java.lang.security.audit.el-injection.el-injection
An expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.
Definition
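# Semgrep rule: flags Java EL (Expression Language) expressions whose text is
# not a string literal. Evaluating attacker-influenced EL is code injection
# (CWE-94). This is an audit rule (likelihood LOW, confidence LOW): it looks
# at the call shape only and does not trace where $INPUT originates.
rules:
  - id: el-injection
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: An expression is built with a dynamic value. The source of the value(s)
      should be verified to avoid that unfiltered values fall into this risky
      code evaluation.
    severity: WARNING
    languages:
      - java
    patterns:
      # Positive patterns: ExpressionFactory.createValueExpression or
      # createMethodExpression invoked with a non-literal expression ($INPUT).
      # Each factory method is covered for the four ways $EF can be in scope:
      # uninitialised field, initialised field, local variable, method parameter.
      - pattern-either:
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createValueExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF = ...;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createValueExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ExpressionFactory $EF = ...;
                ...
                $EF.createValueExpression($CTX,$INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ExpressionFactory $EF,...) {
                ...
                $EF.createValueExpression($CTX,$INPUT,...);
                ...
              }
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createMethodExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              class $CLASS {
                ...
                ExpressionFactory $EF = ...;
                ...
                $X $METHOD(...) {
                  ...
                  $EF.createMethodExpression($CTX,$INPUT,...);
                  ...
                }
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ExpressionFactory $EF = ...;
                ...
                $EF.createMethodExpression($CTX,$INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ExpressionFactory $EF,...) {
                ...
                $EF.createMethodExpression($CTX,$INPUT,...);
                ...
              }
          # Bean Validation: a String parameter passed straight into a
          # constraint-violation message template. Templates are interpolated
          # (in implementations such as Hibernate Validator this includes EL),
          # so caller-controlled text reaches expression evaluation. Only fires
          # when the String is the method's first parameter.
          - pattern: |
              $X $METHOD(String $INPUT, ...) {
                ...
                $OBJECT.buildConstraintViolationWithTemplate($INPUT, ...);
                ...
              }
      # Exclusions: expression text that is a string literal, or a local
      # initialised directly from a string literal, is treated as trusted.
      # Only one level of literal assignment is recognised; a constant field
      # or a concatenation of literals passed as $INPUT still fires.
      # NOTE(review): the exclusions are matched at method granularity, so a
      # method containing both a literal call and a dynamic call appears to be
      # suppressed as a whole — confirm against Semgrep's pattern-not semantics.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $EF.createValueExpression($CTX,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $EF.createValueExpression($CTX,$S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $EF.createMethodExpression($CTX,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $EF.createMethodExpression($CTX,$S,...);
            ...
          }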
Examples
el-injection.java
package testcode.script;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import javax.faces.context.FacesContext;
/**
 * Semgrep test fixture for the {@code el-injection} rule.
 *
 * <p>Every method is preceded by a {@code // ruleid:} or {@code // ok:} comment. These are
 * Semgrep test annotations and apply to the line immediately below them, so they must stay
 * directly above the method signature. The class is only pattern-matched, never compiled:
 * {@code ConstraintValidatorContext} is not imported and {@code someMethod()} is a stand-in.
 */
public class ElExpressionSample {
  // Expected finding: the expression text is the caller's argument and is
  // evaluated as EL unchanged. Matched by the rule's "local ExpressionFactory"
  // pattern (factory assigned inside the method body).
  // ruleid: el-injection
  public void unsafeEL(String expression) {
    FacesContext context = FacesContext.getCurrentInstance();
    ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
    ELContext elContext = context.getELContext();
    // the expression argument is the method parameter, not a literal
    ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
    String result = (String) vex.getValue(elContext);
    System.out.println(result);
  }

  // No finding: the expression text is a string literal, which the rule's
  // pattern-not clauses treat as trusted.
  // ok: el-injection
  public void safeEL() {
    FacesContext context = FacesContext.getCurrentInstance();
    ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
    ELContext elContext = context.getELContext();
    ValueExpression vex = expressionFactory.createValueExpression(elContext, "1+1", String.class);
    String result = (String) vex.getValue(elContext);
    System.out.println(result);
  }

  // Expected finding: the factory and the expression text both arrive as
  // parameters. Matched by the rule's "ExpressionFactory parameter" pattern
  // for createMethodExpression.
  // ruleid: el-injection
  public void unsafeELMethod(ELContext elContext,ExpressionFactory expressionFactory, String expression) {
    expressionFactory.createMethodExpression(elContext, expression, String.class, new Class[]{Integer.class});
  }

  // No finding: literal expression text.
  //ok: el-injection
  public void safeELMethod(ELContext elContext,ExpressionFactory expressionFactory) {
    expressionFactory.createMethodExpression(elContext, "1+1", String.class,new Class[] {Integer.class});
  }

  // Expected finding: a String parameter is used as a Bean Validation message
  // template; templates are interpolated (EL in implementations such as
  // Hibernate Validator), so caller-controlled text reaches evaluation.
  // Matched by the buildConstraintViolationWithTemplate pattern, which
  // requires the String to be the first parameter.
  //ruleid: el-injection
  private void unsafeELTemplate(String message, ConstraintValidatorContext context) {
    context.disableDefaultConstraintViolation();
    context
        .someMethod()
        .buildConstraintViolationWithTemplate(message)
        .addConstraintViolation();
  }

  // No finding: the template argument is a literal, not the String parameter,
  // so the rule's $INPUT does not bind to it.
  //ok: el-injection
  private void safeELTemplate(String message, ConstraintValidatorContext context) {
    context.disableDefaultConstraintViolation();
    context
        .someMethod()
        .buildConstraintViolationWithTemplate("somestring")
        .addConstraintViolation();
  }
}