java.lang.security.audit.ognl-injection.ognl-injection

An expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.
Definition
# Semgrep rule: flags XWork/Struts OGNL evaluators (reflection providers,
# text parsers, OgnlUtil, StrutsUtil, ValueStack, ...) being handed an
# expression / property name that is not a string literal. OGNL evaluates
# its input as code (CWE-94 below), so a caller-controlled expression is a
# code-injection sink. The rule only inspects the call shape, not where the
# value came from, which is why it is an "audit" rule with LOW confidence.
rules:
  - id: ognl-injection
    message: A expression is built with a dynamic value. The source of the value(s)
      should be verified to avoid that unfiltered values fall into this risky
      code evaluation.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION
      category: security
      technology:
        - ognl
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - java
    patterns:
      - pattern-either:
          # Form 1: the evaluator $P arrives as a method parameter and a
          # non-literal $INPUT is passed in the expression / property-name
          # position of one of its evaluating methods. The match is the whole
          # enclosing method, not just the call.
          #
          # OgnlReflectionProvider: getter/setter/field lookup by name plus the
          # OGNL get/set entry points.
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.getGetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.getSetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.getField($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlReflectionProvider $P,...) {
                ...
                $P.setValue($INPUT,...);
                ...
              }
          # ReflectionProvider (the interface): the same seven sinks.
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.getGetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.getSetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.getField($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ReflectionProvider $P,...) {
                ...
                $P.setValue($INPUT,...);
                ...
              }
          # TextParseUtil: "${...}" / "%{...}" variable expansion helpers.
          - pattern: |
              $X $METHOD(...,TextParseUtil $P,...) {
                ...
                $P.translateVariables($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,TextParseUtil $P,...) {
                ...
                $P.translateVariablesCollection($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,TextParseUtil $P,...) {
                ...
                $P.shallBeIncluded($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,TextParseUtil $P,...) {
                ...
                $P.commaDelimitedStringToSet($INPUT,...);
                ...
              }
          # TextParser / OgnlTextParser: direct expression evaluation.
          - pattern: |
              $X $METHOD(...,TextParser $P,...) {
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlTextParser $P,...) {
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          # OgnlUtil: property access, method calls and expression compilation.
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.callMethod($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlUtil $P,...) {
                ...
                $P.compile($INPUT,...);
                ...
              }
          # View-layer helpers (Velocity/Struts utilities, OgnlTool) and the
          # ValueStack itself.
          - pattern: |
              $X $METHOD(...,VelocityStrutsUtil $P,...) {
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.isTrue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.findString($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.getText($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.translateVariables($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,StrutsUtil $P,...) {
                ...
                $P.makeSelectList($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,OgnlTool $P,...) {
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ValueStack $P,...) {
                ...
                $P.findString($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ValueStack $P,...) {
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ValueStack $P,...) {
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...,ValueStack $P,...) {
                ...
                $P.setParameter($INPUT,...);
                ...
              }
          # Form 2: the same sinks, but the evaluator is a local declared
          # inside the method (`Type $P = ...;`) rather than a parameter.
          # NOTE(review): an evaluator held in a field (for example one
          # injected through a setter) is neither a parameter nor a local, so
          # neither form matches it -- a likely false negative; confirm with
          # a fixture before relying on the rule for that case.
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.getGetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.getSetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.getField($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlReflectionProvider $P = ...;
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.getGetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.getSetMethod($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.getField($T, $INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ReflectionProvider $P = ...;
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                TextParseUtil $P = ...;
                ...
                $P.translateVariables($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                TextParseUtil $P = ...;
                ...
                $P.translateVariablesCollection($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                TextParseUtil $P = ...;
                ...
                $P.shallBeIncluded($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                TextParseUtil $P = ...;
                ...
                $P.commaDelimitedStringToSet($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                TextParser $P = ...;
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlTextParser $P = ...;
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.setProperties($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.setProperty($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.getValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.callMethod($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlUtil $P = ...;
                ...
                $P.compile($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                VelocityStrutsUtil $P = ...;
                ...
                $P.evaluate($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.isTrue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.findString($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.getText($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.translateVariables($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                StrutsUtil $P = ...;
                ...
                $P.makeSelectList($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                OgnlTool $P = ...;
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ValueStack $P = ...;
                ...
                $P.findString($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ValueStack $P = ...;
                ...
                $P.findValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ValueStack $P = ...;
                ...
                $P.setValue($INPUT,...);
                ...
              }
          - pattern: |
              $X $METHOD(...) {
                ...
                ValueStack $P = ...;
                ...
                $P.setParameter($INPUT,...);
                ...
              }
      # Exclusions, applied to every match above. First set: the sink is
      # called with a string literal in the expression position, which cannot
      # carry attacker input.
      # NOTE(review): these exclusions, like the positive patterns, match the
      # whole enclosing method. A method that contains both a literal-argument
      # call and a dynamic one therefore looks like it would be suppressed as
      # a whole -- confirm with a fixture before relying on that behaviour.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.getGetMethod($T,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.getSetMethod($T,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.getField($T,"...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.setProperties("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.setProperty("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.getValue("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.setValue("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.translateVariables("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.translateVariablesCollection("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.shallBeIncluded("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.commaDelimitedStringToSet("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.evaluate("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.callMethod("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.compile("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.isTrue("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.findString("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.findValue("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.getText("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.makeSelectList("...",...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $P.setParameter("...",...);
            ...
          }
      # Second set of exclusions: the expression is a String local that was
      # initialised from a literal earlier in the same method. Only a direct
      # literal initialiser is recognised; a local built by concatenation or
      # reassigned later is still reported.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.getGetMethod($T,$S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.getSetMethod($T,$S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.getField($T,$S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.setProperties($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.setProperty($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.getValue($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.setValue($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.translateVariables($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.translateVariablesCollection($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.shallBeIncluded($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.commaDelimitedStringToSet($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.evaluate($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.callMethod($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.compile($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.isTrue($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.findString($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.findValue($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.getText($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.makeSelectList($S,...);
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $P.setParameter($S,...);
            ...
          }
Examples
ognl-injection.java
package testcode.script.ognl;
import com.opensymphony.xwork2.ognl.OgnlReflectionProvider;
import javax.management.ReflectionException;
import java.beans.IntrospectionException;
import java.util.HashMap;
import java.util.Map;
/**
 * Semgrep test fixture for the {@code ognl-injection} rule.
 *
 * <p>Each method hands a value to an XWork/Struts OGNL evaluation or reflection
 * helper. The {@code // ruleid:} / {@code // ok:} marker on the line above each
 * method states whether the rule is expected to report it; the rule matches the
 * whole method, so the marker sits directly above the signature.
 *
 * <p>NOTE(review): {@code ReflectionProvider}, {@code OgnlUtil} and
 * {@code OgnlTextParser} are used below without an import (only
 * {@code OgnlReflectionProvider} is imported at the top of the file). The
 * fixture is only parsed by Semgrep, never compiled, so this does not affect
 * the rule test, but the file will not build as-is.
 */
public class OgnlReflectionProviderSample {

  // Reported: `input` is a method parameter, not a literal, and it is passed
  // as the property name to OgnlReflectionProvider.getGetMethod.
  // ruleid: ognl-injection
  public void unsafeOgnlReflectionProvider(String input, OgnlReflectionProvider reflectionProvider, Class type) throws IntrospectionException, ReflectionException {
    reflectionProvider.getGetMethod(type, input);
  }

  // Reported: a parameter reaches ReflectionProvider.getValue as the
  // expression argument.
  // ruleid: ognl-injection
  public void unsafeOgnlReflectionProvider1(String input, ReflectionProvider reflectionProvider) throws IntrospectionException, ReflectionException {
    reflectionProvider.getValue(input, null, null);
  }

  // Reported: a parameter reaches OgnlUtil.setValue as the expression argument.
  // ruleid: ognl-injection
  public void unsafeOgnlReflectionProvider2(String input, OgnlUtil reflectionProvider) throws IntrospectionException, ReflectionException {
    reflectionProvider.setValue(input, null, null,null);
  }

  // Reported: a parameter is evaluated directly by OgnlTextParser.evaluate.
  // ruleid: ognl-injection
  public void unsafeOgnlReflectionProvider3(String input, OgnlTextParser reflectionProvider) throws IntrospectionException, ReflectionException {
    reflectionProvider.evaluate( input );
  }

  // Not reported: the property name is a String local initialised from a
  // literal, which the rule's `String $S = "...";` exclusion recognises.
  // ok: ognl-injection
  public void safeOgnlReflectionProvider1(OgnlReflectionProvider reflectionProvider, Class type) throws IntrospectionException, ReflectionException {
    String input = "thisissafe";
    reflectionProvider.getGetMethod(type, input);
  }

  // Not reported: the field name is a string literal at the call site, which
  // the rule's literal-argument exclusion recognises.
  // ok: ognl-injection
  public void safeOgnlReflectionProvider2(OgnlReflectionProvider reflectionProvider, Class type) throws IntrospectionException, ReflectionException {
    reflectionProvider.getField(type, "thisissafe");
  }
}