cleanup and add header/jndi injection vulns

Author: nahsra

.gitignore

@@ -25,3 +25,4 @@ buildNumber.properties
 .project
 # JDT-specific (Eclipse Java Development Tools)
 .classpath
+.dccache

pom.xml

@@ -37,6 +37,12 @@
   </dependencyManagement>
 
   <dependencies>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>servlet-api</artifactId>
+      <version>2.5</version>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>jakarta.ws.rs</groupId>
       <artifactId>jakarta.ws.rs-api</artifactId>

src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java

@@ -0,0 +1,17 @@
+package com.acme.headerinjection;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+
+import javax.servlet.http.HttpServletResponse;
+
+@Path("/unsafe-header-injection")
+public class HeaderInjectionVuln {
+
+    @GET
+    public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
+        response.setHeader("X-Last-Search", q);
+        return "ok";
+    }
+}

src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java

@@ -0,0 +1,21 @@
+package com.acme.headerinjection;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+
+import javax.servlet.http.HttpServletResponse;
+
+@Path("/unsafe-header-injection")
+public class HeaderInjectionVulnFixed {
+
+    @GET
+    public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
+        response.setHeader("X-Last-Search", stripNewlines(q));
+        return "ok";
+    }
+
+    private static String stripNewlines(final String q) {
+        return q.replaceAll("[\n\r]", "");
+    }
+}

src/main/java/com/acme/jndi/JNDIVuln.java

@@ -0,0 +1,20 @@
+package com.acme.jndi;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+@Path("/unsafe-jndi-lookup")
+public class JNDIVuln {
+
+    @GET
+    public String lookupResource(@QueryParam("resource") final String resource) throws NamingException {
+        Context ctx = new InitialContext();
+        Object obj = ctx.lookup(resource);
+        return String.valueOf(obj);
+    }
+}

src/main/java/com/acme/jndi/JNDIVulnFixed.java

@@ -0,0 +1,32 @@
+package com.acme.jndi;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.QueryParam;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import java.util.Set;
+
+@Path("/unsafe-jndi-lookup")
+public class JNDIVulnFixed {
+
+    @GET
+    public String lookupResource(@QueryParam("resource") final String resource) throws NamingException {
+        Context ctx = new InitialContext();
+        validateResourceName(resource);
+        Object obj = ctx.lookup(resource);
+        return String.valueOf(obj);
+    }
+
+    private static void validateResourceName(final String name) {
+        if (name != null) {
+            Set<String> illegalNames = Set.of("ldap://", "rmi://", "dns://");
+            String canonicalName = name.toLowerCase().trim();
+            if (illegalNames.stream().anyMatch(canonicalName::startsWith)) {
+                throw new SecurityException("Illegal JNDI resource name: " + name);
+            }
+        }
+    }
+}

src/main/java/com/acme/XXEVuln.java src/main/java/com/acme/xxe/XXEVuln.javasrc/main/java/com/acme/XXEVuln.java renamed to src/main/java/com/acme/xxe/XXEVuln.java

@@ -1,22 +1,20 @@
-package com.acme;
+package com.acme.xxe;
+
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
 
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
 import javax.xml.parsers.*;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.XMLReader;
-import org.xml.sax.helpers.XMLReaderFactory;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
 
 /** Holds various XXE vulns for different APIs. */
 public class XXEVuln {
@@ -25,25 +23,15 @@ public static void main(String[] args)
       throws TransformerException,
           ParserConfigurationException,
           IOException,
-          SAXException,
-          SQLException {
+          SAXException {
     docToString(null);
     saxTransformer(args[0]);
     withDom(args[1]);
     withDomButDisabled(args[2]);
     withReaderFactory(args[3]);
-
-    String sql = "select * from users where name= '" + args[0] + "'";
-    Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");
-    conn.createStatement().executeQuery(sql);
   }
 
   public static String docToString(final Document poDocument) throws TransformerException {
-    if (true) {
-      int a = 1;
-      return "foo";
-    }
-
     TransformerFactory transformerFactory = TransformerFactory.newInstance();
     Transformer transformer = transformerFactory.newTransformer();
     DOMSource domSrc = new DOMSource(poDocument);

src/main/java/com/acme/XXEVulnFixed.java …main/java/com/acme/xxe/XXEVulnFixed.javasrc/main/java/com/acme/XXEVulnFixed.java renamed to src/main/java/com/acme/xxe/XXEVulnFixed.java src/main/java/com/acme/XXEVulnFixed.java renamed to src/main/java/com/acme/xxe/XXEVulnFixed.java

@@ -1,23 +1,21 @@
-package com.acme;
+package com.acme.xxe;
+
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
 
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
 import javax.xml.XMLConstants;
 import javax.xml.parsers.*;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import org.w3c.dom.Document;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.XMLReader;
-import org.xml.sax.helpers.XMLReaderFactory;
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
 
 /** Holds various XXE vulns for different APIs. */
 public class XXEVulnFixed {
@@ -26,25 +24,15 @@ public static void main(String[] args)
       throws TransformerException,
           ParserConfigurationException,
           IOException,
-          SAXException,
-          SQLException {
+          SAXException {
     docToString(null);
     saxTransformer(args[0]);
     withDom(args[1]);
     withDomButDisabled(args[2]);
     withReaderFactory(args[3]);
-
-    String sql = "select * from users where name= '" + args[0] + "'";
-    Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");
-    conn.createStatement().executeQuery(sql);
   }
 
   public static String docToString(final Document poDocument) throws TransformerException {
-    if (true) {
-      int a = 1;
-      return "foo";
-    }
-
     TransformerFactory transformerFactory = TransformerFactory.newInstance();
     transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
     Transformer transformer = transformerFactory.newTransformer();