java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request


Detected input from an HttpServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method that takes a single String array as the argument: exec({"command", "arg1", "arg2"}).


Definition

# Semgrep taint rule: reports request-derived data that reaches the environment-array
# argument of java.lang.Runtime.exec. The message below is the user-facing finding text.
rules:
  - id: tainted-env-from-http-request
    message: Detected input from a HTTPServletRequest going into the environment
      variables of an 'exec' command.  Instead, call the command with
      user-supplied arguments by using the overloaded method with one String
      array as the argument. `exec({"command", "arg1", "arg2"})`.
    languages:
      - java
    severity: ERROR
    # Taint mode: a finding needs a dataflow path from one of the sources below to the sink.
    mode: taint
    # Sources: any HttpServletRequest value, plus cookie values read while iterating
    # over the array returned by getCookies() on such a request.
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: |
                  (HttpServletRequest $REQ)
              - patterns:
                  - pattern-inside: >
                      (javax.servlet.http.Cookie[] $COOKIES) =
                      (HttpServletRequest $REQ).getCookies(...);

                      ...

                      for (javax.servlet.http.Cookie $COOKIE: $COOKIES) {
                        ...
                      }
                  - pattern: |
                      $COOKIE.getValue(...)
    # Sink: only the second (environment) argument of Runtime.exec. focus-metavariable
    # narrows the match to $ENV_ARGS, so taint that flows only into the $CMD position is
    # not reported by this rule (the second "ok" call in the example below); such a call
    # is still untrusted command execution and is the concern of a command-injection rule.
    pattern-sinks:
      - patterns:
          - pattern: (java.lang.Runtime $R).exec($CMD, $ENV_ARGS, ...);
          - focus-metavariable: $ENV_ARGS
    # Classification metadata; CWE-454 covers externally initialised trusted data such as
    # a child process environment.
    metadata:
      category: security
      technology:
        - java
      cwe:
        - "CWE-454: External Initialization of Trusted Variables or Data Stores"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: false
      cwe2021-top25: false
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Other

Examples

tainted-env-from-http-request.java

/**
 * OWASP Benchmark v1.2
 *
 * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
 * details, please see <a
 * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
 *
 * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
 * of the GNU General Public License as published by the Free Software Foundation, version 2.
 *
 * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 * PURPOSE. See the GNU General Public License for more details.
 *
 * @author Dave Wichers
 * @created 2015
 */
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.Runtime;

/**
 * Positive Semgrep fixture for {@code tainted-env-from-http-request} (OWASP Benchmark
 * BenchmarkTest00007): a request header value is URL-decoded and then passed as the
 * environment array of {@link Runtime#exec(String[], String[])}. The {@code // ruleid:}
 * annotation marks the line the rule is expected to report.
 *
 * <p>This listing is a scanner fixture, not a deployable servlet: the class name does not
 * match the annotated path, and the same class is declared again below with {@code // ok:}
 * annotations.
 */
@WebServlet(value = "/cmdi-00/BenchmarkTest00007")
public class bad2 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * GET is handled identically to POST; see {@link #doPost}.
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Reads the {@code BenchmarkTest00007} request header and runs an OS command with that
     * header value as the child process environment.
     *
     * @param request  the incoming request; the header is the attacker-controlled input
     * @param response receives the command output, or an HTML-encoded error message
     * @throws ServletException per the servlet API contract
     * @throws IOException propagated from URL decoding or from obtaining the response writer;
     *     failures of the exec call itself are caught below
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // some code
        response.setContentType("text/html;charset=UTF-8");

        // Untrusted input: an absent header leaves param as the empty string.
        String param = "";
        if (request.getHeader("BenchmarkTest00007") != null) {
            param = request.getHeader("BenchmarkTest00007");
        }

        // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
        param = java.net.URLDecoder.decode(param, "UTF-8");

        // The command itself comes from a benchmark helper, not from the request.
        String cmd =
                org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString(
                        this.getClass().getClassLoader());
        String[] args = {cmd};
        // The decoded header becomes the sole entry of the child process environment
        // (exec's envp array holds "name=value" strings), so the HTTP client chooses the
        // environment the command runs under.
        String[] argsEnv = {param};

        Runtime r = Runtime.getRuntime();

        try {
            // ruleid: tainted-env-from-http-request
            Process p = r.exec(args, argsEnv);
            org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);
        } catch (IOException e) {
            // Failure is logged to stdout and echoed to the client after HTML encoding.
            System.out.println("Problem executing cmdi - TestCase");
            response.getWriter()
                    .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));
            return; // last statement of the method; this return is redundant
        }
    }
}

/**
 * Negative ({@code // ok:}) Semgrep fixture for {@code tainted-env-from-http-request}: the
 * environment array passed to {@link Runtime#exec} is built from the helper-supplied
 * command only, so no request data reaches the sink this rule focuses on.
 *
 * <p>This listing is a scanner fixture, not a compilable unit: it re-declares the
 * {@code bad2} class from above and declares {@code p} twice in one scope.
 */
@WebServlet(value = "/cmdi-00/BenchmarkTest00007")
public class bad2 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * GET is handled identically to POST; see {@link #doPost}.
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Reads the {@code BenchmarkTest00007} request header and runs an OS command whose
     * environment array does not contain the header value.
     *
     * @param request  the incoming request; the header is still untrusted input
     * @param response receives the command output, or an HTML-encoded error message
     * @throws ServletException per the servlet API contract
     * @throws IOException propagated from URL decoding or from obtaining the response writer;
     *     failures of the exec calls themselves are caught below
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // some code
        response.setContentType("text/html;charset=UTF-8");

        // Untrusted input: an absent header leaves param as the empty string.
        String param = "";
        if (request.getHeader("BenchmarkTest00007") != null) {
            param = request.getHeader("BenchmarkTest00007");
        }

        // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
        param = java.net.URLDecoder.decode(param, "UTF-8");

        String cmd =
                org.owasp.benchmark.helpers.Utils.getInsecureOSCommandString(
                        this.getClass().getClassLoader());
        String[] args = {cmd};
        // The environment array holds only the helper-supplied command string; nothing
        // derived from the request is placed in it.
        String[] argsEnv = {cmd};

        Runtime r = Runtime.getRuntime();

        try {
            // ok: tainted-env-from-http-request
            Process p = r.exec(args, argsEnv);
            org.owasp.benchmark.helpers.Utils.printOSCommandResults(p, response);

            // Not reported by this rule because the tainted value is in the command
            // position, not the environment argument the rule's focus-metavariable selects.
            // Running a request-controlled command string is still untrusted command
            // execution; that is the concern of a separate command-injection rule.
            // ok: tainted-env-from-http-request
            Process p = r.exec(param, argsEnv);
        } catch (IOException e) {
            // Failure is logged to stdout and echoed to the client after HTML encoding.
            System.out.println("Problem executing cmdi - TestCase");
            response.getWriter()
                    .println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));
            return; // last statement of the method; this return is redundant
        }
    }
}