From aef3fbe2ec7a09d41aed18fed0e41d20b2df3c6a Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 9 Feb 2024 14:45:41 +0200
Subject: [PATCH] feat(java): vulnerable Apache commons collection version and InvokerTransformer
---
rules/java/lang/apache_commons_collection.yml | 31 +++++++++++++++++++
.../lang/apache_commons_collection/test.js | 18 +++++++++++
.../testdata/insecure/main.java | 9 ++++++
.../testdata/insecure/maven-dependencies.json | 10 ++++++
4 files changed, 68 insertions(+)
create mode 100644 rules/java/lang/apache_commons_collection.yml
create mode 100644 tests/java/lang/apache_commons_collection/test.js
create mode 100644 tests/java/lang/apache_commons_collection/testdata/insecure/main.java
create mode 100644 tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json
diff --git a/rules/java/lang/apache_commons_collection.yml b/rules/java/lang/apache_commons_collection.yml
new file mode 100644
index 000000000..7cd79cbd1
--- /dev/null
+++ b/rules/java/lang/apache_commons_collection.yml
@@ -0,0 +1,31 @@
+patterns:
+ - pattern: new $();
+ filters:
+ - variable: INVOKER_TRANSFORMER
+ regex: \A(org\.apache\.commons\.collections\.functors\.)?InvokerTransformer\z
+dependency_check: true
+dependency:
+ name: commons-collections3
+ min_version: 3.2.2
+ filename: maven-dependencies.json
+languages:
+ - java
+metadata:
+ description: Usage of vulnerable Apache Commons Collections 3 class (InvokeTransformer)
+ remediation_message: |
+ ## Description
+
+ The InvokeTransformer class has known security vulnerabilities for versions of Apache Commons Collections older than 3.2.2;
+ namely, the class is vulnerable to remote code execution when deserializing data.
+
+ ## Remediations
+
+ ✅ Upgrade Apache Commons Collections 3 to version 3.2.2 or above
+
+ ## References
+
+ - [Apache Commons Collections 3.2.2](https://commons.apache.org/proper/commons-collections/security-reports.html)
+ cwe_id:
+ - 1395
+ id: java_lang_apache_commons_collection
+ documentation_url: https://docs.bearer.com/reference/rules/java_lang_apache_commons_collection
diff --git a/tests/java/lang/apache_commons_collection/test.js b/tests/java/lang/apache_commons_collection/test.js
new file mode 100644
index 000000000..5089fc8b9
--- /dev/null
+++ b/tests/java/lang/apache_commons_collection/test.js
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("apache_commons_collection", () => {
+ const testCase = "insecure/"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/java/lang/apache_commons_collection/testdata/insecure/main.java b/tests/java/lang/apache_commons_collection/testdata/insecure/main.java
new file mode 100644
index 000000000..c56b7b771
--- /dev/null
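Review bot: The `description` and the remediation text call the class `InvokeTransformer` while the filter regex matches `InvokerTransformer`; the metadata should read `description: Usage of vulnerable Apache Commons Collections 3 class (InvokerTransformer)` and `The InvokerTransformer class has known security vulnerabilities …`. `dependency.name: commons-collections3` only matches because the `maven-dependencies.json` fixture in this patch declares an artifact with that id; Commons Collections 3.x is published on Maven Central as groupId `commons-collections`, artifactId `commons-collections`, so unless the dependency resolver maps those coordinates onto this name the version check will never trigger on a real build (the fixture's `"groupId": "org.apache.commons"` has the same problem). The pattern also appears here as `new $();`, which binds no variable for the `INVOKER_TRANSFORMER` filter — presumably `$<INVOKER_TRANSFORMER>` lost its angle brackets in rendering, but it is worth confirming against the committed file.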
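Review bot: Only the `insecure/` fixture is exercised, so nothing demonstrates that `dependency_check` suppresses the finding once the declared version is 3.2.2 or newer, which is the whole point of the `min_version` gate. A `secure/` testdata directory holding the same `main.java` without the `bearer:expected` marker and a `maven-dependencies.json` with `"version": "3.2.2"`, driven by a second `test` block, would pin the negative case and catch a regression where the rule fires on every `new InvokerTransformer(...)`. The file also ends without a trailing newline.
```javascript
describe(ruleId, () => {
  // … unchanged: invoke setup and the "apache_commons_collection" insecure test …

  test("apache_commons_collection_secure", () => {
    const testCase = "secure/"

    const results = invoke(testCase)

    expect(results.Missing).toEqual([])
    expect(results.Extra).toEqual([])
  })
})
```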
+++ b/tests/java/lang/apache_commons_collection/testdata/insecure/main.java
@@ -0,0 +1,9 @@
+import org.apache.commons.collections3;
+
+public class Foo {
+ public static void bad(String[] args) throws Exception {
+ // bearer:expected java_lang_apache_commons_collection
+ InvokerTransformer transformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"});
+ Object result = transformer.transform(null);
+ }
+}
diff --git a/tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json b/tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json
new file mode 100644
index 000000000..3a71e3f20
--- /dev/null
+++ b/tests/java/lang/apache_commons_collection/testdata/insecure/maven-dependencies.json
@@ -0,0 +1,10 @@
+[{
+ "groupId": "org.apache.commons",
+ "artifactId": "commons-collections3",
+ "version": "3.2.0"
+},
+{
+ "groupId": "test1",
+ "artifactId": "testartifact1",
+ "version": "1.0.beta"
+}]
\ No newline at end of file
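Review bot: `import org.apache.commons.collections3;` is not a valid Java import — it names neither a class nor a `.*` wildcard, and the 3.x class actually lives at `org.apache.commons.collections.functors.InvokerTransformer`. The fixture is scanned rather than compiled, so the rule still matches on the simple-name alternative of its regex, but `import org.apache.commons.collections.functors.InvokerTransformer;` would make the fixture look like real code and exercise the fully-qualified package prefix the regex also accepts. `Object result` is assigned and never read; either drop the local or use the value so the fixture does not carry dead code.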