Code injection results from untrusted input being injected into dynamically constructed code. The javax.script package provides an API of interfaces and classes that define Java Scripting Engines and defines a framework for their use in Java code. An obvious example is the use of JavaScript from Java code. Misuse of the javax.script API permits an attacker to execute arbitrary code on the target system. Such errors are dangerous because violations of secure coding practices in dynamically generated code cannot be detected in advance through static analysis.
Although code injection often involves scripting languages, code injection is possible using many coding languages, including HTML.
Noncompliant Code Example
This noncompliant code example incorporates untrusted user input in a JavaScript statement that is responsible for printing the input. An attacker can enter specially crafted arguments in an attempt to inject malicious JavaScript. The firstName string contains JavaScript code that can create or overwrite an existing file on the system running the vulnerable Java code.
| Code Block | ||
|---|---|---|
| ||
// Windows-based target's file path is being used
String firstName = "dummy\'); var bw = new JavaImporter(java.io.BufferedWriter);
var fw = new JavaImporter(java.io.FileWriter);
with(fw) with(bw) {
bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\"));
bwr.write(\"some text\"); bwr.close(); } // ";
evalScript(firstName);
private static void evalScript(String firstName) throws ScriptException {
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("javascript");
engine.eval("print('"+ firstName + "')");
}
|
An attacker can enter a specially crafted argument in an attempt to inject malicious JavaScript. Here is an example malicious string; it contains JavaScript code that can create or overwrite an existing file on a Windows system running the vulnerable Java code.
| Code Block | ||
|---|---|---|
| ||
// Windows-based target's file path is being used
dummy\');
var bw = new JavaImporter(java.io.BufferedWriter);
var fw = new JavaImporter(java.io.FileWriter);
with(fw) with(bw) {
bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\"));
bwr.write("some text"); bwr.close();
}
// ;
|
Compliant Solution
The best defense against code injection vulnerabilities is to avoid including executable user input in code. When dynamic code requires user input, that input must be sanitized. For example, a top-level method could ensure that the string firstName contains only valid, whitelisted characters. Refer to IDS00-J. Sanitize untrusted data passed across a trust boundary for more details. If special characters are allowed in the name, they must be escaped before comparing with their equivalent forms.
...