Skip to content

Commit

Permalink
feat(java): add rule for spring ui model
Browse files Browse the repository at this point in the history
  • Loading branch information
gotbadger committed Jul 31, 2024
1 parent 74423b4 commit 9974a0b
Show file tree
Hide file tree
Showing 3 changed files with 94 additions and 0 deletions.
55 changes: 55 additions & 0 deletions rules/java/spring/model_reflected_xss.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
imports:
- java_shared_lang_external_input
- java_shared_lang_instance
patterns:
- pattern: |
$<MODEL_INSTANCE>.addAttribute($<_>, $<USER_INPUT>);
filters:
- variable: MODEL_INSTANCE
detection: java_shared_lang_instance
scope: cursor
filters:
- variable: JAVA_SHARED_LANG_INSTANCE_TYPE
regex: \A(org\.springframework\.ui\.)?Model\z
- variable: USER_INPUT
detection: java_spring_model_reflected_xss_unsanitized_input
scope: cursor
auxiliary:
- id: java_spring_model_reflected_xss_unsanitized_input
patterns:
- pattern: $<USER_INPUT>;
filters:
- variable: USER_INPUT
detection: java_shared_lang_external_input
scope: cursor_strict
- not:
variable: USER_INPUT
detection: java_spring_model_reflected_xss_request_url_string
- id: java_spring_model_reflected_xss_request_url_string
patterns:
- pattern: $<_>.getRequestURL().toString();

languages:
- java
metadata:
description: "Unsanitized request data in spring UI model (XSS)"
remediation_message: |-
## Description
Cross-site scripting (XSS) vulnerabilities occur when unsanitized user input is included in web page content. This flaw can lead to malicious scripts being executed in the context of the user's browser, compromising the security of user data and interactions with the application.
## Remediations
- **Do** validate the input before adding it to the UI model.
- **Do** sanitize user input to remove or neutralize unwanted scripts.
## References
- [OWASP XSS Prevention Cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
- [OWASP Java Encoder](https://owasp.org/www-project-java-encoder/)
- [Spring HtmlUtils](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html)
cwe_id:
- 79
id: "java_spring_model_reflected_xss"
documentation_url: https://docs.bearer.com/reference/rules/java_spring_model_reflected_xss
severity: high
19 changes: 19 additions & 0 deletions tests/java/spring/model_reflected_xss/test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)


test("main", () => {
const testCase = "main.java"

const results = invoke(testCase)

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
})
20 changes: 20 additions & 0 deletions tests/java/spring/model_reflected_xss/testdata/main.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package com.example.model.xss;

import org.springframework.ui.Model;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class LoginController {

@PostMapping("/updateUser")
public String updateUser(@RequestParam(name = "bad") String bad, Model model) {
// bearer:expected java_spring_model_reflected_xss
model.addAttribute("displayname", bad);
}

@PostMapping("/submit")
public String updateUser(@RequestParam(id = "id") String id, Model model) {
model.addAttribute("selected", Integer.parseInt(id));
}
}

0 comments on commit 9974a0b

Please sign in to comment.