ggolawski
Contributor

@ggolawski ggolawski commented Apr 19, 2020

This PR adds a query to detect OGNL injections. It flags the code where a user-provided OGNL expression is evaluated (`getValue`, `setValue` and `callMethod` in the examples below):

```java
// Imports and the enclosing class are added here so the snippet compiles on its own;
// the PR's own test file is not reproduced on this page, so the class name is a placeholder.
import java.util.HashMap;

import com.opensymphony.xwork2.ognl.OgnlUtil;
import ognl.Node;
import ognl.Ognl;
import org.springframework.web.bind.annotation.RequestParam;

public class OgnlInjectionTest {

  public void testOgnlParseExpression(@RequestParam String expr) throws Exception {
    // The tree is built from user input; evaluating it is what the query flags.
    Object tree = Ognl.parseExpression(expr);
    Ognl.getValue(tree, new HashMap<>(), new Object()); // flagged
    Ognl.setValue(tree, new HashMap<>(), new Object()); // flagged

    Node node = (Node) tree;
    node.getValue(null, new Object()); // flagged
    node.setValue(null, new Object(), new Object()); // flagged
  }

  public void testOgnlCompileExpression(@RequestParam String expr) throws Exception {
    Node tree = Ognl.compileExpression(null, new Object(), expr);
    Ognl.getValue(tree, new HashMap<>(), new Object()); // flagged
    Ognl.setValue(tree, new HashMap<>(), new Object()); // flagged

    tree.getValue(null, new Object()); // flagged
    tree.setValue(null, new Object(), new Object()); // flagged
  }

  public void testOgnlDirectlyToGetSet(@RequestParam String expr) throws Exception {
    // The raw expression string goes straight into evaluation.
    Ognl.getValue(expr, new Object()); // flagged
    Ognl.setValue(expr, new HashMap<>(), new Object()); // flagged
  }

  public void testStruts(@RequestParam String expr) throws Exception {
    // Struts' OgnlUtil wrapper evaluates the expression the same way.
    OgnlUtil ognl = new OgnlUtil();
    ognl.getValue(expr, new HashMap<>(), new Object()); // flagged
    ognl.setValue(expr, new HashMap<>(), new Object(), new Object()); // flagged
    new OgnlUtil().callMethod(expr, new HashMap<>(), new Object()); // flagged
  }
}
```

Evaluation of unvalidated expressions can let an attacker modify Java objects' properties or execute arbitrary code.

The tests and the required `qlpack.yml` in `src/experimental` and `test/experimental` are also included.
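The query itself is not reproduced on this page. As an added illustration (not the query this PR contributes, and not part of the original discussion), the following CodeQL for Java query shows the shape such a detection takes: remote input is the source, the expression or parsed tree handed to the evaluation calls listed above is the sink, and an extra taint step carries taint from the expression string into the tree returned by `parseExpression` / `compileExpression`, so that later `getValue` / `setValue` calls on that tree are still reported. It assumes the `TaintTracking::Configuration` API of the 2020-era CodeQL Java library, that Spring `@RequestParam` parameters are modelled as `RemoteFlowSource`, and the class names `ognl.Ognl`, `ognl.Node` and `com.opensymphony.xwork2.ognl.OgnlUtil`; the `@id` is a placeholder.

```ql
/**
 * @name OGNL injection (illustrative example, not the PR's query)
 * @description User-controlled input reaches an OGNL expression evaluation.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/ognl-injection
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/** A call to a method of `ognl.Ognl` (assumed class name). */
class OgnlCall extends MethodAccess {
  OgnlCall() { this.getMethod().getDeclaringType().hasQualifiedName("ognl", "Ognl") }
}

/** A call to `getValue` / `setValue` on an `ognl.Node` tree (assumed interface name). */
class OgnlNodeEvalCall extends MethodAccess {
  OgnlNodeEvalCall() {
    this.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("ognl", "Node") and
    (this.getMethod().hasName("getValue") or this.getMethod().hasName("setValue"))
  }
}

/** The expression string or parsed tree that OGNL evaluates. */
class OgnlInjectionSink extends DataFlow::ExprNode {
  OgnlInjectionSink() {
    // Ognl.getValue(exprOrTree, ...) / Ognl.setValue(exprOrTree, ...)
    exists(OgnlCall call |
      (call.getMethod().hasName("getValue") or call.getMethod().hasName("setValue")) and
      this.asExpr() = call.getArgument(0)
    )
    or
    // tree.getValue(ctx, root) / tree.setValue(ctx, target, value): the qualifier is the tree
    exists(OgnlNodeEvalCall call | this.asExpr() = call.getQualifier())
    or
    // Struts: OgnlUtil.getValue / setValue / callMethod(expr, context, root, ...)
    exists(MethodAccess call, Method m | m = call.getMethod() |
      m.getDeclaringType().hasQualifiedName("com.opensymphony.xwork2.ognl", "OgnlUtil") and
      (m.hasName("getValue") or m.hasName("setValue") or m.hasName("callMethod")) and
      this.asExpr() = call.getArgument(0)
    )
  }
}

class OgnlInjectionConfig extends TaintTracking::Configuration {
  OgnlInjectionConfig() { this = "OgnlInjectionConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }

  /**
   * Taint flows from the expression string into the tree returned by
   * Ognl.parseExpression(expr) and Ognl.compileExpression(ctx, root, expr).
   */
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(OgnlCall call |
      succ.asExpr() = call and
      (
        call.getMethod().hasName("parseExpression") and pred.asExpr() = call.getArgument(0)
        or
        call.getMethod().hasName("compileExpression") and pred.asExpr() = call.getArgument(2)
      )
    )
  }
}

from OgnlInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "OGNL injection from $@.", source.getNode(),
  "user-provided input"
```

Run against a CodeQL database of a Java project; on the test methods above, every `getValue`, `setValue` and `callMethod` call marked as flagged is reported with a path back to the `@RequestParam` parameter, while `parseExpression` and `compileExpression` themselves are only intermediate steps, matching the behaviour the PR description gives for its query.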

@ggolawski ggolawski requested a review from a team as a code owner June 27, 2020 16:30
@aschackmull aschackmull merged commit 13cb853 into github:master Jun 30, 2020
@ggolawski ggolawski deleted the ognl-injection branch July 13, 2020 18:44