Java: CWE-094 Rhino code injection #5802
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
luchua-bc
force-pushed
the
java/rhino-injection
branch
from
318545e to
2567979
Compare
1 task
Marcono1234
reviewed
May 2, 2021
There was a problem hiding this comment.
Maybe the following Scripting API methods might be interesting as well:
Compilable.compile
If a script is compiled, it is very likely that the application later executes it. Therefore this might allow remote code execution as well.ScriptEngineFactory.getProgram
If an application gets the program script, it is likely that it later executes that script as well.ScriptEngineFactory.getMethodCallSyntax
Not completely sure about this one, but maybe it can be misused for remote code execution as well (possibly by providing maliciousargsvalues, or in case the other arguments are not properly validated and allow code injection); with the same rationale as above: If an application uses this method, it is likely that is executes its result later on.
For Rhino maybe the following is interesting as well:
ClassCompiler.compileToClassFilesGeneratedClassLoader.defineClass
Not directly related to scripting, but maybe interesting nonetheless.Context:
However, I am not a member of this project, so feel free to consider this only as suggestion. The maintainers will probably give you more in depth feedback.
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
|
Thanks @Marcono1234 for reviewing this PR. I just submitted another PR and will make requested changes to this one in the next two days. |
|
All requested changes have been made. Please review. |
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
luchua-bc
force-pushed
the
java/rhino-injection
branch
from
aa2925d to
5d282d2
Compare
wood14
previously approved these changes
May 5, 2021
smowton
reviewed
May 11, 2021
java/ql/src/experimental/Security/CWE/CWE-094/RhinoInjection.java
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
|
Thanks @smowton for reviewing this PR. I've made all requested changes. Please review again. |
Marcono1234
reviewed
May 14, 2021
luchua-bc
force-pushed
the
java/rhino-injection
branch
from
1480696 to
d85df6e
Compare
smowton
reviewed
May 14, 2021
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
smowton
reviewed
May 17, 2021
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
smowton
reviewed
May 17, 2021
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.qhelp
Outdated
Show resolved
Hide resolved
smowton
reviewed
May 18, 2021
java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
Outdated
Show resolved
Hide resolved
smowton
previously approved these changes
May 18, 2021
|
Needs rebase |
luchua-bc
force-pushed
the
java/rhino-injection
branch
from
465a64c to
02aa9c6
Compare
|
@smowton I've done the rebase. Please merge again. Thanks. |
smowton
approved these changes
May 18, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Rhino is a JavaScript engine written fully in Java and managed by the Mozilla Foundation.
It serves as an embedded scripting engine inside Java applications which allows
Java-to-JavaScript interoperability and provides a seamless integration between the two
languages. If an expression is built using attacker-controlled data, and then evaluated in
a powerful context, it may allow the attacker to run arbitrary code.
Typically an expression is evaluated in the powerful context initialized with
initStandardObjectsthat allows an expression of arbitrary Java code toexecute in the JVM.
The query detects unsafe usage of Rhino expressions. Please consider to merge the PR. Thanks.