Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(java): add dangerous permissions rule (CWE-269) #198

Merged
merged 1 commit into from
Jan 29, 2024
Merged

feat(java): add dangerous permissions rule (CWE-269) #198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions rules/java/lang/dangerous_permissions.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
imports:
- java_shared_lang_instance
patterns:
- pattern: |
$<PERMISSION_COLLECTION>.add($<PERMISSION>);
filters:
- variable: PERMISSION_COLLECTION
detection: java_shared_lang_instance
scope: cursor
filters:
- variable: JAVA_SHARED_LANG_INSTANCE_TYPE
values:
- PermissionCollection
- variable: PERMISSION
detection: java_lang_dangerous_permissions_permissions
auxiliary:
- id: java_lang_dangerous_permissions_permissions
patterns:
- pattern: new RuntimePermission($<CREATE_CLASS_LOADER>);
filters:
- variable: CREATE_CLASS_LOADER
string_regex: \AcreateClassLoader\z
- pattern: new ReflectPermission($<SUPPRESS_ACCESS_CHECKS>);
filters:
- variable: SUPPRESS_ACCESS_CHECKS
string_regex: \AsuppressAccessChecks\z
languages:
- java
severity: warning
metadata:
description: "Granting of dangerous permissions detected."
remediation_message: |
## Description

It is improper privilege management to grant certain permissions, as these can compromise the security of an application.

In this case, granting RuntimePermission of `createClassLoader` puts the application at risk of the unauthorized class loaders being instantiated to load arbitrary classes.
Granting ReflectPermission of `suppressAccessChecks` removes Java language access checks, and risks providing unrestricted access to protected and private class members.

## Remediations

❌ Do not grant RuntimePermission("createClassLoader") permission

❌ Do not grant ReflectPermission("suppressAccessChecks") permission

✅ Avoid granting the RuntimePermission of createClassLoader to prevent the instantiation of unauthorized class loaders and the loading of arbitrary classes.
cwe_id:
- 269
id: java_lang_dangerous_permissions
documentation_url: https://docs.bearer.com/reference/rules/java_lang_dangerous_permissions
18 changes: 18 additions & 0 deletions tests/java/lang/dangerous_permissions/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
const {
createNewInvoker,
getEnvironment,
} = require("../../../helper.js")
const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)

describe(ruleId, () => {
const invoke = createNewInvoker(ruleId, ruleFile, testBase)

test("dangerous_permissions", () => {
const testCase = "main.java"

const results = invoke(testCase)

expect(results.Missing).toEqual([])
expect(results.Extra).toEqual([])
})
})
33 changes: 33 additions & 0 deletions tests/java/lang/dangerous_permissions/testdata/main.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
// License: LGPL-3.0 License (c) find-sec-bugs
package perm;
import java.lang.reflect.ReflectPermission;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.util.ArrayList;
import java.util.List;

public class DangerousPermissions {
public void bad(CodeSource codesource) {
PermissionCollection coll = super.getPermissions(codesource);
// bearer:expected java_lang_dangerous_permissions
coll.add(new ReflectPermission("suppressAccessChecks"));
// bearer:expected java_lang_dangerous_permissions
coll.add(new RuntimePermission("createClassLoader"));
RuntimePermission perm = new RuntimePermission("createClassLoader");
// bearer:expected java_lang_dangerous_permissions
coll.add(perm);
ReflectPermission p = new ReflectPermission("suppressAccessChecks");
// bearer:expected java_lang_dangerous_permissions
coll.add(p);
}

public void ok(CodeSource codesource) {
RuntimePermission permission = new RuntimePermission("createClassLoader");
List<RuntimePermission> list = new ArrayList<>();
list.add(permission);

ReflectPermission perm = new ReflectPermission("newProxyInPackage");
PermissionCollection pc = super.getPermissions(codesource);
pc.add(perm);
}
}
Loading