From 0b546076f5144fcdd8cfb1359502db6a594cd744 Mon Sep 17 00:00:00 2001 From: elsapet Date: Mon, 29 Jan 2024 15:30:57 +0200 Subject: [PATCH] feat(java): add SQL external config rule --- rules/java/lang/external_config_control.yml | 39 +++++++++++++++++++ .../java/lang/external_config_control/test.js | 18 +++++++++ .../testdata/main.java | 29 ++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 rules/java/lang/external_config_control.yml create mode 100644 tests/java/lang/external_config_control/test.js create mode 100644 tests/java/lang/external_config_control/testdata/main.java diff --git a/rules/java/lang/external_config_control.yml b/rules/java/lang/external_config_control.yml new file mode 100644 index 000000000..b7bcf5c43 --- /dev/null +++ b/rules/java/lang/external_config_control.yml @@ -0,0 +1,39 @@ +imports: + - java_shared_lang_instance + - java_shared_lang_user_input +patterns: + - pattern: | + $.setCatalog($); + filters: + - variable: SQL_CONN + detection: java_shared_lang_instance + scope: cursor + filters: + - variable: JAVA_SHARED_LANG_INSTANCE_TYPE + regex: \A(java\.sql\.)?Connection\z + - variable: USER_INPUT + detection: java_shared_lang_user_input + scope: cursor +languages: + - java +severity: warning +metadata: + description: "User input in SQL Connection setCatalog detected." + remediation_message: | + ## Description + + It is bad security practice to use unsanitized user input when configuring a SQL Connection's catalog. + This could allow an attacker to provide their own catalog name to the setCatalog method call, resulting in unexpected or malicious application behaviour. + + ## Remediations + + ❌ Avoid Direct User Input + + Do not use user-supplied information when setting the catalog for your SQL database + + ## Resources + - [Java SQL Connection](https://docs.oracle.com/en/java/javase/21/docs/api/java.sql/java/sql/Connection.html) + cwe_id: + - 15 + id: java_lang_external_config_control + documentation_url: https://docs.bearer.com/reference/rules/java_lang_external_config_control diff --git a/tests/java/lang/external_config_control/test.js b/tests/java/lang/external_config_control/test.js new file mode 100644 index 000000000..06f2cee72 --- /dev/null +++ b/tests/java/lang/external_config_control/test.js @@ -0,0 +1,18 @@ +const { + createNewInvoker, + getEnvironment, +} = require("../../../helper.js") +const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) + +describe(ruleId, () => { + const invoke = createNewInvoker(ruleId, ruleFile, testBase) + + test("external_config_control", () => { + const testCase = "main.java" + + const results = invoke(testCase) + + expect(results.Missing).toEqual([]) + expect(results.Extra).toEqual([]) + }) +}) \ No newline at end of file diff --git a/tests/java/lang/external_config_control/testdata/main.java b/tests/java/lang/external_config_control/testdata/main.java new file mode 100644 index 000000000..adccee205 --- /dev/null +++ b/tests/java/lang/external_config_control/testdata/main.java @@ -0,0 +1,29 @@ +// Use bearer:expected java_lang_external_config_control to flag expected findings +package unsafe; + +import javax.servlet.http.HttpServletRequest; +import java.sql.Connection; +import java.sql.SQLException; + +public class Connect { + private HttpServletRequest globalRequest; + private Connection globalConn; + + public static void bad(Connection conn, HttpServletRequest request) throws SQLException { + var foo = request.getParameter("foo"); + // bearer:expected java_lang_external_config_control + conn.setCatalog(foo); + } + + public void bad2() throws SQLException { + String bar = globalRequest.getParameter("bar"); + // bearer:expected java_lang_external_config_control + globalConn.setCatalog(bar); + } + + public static void ok(Connection conn, HttpServletRequest request) throws SQLException { + var baz = org.apache.commons.text.StringEscapeUtils.unescapeJava(request.getParameter("baz")); + conn.setCatalog(baz); + globalConn.setCatalog("known"); + } +}