-
Notifications
You must be signed in to change notification settings - Fork 1.5k
/
Log4jJndiInjection.ql
58 lines (49 loc) · 2.03 KB
/
Log4jJndiInjection.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
/**
* @name Potential Log4J LDAP JNDI injection (CVE-2021-44228)
* @description Building Log4j log entries from user-controlled data may allow
* attackers to inject malicious code through JNDI lookups when
* using Log4J versions vulnerable to CVE-2021-44228.
* @kind path-problem
* @problem.severity error
* @precision high
* @id java/log4j-injection
* @tags security
* experimental
* external/cwe/cwe-020
* external/cwe/cwe-074
* external/cwe/cwe-400
* external/cwe/cwe-502
*/
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.security.Sanitizers
import Log4jInjectionFlow::PathGraph
private class ActivateModels extends ActiveExperimentalModels {
ActivateModels() { this = "log4j-injection" }
}
/** A data flow sink for unvalidated user input that is used to log messages. */
class Log4jInjectionSink extends DataFlow::Node {
Log4jInjectionSink() { sinkNode(this, "log4j") }
}
/**
* A node that sanitizes a message before logging to avoid log injection.
*/
class Log4jInjectionSanitizer extends DataFlow::Node instanceof SimpleTypeSanitizer { }
/**
* A taint-tracking configuration for tracking untrusted user input used in log entries.
*/
module Log4jInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof Log4jInjectionSink }
predicate isBarrier(DataFlow::Node node) { node instanceof Log4jInjectionSanitizer }
}
/**
* Taint-tracking flow for tracking untrusted user input used in log entries.
*/
module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
where Log4jInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
"user-provided value"