java.spring.security.audit.spring-jsp-eval.spring-jsp-eval

A Spring expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values do not reach this risky code evaluation.
Definition
rules:
  - id: spring-jsp-eval
    pattern: |
      <spring:eval ... expression=...>
    message: A Spring expression is built with a dynamic value. The source of the
      value(s) should be verified to avoid that unfiltered values fall into this
      risky code evaluation.
    severity: WARNING
    languages:
      - generic
    metadata:
      cwe:
        - "CWE-95: Improper Neutralization of Directives in Dynamically
          Evaluated Code ('Eval Injection')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL
      category: security
      technology:
        - spring
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*.jsp"
Examples
spring-jsp-eval.jsp
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<!-- ruleid: spring-jsp-eval -->
<spring:eval expression="${param.lang}" var="lang" />
<!-- ruleid: spring-jsp-eval -->
<spring:eval var="languageIsFrench" expression="'${param.lang}'=='fr'"/>
<!-- ok: spring-jsp-eval -->
<c:set var="languageIsFrench" value="${param.lang == 'fr'}"/>
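As an added example (not part of the rule or the Semgrep registry), the following Python scan runs over a constructed JSP snippet built from the test cases above plus one constant expression. It reports every <spring:eval> carrying an expression attribute, as the generic pattern does, and additionally marks which expressions embed a JSP EL value such as ${param.lang}, which is the question the rule's message asks a reviewer to settle.

```python
import re

# Constructed sample input: the rule's own test cases plus one constant
# SpEL expression, so the scan shows both a real hit and a benign literal.
SAMPLE_JSP = """<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<spring:eval expression="${param.lang}" var="lang" />
<spring:eval var="languageIsFrench" expression="'${param.lang}'=='fr'"/>
<c:set var="languageIsFrench" value="${param.lang == 'fr'}"/>
<spring:eval expression="T(java.lang.Math).PI" var="pi" />
"""

# Opening <spring:eval ...> tag, self-closing or not; group 1 is the attribute text.
SPRING_EVAL_TAG = re.compile(r"<spring:eval\b([^>]*?)/?>", re.IGNORECASE | re.DOTALL)
# The expression="..." or expression='...' attribute inside that tag.
EXPRESSION_ATTR = re.compile(r"""\bexpression\s*=\s*(["'])(.*?)\1""", re.DOTALL)
# JSP EL interpolation markers: where request-controlled text can enter the SpEL string.
EL_INTERPOLATION = re.compile(r"[$#]\{")


def scan_spring_eval(jsp_source):
    """Return one dict per <spring:eval> tag that carries an expression attribute.

    Every such tag is reported, mirroring the generic semgrep pattern above.
    'dynamic' is the triage hint: True when the SpEL string is assembled from
    JSP EL (e.g. ${param.lang}), False for a literal expression.
    """
    findings = []
    for tag in SPRING_EVAL_TAG.finditer(jsp_source):
        attr = EXPRESSION_ATTR.search(tag.group(1))
        if attr is None:
            continue
        expression = attr.group(2)
        findings.append({
            "line": jsp_source.count("\n", 0, tag.start()) + 1,
            "expression": expression,
            "dynamic": EL_INTERPOLATION.search(expression) is not None,
        })
    return findings


def dynamic_lines(jsp_source):
    """Line numbers of the findings to treat as eval-injection candidates."""
    return [f["line"] for f in scan_spring_eval(jsp_source) if f["dynamic"]]


if __name__ == "__main__":
    for f in scan_spring_eval(SAMPLE_JSP):
        verdict = "dynamic (review)" if f["dynamic"] else "constant"
        print(f"line {f['line']}: {verdict}: {f['expression']}")
```

The constant-expression case on the last sample line is still reported, because the rule pattern matches it too; the dynamic flag is what separates a finding to escalate from one to close.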
Short Link: https://sg.run/Q88o