-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSpringImplicitViewManipulation.ql
More file actions
65 lines (60 loc) · 2.67 KB
/
Copy pathSpringImplicitViewManipulation.ql
File metadata and controls
65 lines (60 loc) · 2.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/**
* @name Spring Implicit View Manipulation
* @description Untrusted input in a Spring View Controller can lead to RCE.
* @kind problem
* @problem.severity error
* @precision high
* @id java/spring-view-manipulation-implicit
* @tags security
* experimental
* external/cwe/cwe-094
*/
import java
deprecated import SpringViewManipulationLib
deprecated private predicate canResultInImplicitViewConversion(Method m) {
m.getReturnType() instanceof VoidType
or
m.getReturnType() instanceof MapType
or
m.getReturnType().(RefType).hasQualifiedName("org.springframework.ui", "Model")
}
private predicate maybeATestMethod(Method m) {
exists(string s |
s = m.getName() or
s = m.getFile().getRelativePath() or
s = m.getDeclaringType().getName()
|
s.matches(["%test%", "%example%", "%exception%"])
)
}
deprecated private predicate mayBeExploitable(Method m) {
// There should be a attacker controlled parameter in the URI for the attack to be exploitable.
// This is possible only when there exists a parameter with the Spring `@PathVariable` annotation
// applied to it.
exists(Parameter p |
p = m.getAParameter() and
p.hasAnnotation("org.springframework.web.bind.annotation", "PathVariable") and
// Having a parameter of say type `Long` is non exploitable as Java type
// checking rules are applied prior to view name resolution, rendering the exploit useless.
// hence, here we check for the param type to be a Java `String`.
p.getType() instanceof TypeString and
// Exclude cases where a regex check is applied on a parameter to prevent false positives.
not m.(SpringRequestMappingMethod).getAValue().matches("%{%:[%]%}%")
) and
not maybeATestMethod(m)
}
deprecated query predicate problems(SpringRequestMappingMethod m, string message) {
thymeleafIsUsed() and
mayBeExploitable(m) and
canResultInImplicitViewConversion(m) and
// If there's a parameter of type`HttpServletResponse`, Spring Framework does not interpret
// it as a view name, but just returns this string in HTTP Response preventing exploitation
// This also applies to `@ResponseBody` annotation.
not m.getParameterType(_) instanceof HttpServletResponse and
// A spring request mapping method which does not have response body annotation applied to it
m.getAnAnnotation().getType() instanceof SpringRequestMappingAnnotationType and
not m.getAnAnnotation().getType() instanceof SpringResponseBodyAnnotationType and
// `@RestController` inherits `@ResponseBody` internally so it should be ignored.
not m.getDeclaringType() instanceof SpringRestController and
message = "This method may be vulnerable to spring view manipulation vulnerabilities."
}