
Stewella/Petshop


PetStore Vulnerable Application

Overview

Multi-module Java Maven application designed for testing static analysis tools. This application intentionally contains a vulnerable dependency (Apache Commons Text 1.9) with clear call chains from API endpoints to the vulnerable code.

Purpose

This application is specifically designed to test the autovulcanx-core static analyzer engine's ability to:

  • Detect vulnerable dependencies (CVE-2022-42889)
  • Track call graphs from entry points to vulnerable code
  • Analyze method chains across multiple modules
  • Identify data flow through complex architectures

Vulnerability Details

CVE-2022-42889

  • Component: Apache Commons Text 1.9
  • Class: org.apache.commons.text.StringSubstitutor
  • Severity: Critical (CVSS 9.8)
  • Issue: Script engine code execution via variable interpolation
  • Exploit: ${script:javascript:java.lang.Runtime.getRuntime().exec("calc")}

Project Structure

petstore-parent/
├── petstore-domain/          # Entity classes (Pet, Customer, Order)
├── petstore-data/            # Data access with VULNERABLE TemplateProcessor
├── petstore-service/         # Business logic layer
└── petstore-api/             # REST controllers (Entry points)

Module Dependencies

petstore-api
    └─> petstore-service
            └─> petstore-data
                    ├─> petstore-domain
                    └─> commons-text:1.9 (VULNERABLE)

Vulnerable Call Chains

Chain 1: Pet Advertisement

PetController.getPetAdvertisement()
    └─> PetService.generatePetAdvertisement()
        └─> PetRepository.generatePetDescription()
            └─> TemplateProcessor.processTemplate()
                └─> StringSubstitutor.replace() ⚠️ VULNERABLE

Chain 2: Custom Listing (User-controlled template)

PetController.createCustomListing(id, customFormat)
    └─> PetService.createCustomPetListing()
        └─> PetRepository.generatePetListing()
            └─> TemplateProcessor.processTemplate()
                └─> StringSubstitutor.replace() ⚠️ VULNERABLE

Chain 3: Customer Notification

CustomerController.sendNotification(id, messageTemplate)
    └─> CustomerService.sendCustomNotification()
        └─> CustomerRepository.formatNotification()
            └─> TemplateProcessor.formatMessage()
                └─> StringSubstitutor.replace() ⚠️ VULNERABLE

Chain 4: Order Processing

OrderController.processNotes(id, notesTemplate)
    └─> OrderService.processSpecialOrderNotes()
        └─> OrderRepository.processOrderNotes()
            └─> TemplateProcessor.processTemplateWithDefaults()
                └─> StringSubstitutor.createInterpolator() ⚠️ HIGHLY VULNERABLE

Chain 5: Complex Multi-chain Report

OrderController.getCompleteReport(id)
    └─> OrderService.generateCompleteOrderReport()
        ├─> OrderRepository.generateOrderConfirmation() ───┐
        ├─> CustomerRepository.generateWelcomeMessage() ───┼─> All lead to
        └─> PetRepository.generatePetDescription() ────────┘   StringSubstitutor ⚠️
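The sink every chain above ends in is a StringSubstitutor whose lookup set comes from commons-text 1.9's default interpolator. The following is an added example, not code from the Stewella/Petshop repository: it places a template routine written in the style the README attributes to TemplateProcessor next to a hardened replacement, so the difference the analyzer is expected to flag is visible in a few lines. Class and method names are illustrative; it assumes commons-text 1.9 on the classpath, the version the README names, and uses a `${sys:...}` placeholder as a benign stand-in for the attacker-chosen prefixes the default interpolator honours.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example, not part of the Stewella/Petshop code base.
 * Assumes commons-text 1.9 on the classpath; names are illustrative.
 */
public class TemplateProcessorDemo {

    /**
     * VULNERABLE pattern: the interpolator built here carries every default
     * lookup of commons-text 1.9, which in that version still includes
     * script:, dns: and url:. Whoever controls 'template' therefore chooses
     * which lookup runs; the map only backs bare ${name} placeholders.
     */
    public static String processTemplateVulnerable(String template, Map<String, String> values) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.interpolatorStringLookup(values));
        return sub.replace(template);
    }

    /**
     * HARDENED pattern: resolve placeholders only from an application-supplied
     * map. There is no prefix dispatch at all, so "${script:...}", "${sys:...}",
     * "${env:...}" and the rest are unknown keys and stay in the output as
     * literal text. Substitution inside resolved values is switched off so a
     * value cannot smuggle in a second placeholder.
     */
    public static String processTemplateHardened(String template, Map<String, String> values) {
        StringSubstitutor sub = new StringSubstitutor(values);
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for a Pet entity.
        Map<String, String> pet = new HashMap<>();
        pet.put("name", "Rex");
        pet.put("price", "250");

        // Constructed "customFormat" as a client might submit it. The sys: prefix
        // is a benign stand-in for the prefixes the default interpolator exposes.
        String userFormat = "Pet ${name} costs ${price}. Host JVM: ${sys:java.version}";

        // Resolves the sys: lookup, and would dispatch script:/dns:/url: just as readily.
        System.out.println("vulnerable: " + processTemplateVulnerable(userFormat, pet));

        // Fills name and price, leaves "${sys:java.version}" untouched in the output.
        System.out.println("hardened:   " + processTemplateHardened(userFormat, pet));
    }
}
```

Two points carry over to the real fix. First, the structural one: user input such as `customFormat`, `messageTemplate` or `notesTemplate` belongs in the value map, never in the template string, because a substitutor cannot distinguish a placeholder the application wrote from one the caller wrote. Second, the dependency one: commons-text 1.10.0 removed `script`, `dns` and `url` from the default lookup set, so upgrading closes the `createInterpolator()` path in Chain 4 even before the code is restructured; a static analyzer that reports the dependency version and the sink separately lets you confirm both changes landed.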

Building the Project

Prerequisites

  • Java 11 or higher
  • Maven 3.6 or higher

Build Commands

# Build all modules
mvn clean install

# Build without tests
mvn clean install -DskipTests

# Run the application
cd petstore-api
mvn exec:java -Dexec.mainClass="com.petstore.api.PetStoreApplication"

Running the Application

# From project root
cd petstore-api/target
java -jar petstore-api-1.0-SNAPSHOT.jar

# Or using Maven
mvn -pl petstore-api exec:java

Testing with Static Analyzer

Expected Detections

The static analyzer should detect:

  1. Vulnerable Dependency:
    • Apache Commons Text 1.9 (CVE-2022-42889)

  2. Vulnerable Usage Points (at minimum):
    • TemplateProcessor.processTemplate()
    • TemplateProcessor.processTemplateWithDefaults()
    • TemplateProcessor.formatMessage()

  3. Entry Points with Vulnerable Chains:
    • PetController.createCustomListing() - User-controlled template
    • CustomerController.sendNotification() - User-controlled template
    • OrderController.processNotes() - User-controlled template (most dangerous)
    • OrderController.getCompleteReport() - Complex multi-chain

  4. Data Flow Analysis:
    • Track user input (customFormat, messageTemplate, notesTemplate)
    • Follow it through the service layer
    • Identify the repository calls
    • Trace it to the vulnerable StringSubstitutor

Key Features for Analyzer Testing

1. Multi-Module Architecture

Tests analyzer's ability to track dependencies across Maven modules.

2. Method Chaining

Multiple levels of method calls before reaching vulnerable code.

3. User-Controlled Input

Several endpoints accept user-provided templates that flow to vulnerable code.

4. Complex Call Graphs

Multiple paths and branches leading to the same vulnerable dependency.

5. Loop Structures

Batch processing methods that call vulnerable code in loops.

6. Multiple Entry Points

Various API endpoints that all lead to the vulnerability through different paths.

Security Notes

⚠️ WARNING: This application contains intentional security vulnerabilities.

  • DO NOT deploy to production
  • DO NOT expose to untrusted networks
  • USE ONLY for security testing and research
  • ALWAYS run in isolated environments

License

This is a test application for security research purposes only.

Contact

For questions about this test application, please refer to the project documentation.
