feat(java): vulnerable Apache commons collection version and InvokerT…

…ransformer
Bearer · Feb 13, 2024 · aef3fbe · aef3fbe
1 parent 14b2e2d
commit aef3fbe
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 0 deletions.
diff --git a/rules/java/lang/apache_commons_collection.yml b/rules/java/lang/apache_commons_collection.yml
@@ -0,0 +1,31 @@
+patterns:
+  - pattern: new $<INVOKER_TRANSFORMER>();
+    filters:
+      - variable: INVOKER_TRANSFORMER
+        regex: \A(org\.apache\.commons\.collections\.functors\.)?InvokerTransformer\z
+dependency_check: true
+dependency:
+  name: commons-collections3
+  min_version: 3.2.2
+  filename: maven-dependencies.json
+languages:
+  - java
+metadata:
+  description: Usage of vulnerable Apache Commons Collections 3 class (InvokeTransformer)
+  remediation_message: |
+    ## Description
+
+    The InvokeTransformer class has known security vulnerabilities for versions of Apache Commons Collections older than 3.2.2;
+    namely, the class is vulnerable to remote code execution when deserializing data.
+
+    ## Remediations
+
+    ✅ Upgrade Apache Commons Collections 3 to version 3.2.2 or above
+
+    ## References
+
+    - [Apache Commons Collections 3.2.2](https://commons.apache.org/proper/commons-collections/security-reports.html)
+  cwe_id:
+    - 1395
+  id: java_lang_apache_commons_collection
+  documentation_url: https://docs.bearer.com/reference/rules/java_lang_apache_commons_collection
diff --git a/tests/java/lang/apache_commons_collection/test.js b/tests/java/lang/apache_commons_collection/test.js
@@ -0,0 +1,18 @@
+const {
+  createNewInvoker,
+  getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+  const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+  test("apache_commons_collection", () => {
+    const testCase = "insecure/"
+
+    const results = invoke(testCase)
+
+    expect(results.Missing).toEqual([])
+    expect(results.Extra).toEqual([])
+  })
+})
diff --git a/tests/java/lang/apache_commons_collection/testdata/insecure/main.java b/tests/java/lang/apache_commons_collection/testdata/insecure/main.java
@@ -0,0 +1,9 @@
+import org.apache.commons.collections3;
+
+public class Foo {
+  public static void bad(String[] args) throws Exception {
+    // bearer:expected java_lang_apache_commons_collection
+    InvokerTransformer transformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"});
+    Object result = transformer.transform(null);
+  }
+}
diff --git a/tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json b/tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json
@@ -0,0 +1,10 @@
+[{
+  "groupId": "org.apache.commons",
+  "artifactId": "commons-collections3",
+  "version": "3.2.0"
+},
+{
+  "groupId": "test1",
+  "artifactId": "testartifact1",
+  "version": "1.0.beta"
+}]