 @@
+package javax.script;
+
+public class ScriptEngineManager {
+
+
+    public ScriptEngineManager() {
+
+    }
+
+    public ScriptEngine getEngineByName(String shortName) {
+	return null;
+    }
+
+    public ScriptEngine getEngineByExtension(String extension) {
+        return null;
+    }
+
+    public ScriptEngine getEngineByMimeType(String mimeType) {
+	return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/scriptengine/javax/script/ScriptException.java b/java/ql/test/stubs/scriptengine/javax/script/ScriptException.java
@@ -0,0 +1,7 @@
+package javax.script;
+
+public class ScriptException extends Exception {
+    public ScriptException(String s) {
+    }
+}
+
diff --git a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngine.java
@@ -0,0 +1,10 @@
+package jdk.nashorn.api.scripting;
+
+import javax.script.*;
+
+public final class NashornScriptEngine extends AbstractScriptEngine {
+	public Object eval(String var1) throws ScriptException {
+		return null;
+	}
+}
+
diff --git a/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java b/java/ql/test/stubs/scriptengine/jdk/nashorn/api/scripting/NashornScriptEngineFactory.java
@@ -0,0 +1,22 @@
+package jdk.nashorn.api.scripting;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineFactory;
+
+
+public final class NashornScriptEngineFactory implements ScriptEngineFactory {
+
+    public NashornScriptEngineFactory() {
+    }
+
+
+    public ScriptEngine getScriptEngine() {
+        return null;
+    }
+
+
+    public ScriptEngine getScriptEngine(String... args) {
+        return null;
+    }
+}
+

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import DataFlow::PathGraph`
`15`	`15`
`16`	`16`	`class ScriptEngineMethod extends Method {`
`17`	`17`	`ScriptEngineMethod() {`
`18`		`- this.getDeclaringType().hasQualifiedName("javax.script", "ScriptEngine") and`
	`18`	`+ this.getDeclaringType().getASupertype*().hasQualifiedName("javax.script", "ScriptEngine") and`
`19`	`19`	`this.hasName("eval")`
`20`	`20`	`}`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-094/ScriptEngine.ql`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../../stubs/scriptengine`
	`2`	`+`