java.lang.security.audit.script-engine-injection.script-engine-injection


Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.


Definition

# Semgrep rule: flags ScriptEngine.eval() calls whose argument is not a plain string
# literal. The match is purely syntactic (no taint tracking), which is why confidence
# is LOW below: a non-literal argument may still be constant, and an engine that
# reaches the method by a route other than the contexts listed under pattern-either
# (for example as a method parameter) appears not to be covered.
rules:
  - id: script-engine-injection
    message: Detected potential code injection using ScriptEngine. Ensure
      user-controlled data cannot enter '.eval()', otherwise, this is a code
      injection vulnerability.
    metadata:
      cwe:
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      owasp:
        - A03:2021 - Injection
      # Ported from the Find Security Bugs detector of the same name.
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    severity: WARNING
    languages:
      - java
    patterns:
      # Where the engine variable $SE comes from: a field of the enclosing class
      # (declared with or without an initializer) or a local of the matched method.
      - pattern-either:
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE;
                ...
              }
          - pattern-inside: |
              class $CLASS {
                ...
                ScriptEngine $SE = ...;
                ...
              }
          - pattern-inside: |
              $X $METHOD(...) {
                ...
                ScriptEngine $SE = ...;
                ...
              }
      # The sink: any eval() on that engine inside a method body.
      - pattern: |
          $X $METHOD(...) {
            ...
            $SE.eval(...);
            ...
          }
      # Exclusions: a string-literal argument, or a local String initialised from a
      # literal. A concatenation such as "prefix" + input is not a literal and stays
      # flagged (see the ruleid cases in the example file).
      - pattern-not: |
          $X $METHOD(...) {
            ...
            $SE.eval("...");
            ...
          }
      - pattern-not: |
          $X $METHOD(...) {
            ...
            String $S = "...";
            ...
            $SE.eval($S);
            ...
          }

Examples

script-engine-injection.java

package testcode.script;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

/**
 * Semgrep test fixture for the {@code script-engine-injection} rule. The
 * {@code // ruleid:} and {@code //ok:} markers pin which methods the rule must and
 * must not flag, so the code shape here is deliberate: do not "fix" the flagged
 * methods without updating the markers.
 */
public class ScriptEngineSample {

    private static ScriptEngineManager sem = new ScriptEngineManager();
    // Engine registered for the "js" extension. ScriptEngineManager returns null when
    // no such engine is installed (JDK 15+ ships no JavaScript engine), in which case
    // the eval() calls below fail with a NullPointerException, not a ScriptException.
    private static ScriptEngine se = sem.getEngineByExtension("js");

    // Flagged: userInput is concatenated straight into the script source, so whatever
    // the caller passes is executed as code by the engine (CWE-94). The engine is a
    // static field of this class, one of the contexts the rule looks for.
    // ruleid: script-engine-injection
    public static void scripting(String userInput) throws ScriptException {
        Object result = se.eval("test=1;" + userInput);
    }

    // Flagged: same sink as scripting(), but the engine is a method-local obtained
    // from a freshly created manager.
    // ruleid: script-engine-injection
    public static void scripting1(String userInput) throws ScriptException {
        ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
        ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
        Object result = scriptEngine.eval("test=1;" + userInput);
    }

    // Not flagged: the script is a compile-time string literal held in a local with
    // no external data mixed in, which the rule's pattern-not clauses exclude.
    //ok: script-engine-injection
    public static void scriptingSafe() throws ScriptException {
        ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
        ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
        String code = "var test=3;test=test*2;";
        Object result = scriptEngine.eval(code);
    }
}