Merge pull request github#2850 from SpaceWhite/CWE-094

aschackmull · web-flow · commit 9fc75f1f9291 · 2020-03-13T13:43:09.000+01:00
ScriptEngine java code injection
diff --git a/java/ql/src/experimental/CWE-094/ScriptEngine.java b/java/ql/src/experimental/CWE-094/ScriptEngine.java
@@ -0,0 +1,4 @@
+// Bad: ScriptEngine allows arbitrary code injection
+ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
+ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
+Object result = scriptEngine.eval(code);
diff --git a/java/ql/src/experimental/CWE-094/ScriptEngine.qhelp b/java/ql/src/experimental/CWE-094/ScriptEngine.qhelp
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The ScriptEngine API has been available since the release of Java 6.
+It allows applications to interact with scripts written in languages such as JavaScript.</p>
+</overview>
+
+<recommendation>
+<p>Use "Cloudbees Rhino Sandbox" or sandboxing with SecurityManager or use <a href="https://www.graalvm.org/">graalvm</a> instead.</p>
+</recommendation>
+
+<example>
+<p>The following code could execute random JavaScript code</p>
+<sample src="ScriptEngine.java" />
+</example>
+
+<references>
+<li>
+CERT coding standard: <a href="https://wiki.sei.cmu.edu/confluence/display/java/IDS52-J.+Prevent+code+injection">ScriptEngine code injection</a>
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/CWE-094/ScriptEngine.ql b/java/ql/src/experimental/CWE-094/ScriptEngine.ql
@@ -0,0 +1,51 @@
+/**
+ * @name ScriptEngine evaluation
+ * @description Malicious Javascript code could cause arbitrary command execution at the OS level
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/unsafe-eval
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+class ScriptEngineMethod extends Method {
+  ScriptEngineMethod() {
+    this.getDeclaringType().hasQualifiedName("javax.script", "ScriptEngine") and
+    this.hasName("eval")
+  }
+}
+
+predicate scriptEngine(MethodAccess ma, Expr sink) {
+  exists(Method m | m = ma.getMethod() |
+    m instanceof ScriptEngineMethod and
+    sink = ma.getArgument(0)
+  )
+}
+
+class ScriptEngineSink extends DataFlow::ExprNode {
+  ScriptEngineSink() { scriptEngine(_, this.getExpr()) }
+
+  MethodAccess getMethodAccess() { scriptEngine(result, this.getExpr()) }
+}
+
+class ScriptEngineConfiguration extends TaintTracking::Configuration {
+  ScriptEngineConfiguration() { this = "ScriptEngineConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource
+    or
+    source instanceof LocalUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ScriptEngineSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ScriptEngineConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode().(ScriptEngineSink).getMethodAccess(), source, sink, "ScriptEngine eval $@.",
+  source.getNode(), "user input"
