SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 15

changes.mady.by.user Pennie Walters

Saved on

compared with

New Version 16

changes.mady.by.user Pennie Walters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Code injection is caused as a result of malicious user input being injected into dynamically constructed code. The javax.script package provides utilities to use various scripting engines from Java code. If misused, an attacker can execute arbitrary code on the target system. This class of vulnerabilities is dangerous because any violations of secure coding practices in dynamically generated code cannot be statically determined.

Noncompliant Code Example

This noncompliant code example uses dynamically obtained user input in a javascript statement, responsible for printing the input. A hostile user may enter specially crafted input parameters in an attempt to inject malicious javascript. The firstName string contains javascript code that can create or overwrite an existing file on the system running the vulnerable Java code.

Code Block
bgColor#FFCCCC
// Windows based target's file path is being used
String firstName = "dummy\'); var bw = new JavaImporter(java.io.BufferedWriter); 
                    var fw = new JavaImporter(java.io.FileWriter); 
                    with(fw) with(bw) { 
                    bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\"));
                    bwr.write(\"some text\"); bwr.close(); } // "; 
	  
evalScript(firstName);

private static void evalScript(String firstName) throws ScriptException {
  ScriptEngineManager manager = new ScriptEngineManager();
  ScriptEngine engine = manager.getEngineByName("javascript");
  engine.eval("print('"+ firstName + "')");	
}

Compliant Solution

The best defense against code injection vulnerabilities is to avoid including executable user input in code. If some dynamic code requires certain user input, the input should be sanitized. For example, a top-level method should ensure that the string firstName contains only valid characters. Refer to the guideline IDS01-J. Sanitize before processing or storing user input for more details.

...

Code Block
bgColor#ccccff
// First sanitize firstName
// Restrict permission using the two-argument form of doPrivileged()
try {
  AccessController.doPrivileged(new PrivilegedExceptionAction() {
    public Object run() throws ScriptException {
      engine.eval("print('"+ firstName + "')");		
      return null;
    }    	
  }, RestrictedAccessControlContext.INSTANCE);
} catch(PrivilegedActionException pae) {    	
  // Handle
}

Risk Assessment

Failing to prevent against code injection can result in the execution of arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS17- J

high

likely

medium

P18

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] Package {{javax.script}}
\[[OWASP 08|AA. Java References#OWASP 08]\] [Code injection in Java|http://www.owasp.org/index.php/Code_injection_in_Java]

...