java.jboss.security.seam-log-injection.seam-log-injection


The Seam Logging API supports an expression language for inserting bean properties into log messages. That expression language can also become a source of unwanted code execution. In this context, an expression is built from a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.


Definition

rules:
  # Flags Seam log calls whose message argument is assembled by string concatenation.
  # A concatenated first argument is the signal that dynamic text is being placed into
  # a message that Seam interprets; the positional form ($LOG.info("... #0", value))
  # does not match this pattern and is therefore not reported.
  - id: seam-log-injection
    patterns:
      # Match any call $LOG.$INFO(...) whose first argument is a concatenation $X + $Y.
      # NOTE(review): a message concatenated into a local variable first and then passed
      # as a plain identifier is likely not matched by this pattern, so this check
      # catches only the inline form.
      - pattern: |
          $LOG.$INFO($X + $Y,...)
      # Scope to files that either import the Seam Log type or declare a Log-typed
      # variable, presumably so that other logging APIs sharing these method names
      # are not reported.
      - pattern-either:
          - pattern-inside: |
              import org.jboss.seam.log.Log;
              ...
          - pattern-inside: |
              org.jboss.seam.log.Log $LOG = ...;
              ...
      # Only the level-named logging methods are of interest.
      - metavariable-regex:
          metavariable: $INFO
          regex: (debug|error|fatal|info|trace|warn)
    languages:
      - java
    message: Seam Logging API support an expression language to introduce bean
      property to log messages. The expression language can also be the source
      to unwanted code execution. In this context, an expression is built with a
      dynamic value. The source of the value(s) should be verified to avoid that
      unfiltered values fall into this risky code evaluation.
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION
      category: security
      technology:
        - jboss
      # LOW confidence: the pattern sees only that a concatenation reached the logger,
      # not whether the concatenated values are attacker-controlled; findings need
      # manual review (hence the "audit" subcategory).
      confidence: LOW
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: ERROR

Examples

seam-log-injection.java

package com.company.util;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.jboss.seam.log.Logging;
import org.jboss.seam.log.Log;

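/**
 * Servlet filter that logs basic details of incoming {@code .seam} requests through the
 * Seam {@link Log} API.
 *
 * <p>This class is a Semgrep test fixture for the {@code seam-log-injection} rule: the
 * lines marked {@code ruleid} deliberately build the log message by string concatenation
 * so the rule has something to flag, while the line marked {@code ok} shows the
 * positional-parameter form ({@code #0}) that the rule does not report. The
 * {@code ruleid} lines are intentionally left as they are; the rule's test depends on them.
 *
 * <p>Fix applied here: the original declared {@code logUser(User)} twice, which does not
 * compile; the positional-parameter variant is now {@link #logUserSafely(User)}. The
 * {@link Filter#init(FilterConfig)} and {@link Filter#destroy()} methods are supplied so
 * the class also satisfies servlet versions in which they are abstract.
 */
public class HttpRequestDebugFilter implements Filter {
    private final Log log = Logging.getLog(HttpRequestDebugFilter.class);

    /**
     * No configuration is read; present to satisfy the {@link Filter} contract.
     *
     * @param filterConfig the container-supplied configuration, unused
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * Logs the HTTP method and URI of requests whose URI ends with {@code .seam}, then
     * passes the request down the chain unchanged.
     *
     * @param request  the incoming request; only {@link HttpServletRequest}s are logged
     * @param response the outgoing response, passed through untouched
     * @param chain    the remaining filter chain, always invoked
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            if (httpRequest.getRequestURI().endsWith(".seam")) {
                // Method and URI come straight from the client. Concatenating them into the
                // message hands request-controlled text to Seam's message evaluation (see the
                // rule description); the safe form passes them as #0/#1 parameters instead.
                // ruleid: seam-log-injection
                log.info("request: method="+httpRequest.getMethod()+", URL="+httpRequest.getRequestURI());
            }
        }

        chain.doFilter(request, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
        // no resources held
    }

    /**
     * Fixture: builds the message by concatenating the username (reported by the rule).
     *
     * @param user the user whose name is logged
     */
    public void logUser(User user) {
        // ruleid: seam-log-injection
        log.info("Current logged in user : " + user.getUsername());
    }

    /**
     * Fixture: passes the username as a positional parameter so the message template
     * itself stays static (not reported by the rule).
     *
     * @param user the user whose name is logged
     */
    public void logUserSafely(User user) {
        // ok: seam-log-injection
        log.info("Current logged in user : #0", user.getUsername());
    }

}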