You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

Code injection is caused as a result of malicious user input being injected into dynamically constructed code. The javax.script package provides utilities to use various scripting engines from Java code. If misused, an attacker can execute arbitrary code on the target system. These kinds of errors are dangerous because any violations of secure coding practices in dynamically generated code cannot be statically determined.

Noncompliant Code Example

This noncompliant code example incorporates untrusted user input in a javascript statement, responsible for printing the input. An attacker may enter specially crafted arguments in an attempt to inject malicious javascript. The firstName string contains javascript code that can create or overwrite an existing file on the system running the vulnerable Java code.

// Windows based target's file path is being used
String firstName = "dummy\'); var bw = new JavaImporter(java.io.BufferedWriter); 
                    var fw = new JavaImporter(java.io.FileWriter); 
                    with(fw) with(bw) { 
                    bwr = new BufferedWriter(new FileWriter(\"c://somepath//somefile.txt\"));
                    bwr.write(\"some text\"); bwr.close(); } // "; 
	  
evalScript(firstName);

private static void evalScript(String firstName) throws ScriptException {
  ScriptEngineManager manager = new ScriptEngineManager();
  ScriptEngine engine = manager.getEngineByName("javascript");
  engine.eval("print('"+ firstName + "')");	
}

Compliant Solution

The best defense against code injection vulnerabilities is to avoid including executable user input in code. If some dynamic code requires certain user input, the input should be sanitized. For example, a top-level method should ensure that the string firstName contains only valid, white-listed characters. Refer to the guideline IDS01-J. Sanitize before processing or storing user input for more details. If special characters are allowed in the name, they must be escaped before comparing with their equivalent forms.

In addition, a complementary policy is to create a secure sandbox using a security manager (ENV02-J. Create a secure sandbox using a Security Manager). This approach is akin to the one discussed in the first compliant solution of IDS10-J. Prevent XML external entity attacks. The application should not allow the script to execute arbitrary commands such as querying the local file system. The two-argument form of doPrivileged() can be used to lower privileges when the application must operate with higher privileges but the scripting engine must not. The RestrictedAccessControlContext strips the permissions granted in the default policy file by not granting the same permissions to the newly created protection domain. The effective permissions are the intersection of the permissions of the newly created protection domain and the system wide security policy. Refer to the guideline SEC00-J. Follow the principle of least privilege for more details on the two-argument form.

// First sanitize firstName (modify if the name may include special characters)

if(!firstName.matches("[a-zA-Z]*")) { // String does not match white-listed characters
  throw new IllegalArgumentException();
} 

// Restrict permission using the two-argument form of doPrivileged()
try {
  AccessController.doPrivileged(new PrivilegedExceptionAction() {
    public Object run() throws ScriptException {
      engine.eval("print('"+ firstName + "')");		
      return null;
    }    	
  }, RestrictedAccessControlContext.INSTANCE);
} catch(PrivilegedActionException pae) {    	
  // Handle
}       

Risk Assessment

Failing to prevent against code injection can result in the execution of arbitrary code.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS12- J

high

likely

medium

P18

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]] Package javax.script
[[OWASP 08]] Code injection in Java


FIO05-J. Do not create multiple buffered wrappers on an InputStream      09. Input Output (FIO)      09. Input Output (FIO)

  • No labels