[Java] Query for detecting Jakarta Expression Language injections

[artem-smotrakov]

Query

github/codeql#5471

Report

Jakarta EE contains a specification for an expression language (EL) and API for interpreters. There are multiple implementations of the API, for example, JUEL, Apache Commons EL, Glassfish has its own implementation. The language allows invocation of methods available in the JVM. If an expression is built using attacker-controlled data, and then evaluated, it may allow the attacker to run arbitrary code in the worst case.

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

I am planning to write a blog post about detecting such injections.

I wrote a blog post about detecting Jakarta EL injections with CodeQL.

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

• RCE in OpenFaces: There are several classes for processing AJAX requests. The classes take incoming data from a request and put it directly to a EL expression without any validation. In the worst case, it may result to an RCE.

[ghsecuritylab]

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[pwntester]

Thanks for the submission @artem-smotrakov

Unfortunately, the query only returned one result which was a FP (not caused by your query). Can you please provide TP samples or even databases (eg: the DB for the OpenFaces CVE you referenced)

[artem-smotrakov]

Hi @pwntester

Do you mean TeamDev-Archive/OpenFaces#175 is a false positive? Or, did you mean some other result?

The query detects an EL injection in OpenFaces 2.x branch:

TeamDev-Archive/OpenFaces#175 (comment)

Sure, here is a CodeQL database for this finding:

https://drive.google.com/file/d/1gIozUL7Vg9oNx8M2xIoLjlvQAk3YsUx0/view?usp=sharing

You can also re-build it with the following commands:

git checkout master_v2.0
codeql database create codeql-db --language=java

[pwntester]

Do you mean TeamDev-Archive/OpenFaces#175 is a false positive? Or, did you mean some other result?

I meant that we found no TPs on the LGTM subset we run the query submissions against.

Sure, here is a CodeQL database for this finding:

https://drive.google.com/file/d/1gIozUL7Vg9oNx8M2xIoLjlvQAk3YsUx0/view?usp=sharing

Thanks, this is what I meant :)
I will consider this as a TP found by the query

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[artem-smotrakov]

FYI I just wrote a blog post about detecting Jakarta EL injections with CodeQL.

[ghsecuritylab]

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[xcorail]

Created Hackerone report 1175842 for bounty 297930 : [324] [Java] Query for detecting Jakarta Expression Language injections

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed