Conversation

luchua-bc
Contributor

A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. The most common example of forgotten debug code is a main() method appearing in a web application.

When this sort of debug code is accidentally left in the application, the application is open to unintended modes of interaction. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.

This type of vulnerability is categorized as CWE-489: Active Debug Code.

This query detects the implementation of a main method in Java EE components including servlets, filters and listeners. Please consider merging the PR.

Thanks,
@luchua-bc

@intrigus-lgtm
Contributor

I'm not really familiar with Java EE but why is this a problem?
I've looked at the references but I'm not wiser than before.

Having a main method in a web application increases the attack surface that an attacker can exploit to attack the application logic.

If I understand it right, the main method will never be executed in the context of a servlet?
So how would an attacker profit from the main method if it is never executed?

@luchua-bc
Contributor Author

Hi @intrigus-lgtm,

The main method in a servlet will not be executed by the servlet container automatically, therefore it is useless and is leftover debug code. However, it can be invoked by other classes running in the same servlet container/Java Virtual Machine just like any regular Java program. Therefore it increases the attack surface.

If the main method cannot be invoked, developers will never implement such a method to help develop and debug the web application.

A simple example is that a servlet defines a static attribute:

private static boolean DEBUG = false; // not final, so main() can change it at runtime

Then the main method sets the flag to true, thus enabling features and business logic that are not supposed to be available in production.

Also, leaving main in servlets is a good indicator that the application very probably has other debug code left in it, which requires awareness from developers.

To address this issue, either the main method can be removed from servlet classes or the code can be moved to separate test case programs that are not packaged in the production bundle (EAR or WAR file).

Hope this answers your question.
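An added illustration of the pattern described in the comment above (example code written for this page, not from the PR or the CodeQL project; the AccountServlet class, its debug output and the hardened variant are assumed):

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Leftover debug entry point: the container never calls main(), but any class
// sharing the JVM can, and doing so flips DEBUG for every request that follows.
public class AccountServlet extends HttpServlet {
    // Not final, so main() (or anything else loaded in the container) can change it.
    private static boolean DEBUG = false;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        PrintWriter out = resp.getWriter();
        if (DEBUG) {
            // Debug-only behaviour that must not be reachable in production.
            out.println("session=" + req.getSession().getId());
            out.println("params=" + req.getParameterMap().keySet());
        }
        out.println("account page");
    }

    // CWE-489: debug code that should never ship. The query in this PR flags
    // exactly this method; once invoked, the flag stays set for all requests.
    public static void main(String[] args) {
        DEBUG = true;
        System.out.println("AccountServlet debug mode enabled");
    }
}

// Hardened form: no main(), and the debug flag is a compile-time constant,
// so no code path in the deployed WAR/EAR can enable the extra output.
class AccountServletFixed extends HttpServlet {
    private static final boolean DEBUG = false;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.getWriter().println("account page");
    }
}
```

The debug code belongs in a separate test class outside the production bundle, as the comment recommends.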

@tamasvajk tamasvajk left a comment

I added one last change request that should help in maintainability. Otherwise it looks good to me.

@tamasvajk tamasvajk merged commit 505d04b into github:main Feb 25, 2021
@tamasvajk
Contributor

@luchua-bc Thank you for this contribution.

@luchua-bc luchua-bc deleted the java/main-method-in-servlet branch February 25, 2021 17:07