java.lang.security.audit.script-engine-injection.script-engine-injection
Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.
Definition
rules:
  - id: script-engine-injection
    message: Detected potential code injection using ScriptEngine. Ensure
      user-controlled data cannot enter '.eval()', otherwise, this is a code
      injection vulnerability.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      # Audit rule: it matches call shapes only and does not track where the
      # argument comes from, hence the LOW likelihood/confidence. Every finding
      # needs a manual check of how the eval'd string is built.
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - java
    patterns:
      # Scope: only report inside code where a ScriptEngine is visible, either
      # as a class field (declared with or without an initializer) or as a
      # local in the enclosing method. $SE bound here is reused by the
      # patterns below.
      - pattern-either:
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE;
                ...
              }
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE = ...;
                ...
              }
          - pattern-inside: |
              $X $METHOD(...) {
                ...
                ScriptEngine $SE = ...;
                ...
              }
      # Sink: any eval(...) call on that engine, whatever the arguments.
      # The finding covers the whole method, so the test annotation in the
      # example file sits on the line before the method signature.
      - pattern: |
          $X $METHOD(...) {
            ...
            $SE.eval(...);
            ...
          }
      # Exclusion 1: a string literal passed directly to eval cannot carry
      # attacker-controlled data.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $SE.eval("...");
            ...
          }
      # Exclusion 2: a local initialised from a literal and then eval'd.
      # NOTE(review): the `...` between the assignment and the eval appears to
      # allow intervening statements, so a $S that is reassigned or
      # concatenated with input after this literal initialisation would
      # presumably also be excluded (a false negative) — confirm against the
      # Semgrep semantics of `...` before relying on this exclusion.
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $SE.eval($S);
            ...
          }
Examples
script-engine-injection.java
package testcode.script;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
/**
 * Test fixture for the {@code script-engine-injection} rule.
 *
 * <p>Each method carries a {@code ruleid:}/{@code ok:} annotation on the line
 * immediately before its signature, stating whether the rule is expected to
 * report it. The annotation must stay directly above the signature, because
 * the rule's finding spans the whole method.
 */
public class ScriptEngineSample {
    // A ScriptEngine field is one of the contexts the rule scopes itself to.
    private static ScriptEngineManager sem = new ScriptEngineManager();
    private static ScriptEngine se = sem.getEngineByExtension("js");

    /**
     * Expected finding: the engine is a class field and {@code userInput} is
     * concatenated into the script handed to {@code eval}, so the evaluated
     * code is partly caller-controlled.
     *
     * @param userInput text appended to the evaluated script
     * @throws ScriptException propagated from {@code eval}
     */
    // ruleid: script-engine-injection
    public static void scripting(String userInput) throws ScriptException {
        Object result = se.eval("test=1;" + userInput);
    }

    /**
     * Expected finding: same concatenation as above, but the engine is a local
     * of the method rather than a field (the rule's third scoping pattern).
     *
     * @param userInput text appended to the evaluated script
     * @throws ScriptException propagated from {@code eval}
     */
    // ruleid: script-engine-injection
    public static void scripting1(String userInput) throws ScriptException {
        ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
        ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
        Object result = scriptEngine.eval("test=1;" + userInput);
    }

    /**
     * Expected to be quiet: the script is a string literal assigned to a local
     * and passed to {@code eval} unchanged, which is the rule's second
     * exclusion. No caller input reaches the engine.
     *
     * @throws ScriptException propagated from {@code eval}
     */
    //ok: script-engine-injection
    public static void scriptingSafe() throws ScriptException {
        ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
        ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
        String code = "var test=3;test=test*2;";
        Object result = scriptEngine.eval(code);
    }
}