Skip to content

CodeQL query to detect OGNL injections#3294

Merged
aschackmull merged 4 commits intogithub:masterfrom
ggolawski:ognl-injection
Jun 30, 2020
Merged

CodeQL query to detect OGNL injections#3294
aschackmull merged 4 commits intogithub:masterfrom
ggolawski:ognl-injection

Conversation

@ggolawski
Copy link
Copy Markdown
Contributor

@ggolawski ggolawski commented Apr 19, 2020
edited
Loading

This PR adds a query to detect OGNL injections. It flags the code where user-provided OGNL expression is evaluated (getValue, setValue and callMethod in the below examples):

public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
    Object tree = Ognl.parseExpression(expr);
    Ognl.getValue(tree, new HashMap<>(), new Object());
    Ognl.setValue(tree, new HashMap<>(), new Object());

    Node node = (Node) tree;
    node.getValue(null, new Object());
    node.setValue(null, new Object(), new Object());
  }

  public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
    Node tree = Ognl.compileExpression(null, new Object(), expr);
    Ognl.getValue(tree, new HashMap<>(), new Object());
    Ognl.setValue(tree, new HashMap<>(), new Object());

    tree.getValue(null, new Object());
    tree.setValue(null, new Object(), new Object());
  }

  public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
    Ognl.getValue(expr, new Object());
    Ognl.setValue(expr, new HashMap<>(), new Object());
  }

  public void testStruts(@RequestParam String expr) throws Exception {
    OgnlUtil ognl = new OgnlUtil();
    ognl.getValue(expr, new HashMap<>(), new Object());
    ognl.setValue(expr, new HashMap<>(), new Object(), new Object());
    new OgnlUtil().callMethod(expr, new HashMap<>(), new Object());
  }

Evaluation of unvalidated expressions can let attacker to modify Java objects' properties or execute arbitrary code.

The tests and required qlpack.yml in src/experimental and test/experimental are also included.

@ggolawski ggolawski requested review from a team and felicitymay as code owners April 19, 2020 18:40
@ggolawski ggolawski mentioned this pull request Apr 19, 2020
Closed
1 task
Marcono1234
Marcono1234 reviewed Jun 16, 2020
View reviewed changes
Comment thread java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjection.qhelp Outdated
Comment thread java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll Outdated
aschackmull
aschackmull reviewed Jun 23, 2020
View reviewed changes
Comment thread java/ql/src/experimental/Security/CWE/CWE-917/OgnlInjectionLib.qll
@ggolawski ggolawski requested a review from a team as a code owner June 27, 2020 16:30
@aschackmull aschackmull merged commit 13cb853 into github:master Jun 30, 2020
@ggolawski ggolawski deleted the ognl-injection branch July 13, 2020 18:44
@atorralba atorralba mentioned this pull request May 13, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aschackmull aschackmull aschackmull approved these changes

@felicitymay felicitymay Awaiting requested review from felicitymay

+1 more reviewer

@Marcono1234 Marcono1234 Marcono1234 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ggolawski @Marcono1234 @aschackmull @atorralba @yo-h