java.spring.security.audit.spring-jsp-eval.spring-jsp-eval

profile photo of semgrepsemgrep
Author
6,314
Download Count*

A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.

Run Locally

Run in CI

Defintion

rules:
  - id: spring-jsp-eval
    pattern: |
      <spring:eval ... expression=...>
    message: A Spring expression is built with a dynamic value. The source of the
      value(s) should be verified to avoid that unfiltered values fall into this
      risky code evaluation.
    severity: WARNING
    languages:
      - generic
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL
      category: security
      technology:
        - spring
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
    paths:
      include:
        - "*.jsp"

Examples

spring-jsp-eval.jsp

<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!-- ruleid: spring-jsp-eval -->
<spring:eval expression="${param.lang}" var="lang" />
<!-- ruleid: spring-jsp-eval -->
<spring:eval  var="languageIsFrench" expression="'${param.lang}'=='fr'"/>
<!-- ok: spring-jsp-eval -->
<c:set var="languageIsFrench" value="${param.lang == 'fr'}"/>