java.jax-rs.security.insecure-resteasy.default-resteasy-provider-abuse


When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending an HTTP request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializableProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the method or class.



Definition

rules:
  - id: default-resteasy-provider-abuse
    message: When a Restful webservice endpoint isn't configured with a @Consumes
      annotation, an attacker could abuse the SerializableProvider by sending a
      HTTP Request with a Content-Type of application/x-java-serialized-object.
      The body of that request would be processed by the SerializationProvider
      and could contain a malicious payload, which may lead to arbitrary code
      execution. Instead, add a @Consumes annotation to the function or class.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      cwe:
        - "CWE-502: Deserialization of Untrusted Data"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A08:2017 - Insecure Deserialization
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://access.redhat.com/blogs/766093/posts/3162112
      subcategory:
        - audit
      technology:
        - jax-rs
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - "Insecure Deserialization"
    languages:
      - java
    patterns:
      - pattern: |
          @Path("...")
          public $RETURNTYPE $METHOD(...) { ...}
      - pattern-not-inside: |
          @GET
          public $RETURNTYPE $METHOD(...) { ...}
      - pattern-not-inside: |
          @Path("...")
          @Consumes(...)
          public $RETURNTYPE $METHOD(...) { ...}
      - pattern-not-inside: |
          @Consumes(...)
          public class $CLASSNAME { ... }

Examples

insecure-resteasy.java

package unsafe.jaxrs;

import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

/**
 * Semgrep example fixture for the {@code default-resteasy-provider-abuse} rule (method-level
 * {@code @Consumes} variant).
 *
 * <p>The {@code // ruleid:} and {@code // ok:} comments mark which endpoints the rule is expected
 * to flag or leave alone. The annotation order and the placement of those comments are part of the
 * fixture and are kept as-is; the rule's pattern matches each method body as {@code ...}, so only
 * the bodies are written differently here.
 */
@Path("/")
public class PoC_resource {
  @POST
  @Path("/concat")
  @Produces(MediaType.APPLICATION_JSON)
  // ruleid: insecure-resteasy-deserialization
  @Consumes({ "*/*" })
  public Map<String, String> doConcat(Pair pair) {
    // A method-level @Consumes is present, so the rule defined on this page does not match here;
    // the marker above names a different rule id than the one this page defines.
    String joined = pair.getP1() + pair.getP2();
    Map<String, String> response = new HashMap<>();
    response.put("Result", joined);
    return response;
  }

  // ruleid:default-resteasy-provider-abuse
  @POST
  @Path("/vulnerable")
  @Produces(MediaType.APPLICATION_JSON)
  public Map<String, String> doConcat(Pair pair) {
    // No @Consumes on this method and none on the class: none of the rule's pattern-not-inside
    // clauses apply, so this is the endpoint the rule is expected to report.
    String joined = pair.getP1() + pair.getP2();
    Map<String, String> response = new HashMap<>();
    response.put("Result", joined);
    return response;
  }

  @POST
  @Path("/count")
  @Produces(MediaType.APPLICATION_JSON)
  // ok: insecure-resteasy-deserialization
  @Consumes(MediaType.APPLICATION_JSON)
  public Map<String, Integer> doCount(ArrayList<Object> elements) {
    // Restricted to JSON via @Consumes, so the method-level pattern-not-inside clause excludes it.
    Map<String, Integer> response = new HashMap<>();
    int count = elements.size();
    response.put("Result", count);
    return response;
  }

  // ok: default-resteasy-provider-abuse
  @GET
  @Path("/tenantmode")
  @Produces(MediaType.TEXT_PLAIN)
  public String getTenantMode() {
    // @GET endpoints are excluded by the rule's first pattern-not-inside clause.
    // NOTE: kubernetesService is not declared anywhere in this fixture; it is only here to give
    // the method a body.
    return kubernetesService.getMessage();
  }

}

/**
 * Semgrep example fixture for the {@code default-resteasy-provider-abuse} rule (class-level
 * {@code @Consumes} variant).
 *
 * <p>The {@code // ok:} marker records that a {@code @Consumes} on the class is expected to
 * suppress the finding for the endpoint it contains, matching the rule's
 * {@code @Consumes(...) public class $CLASSNAME { ... }} pattern-not-inside clause.
 */
@Path("/")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class PoC_resource {

  // ok: default-resteasy-provider-abuse
  @POST
  @Path("/concat")
  public Map<String, String> doConcat(Pair pair) {
    // The accepted media type is fixed at class level, so no per-method @Consumes is needed.
    String joined = pair.getP1() + pair.getP2();
    Map<String, String> response = new HashMap<>();
    response.put("Result", joined);
    return response;
  }

}