java.lang.security.audit.el-injection.el-injection


An Expression Language (EL) expression is built from a dynamic value. Verify where that value comes from: if unfiltered, attacker-controlled input reaches this evaluation, the attacker can run arbitrary EL, which in practice means arbitrary code execution inside the application.


Definition

# Semgrep rule: flags Java Expression Language (EL) expressions
# (ExpressionFactory#createValueExpression / #createMethodExpression) and
# Bean Validation message templates (buildConstraintViolationWithTemplate)
# whose expression string is not a literal. The rule is purely syntactic:
# it does not track where the string came from, so the flagged value may
# or may not be attacker-controlled (hence confidence/likelihood LOW,
# impact HIGH). Review each hit for the origin of the expression string.
rules:
  - id: el-injection
    metadata:
      cwe:
        # NOTE(review): CWE-917 (Expression Language Injection) is the more
        # specific classification for this finding; CWE-94 is kept as listed.
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    message: An expression is built with a dynamic value. The source of the value(s)
      should be verified to avoid that unfiltered values fall into this risky
      code evaluation.
    severity: WARNING
    languages:
      - java
    patterns:
      # Positive patterns. The ExpressionFactory is matched by simple type name
      # (presumably both javax.el and jakarta.el qualify - confirm); each
      # alternative covers one way the factory can reach the call site:
      # a field (with or without initialiser), a local, or a method parameter.
      - pattern-either:
          # ExpressionFactory field without initialiser; `...` lets the field
          # and the method appear anywhere in the class.
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createValueExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          # ExpressionFactory field with initialiser.
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF = ...;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createValueExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          # ExpressionFactory obtained as a local inside the method.
          - pattern: |
              $X $METHOD(...) {
                ...
                ExpressionFactory $EF = ...;
                ...
                $EF.createValueExpression($CTX,$INPUT,...);
                ...
              }
          # ExpressionFactory received as a method parameter.
          - pattern: |
              $X $METHOD(...,ExpressionFactory $EF,...) {
                ...
                $EF.createValueExpression($CTX,$INPUT,...);
                ...
              }
          # Same four shapes for method expressions.
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createMethodExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF = ...;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createMethodExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ExpressionFactory $EF = ...;
                ...
                $EF.createMethodExpression($CTX,$INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ExpressionFactory $EF,...) {
                ...
                $EF.createMethodExpression($CTX,$INPUT,...);
                ...
              }
          # Bean Validation: a message template taken straight from a String
          # parameter of the enclosing method. Violation message templates are
          # interpolated, and on implementations that enable EL for custom
          # violations a `${...}` in the template is evaluated.
          # NOTE(review): only fires when the template is the method's leading
          # String parameter and is passed unchanged; a template built from a
          # field, a later parameter, or string concatenation is not covered.
          - pattern: |
              $X $METHOD(String $INPUT, ...) {
                ...
                $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...);
                ...
              }
      # Exclusions: a string literal, or a local String initialised from a
      # literal, is not dynamic input.
      # NOTE(review): the `...` between `String $S = "...";` and the call also
      # admits a reassignment of $S from untrusted data in between, which would
      # presumably still be suppressed - confirm with a fixture.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $EF.createValueExpression($CTX,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $EF.createValueExpression($CTX,$S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $EF.createMethodExpression($CTX,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $EF.createMethodExpression($CTX,$S,...);
            ...
          }

Examples

el-injection.java

package testcode.script;

import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import javax.faces.context.FacesContext;

// Semgrep test fixture for the el-injection rule. Each method carries the
// annotation the rule is expected to produce (ruleid) or not produce (ok) on
// the line that follows it; the "unsafe" methods are intentionally vulnerable
// and must stay that way or the fixture stops testing anything.
// Not a compilable unit as written: ConstraintValidatorContext is used without
// an import and someMethod() stands in for an arbitrary chained call.
public class ElExpressionSample {

    // Vulnerable: the caller-supplied `expression` string is compiled into a
    // ValueExpression and then evaluated via getValue() against the current
    // Faces ELContext. Any string an attacker can get into this parameter is
    // executed as EL in the application's context.
    // ruleid: el-injection
    public void unsafeEL(String expression) {
        FacesContext context = FacesContext.getCurrentInstance();
        ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
        ELContext elContext = context.getELContext();
        ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
        String result = (String) vex.getValue(elContext);
        System.out.println(result);
    }

    // Safe: the expression is the literal "1+1"; nothing dynamic is evaluated,
    // and the rule's literal-argument exclusion suppresses the finding.
    // ok: el-injection
    public void safeEL() {
        FacesContext context = FacesContext.getCurrentInstance();
        ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
        ELContext elContext = context.getELContext();
        ValueExpression vex = expressionFactory.createValueExpression(elContext, "1+1", String.class);
        String result = (String) vex.getValue(elContext);
        System.out.println(result);
    }

    // Vulnerable: same issue for method expressions, with the ExpressionFactory
    // arriving as a parameter. The expression is only created here (not
    // invoked); the rule flags construction from a non-literal regardless.
    // ruleid: el-injection
    public void unsafeELMethod(ELContext elContext,ExpressionFactory expressionFactory, String expression) {
        expressionFactory.createMethodExpression(elContext, expression, String.class, new Class[]{Integer.class});
    }

    // Safe: literal expression, factory as a parameter.
    //ok: el-injection
    public void safeELMethod(ELContext elContext,ExpressionFactory expressionFactory) {
        expressionFactory.createMethodExpression(elContext, "1+1", String.class,new Class[] {Integer.class});
    }

    // Vulnerable: a caller-supplied `message` becomes the violation message
    // template. Templates are interpolated by the validator, and on
    // implementations that evaluate EL in custom violation messages a
    // `${...}` inside `message` is executed. NOTE(review): the remediation is
    // a fixed template with user data supplied as a message parameter /
    // expression variable, not a change to this fixture.
    //ruleid: el-injection
    private void unsafeELTemplate(String message, ConstraintValidatorContext context) {
         context.disableDefaultConstraintViolation();
         context
             .someMethod()
             .buildConstraintViolationWithTemplate(message)
             .addConstraintViolation();
    }

    // Safe: fixed literal template; the unused `message` parameter never
    // reaches the template.
    //ok: el-injection
    private void safeELTemplate(String message, ConstraintValidatorContext context) {
         context.disableDefaultConstraintViolation();
         context
             .someMethod()
             .buildConstraintViolationWithTemplate("somestring")
             .addConstraintViolation();
    }
}