feat(java): add EL injection rule (#200)

Bearer · Jan 29, 2024 · 8156e6c · 8156e6c
1 parent 1fb29e9
commit 8156e6c
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 0 deletions.
diff --git a/rules/java/lang/expression_language_injection.yml b/rules/java/lang/expression_language_injection.yml
@@ -0,0 +1,56 @@
+imports:
+  - java_shared_lang_instance
+  - java_shared_lang_user_input
+patterns:
+  - pattern: $<EXPRESSION_FACTORY>.$<METHOD>($<EL_CONTEXT>, $<STRING_PARAM>$<...>);
+    filters:
+      - variable: EXPRESSION_FACTORY
+        detection: java_shared_lang_instance
+        scope: cursor
+        filters:
+          - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+            regex: \A(javax\.el\.)?ExpressionFactory\z
+      - variable: METHOD
+        values:
+          - createValueExpression
+          - createMethodExpression
+      - variable: EL_CONTEXT
+        detection: java_shared_lang_instance
+        scope: cursor
+        filters:
+          - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+            regex: \A(javax\.el\.)?ELContext\z
+      - variable: STRING_PARAM
+        detection: java_lang_expression_language_injection_string_method_arg
+auxiliary:
+  - id: java_lang_expression_language_injection_string_method_arg
+    patterns:
+      - pattern: |
+          class $<...>$<_> $<...>{
+            $<...>$<_> $<_>($<...>$<JAVA_SHARED_LANG_INSTANCE_TYPE> $<JAVA_SHARED_LANG_INSTANCE_VARIABLE>$<...>)$<...>{}
+          }
+        focus: JAVA_SHARED_LANG_INSTANCE_VARIABLE
+        filters:
+          - variable: JAVA_SHARED_LANG_INSTANCE_TYPE
+            regex: \A(java\.lang\.)?String\z
+languages:
+  - java
+severity: warning
+metadata:
+  description: "Possible expression language (EL) injection detected."
+  remediation_message: |
+    ## Description
+
+    Using external input when building an expression language (EL) statement can lead to EL injection attacks and the evaluation of risky code.
+
+    ## Remediations
+
+    ✅ Always validate the source of external input or dynamic values before using them to construct EL statements
+
+    ## Resources
+    - [OWASP Expression Language Injection](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
+  cwe_id:
+    - 917
+    - 94
+  id: java_lang_expression_language_injection
+  documentation_url: https://docs.bearer.com/reference/rules/java_lang_expression_language_injection
diff --git a/tests/java/lang/expression_language_injection/test.js b/tests/java/lang/expression_language_injection/test.js
@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("expression_language_injection", () => {
+    const testCase = "main.java"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
diff --git a/tests/java/lang/expression_language_injection/testdata/main.java b/tests/java/lang/expression_language_injection/testdata/main.java
@@ -0,0 +1,30 @@
+import javax.el.*;
+
+public class ELInjection {
+
+    public String bad(String externalInput) {
+        ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
+        ELContext elContext = context.getELContext();
+
+        // bearer:expected java_lang_expression_language_injection
+        ValueExpression valueExp = expressionFactory.createValueExpression(elContext, externalInput, String.class);
+        // bearer:expected java_lang_expression_language_injection
+        ValueExpression valueExp = expressionFactory.createValueExpression(elContext, externalInput);
+        // bearer:expected java_lang_expression_language_injection
+        MethodExpression methodExp = expressionFactory.createMethodExpression(elContext, externalInput, String.class, null);
+
+        return (String) valEx.getValue(elContext);
+    }
+
+    public MethodInfo methodExpr(String expression) {
+        FacesContext context = FacesContext.getCurrentInstance();
+        ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
+        ELContext elContext = context.getELContext();
+
+        // ok
+        String safe = "hello world";
+        MethodExpression ex = expressionFactory.createMethodExpression(elContext, safe, String.class, null);
+        return ex.getMethodInfo(elContext);
+    }
+
+}