Code Injection
ID |
java.code_injection |
Severity |
critical |
Resource |
Injection |
Language |
Java |
Tags |
CWE:95, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1 |
Description
Improper neutralization of directives in dynamically evaluated code ('Eval Injection').
Code Injection vulnerabilities occur when an application dynamically executes code containing untrusted input from users.
Rationale
In Java, while direct code execution vulnerabilities are less common than in some other languages due to its lack of built-in scripting features, risks still emerge through features like the use of Java Reflection, expression evaluation libraries, or dynamic language integrations. But since Java 6, direct execution of code in scripting languages is available through the javax.script package.
Consider this vulnerable Java code snippet using a scripting engine:
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
public class CodeInjectionExample {
public static void main(String[] args) {
String input = "user input"; // User-controlled input
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("JavaScript");
try {
engine.eval("print('" + input + "')");
} catch (ScriptException e) {
e.printStackTrace();
}
}
}In this example, user input directly influences the script execution, potentially allowing an attacker to inject and execute arbitrary code by manipulating the input.
Remediation
To mitigate Code Injection vulnerabilities, follow these best practices:
-
Avoid Dynamic Code Execution: Where possible, avoid using dynamic script execution or reflection with untrusted input.
-
Input Validation and Sanitization: Assume all input is potentially malicious. Rigorously validate all user inputs to confirm they adhere to expected formats, and sanitize them (a whitelisting approach is recommended) to remove potentially harmful content.
-
Canonicalization: Decode and canonicalize inputs to a standard internal representation before validation. This helps prevent bypassing input filters through encoding tricks
Below is a revised approach assuming the need for dynamic evaluation, where we add checks and log unexpected inputs:
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
public class SecureCodeInjectionExample {
public static void main(String[] args) {
String input = "user input"; // User-controlled input
if (isValidInput(input)) {
ScriptEngineManager manager = new ScriptEngineManager();
ScriptEngine engine = manager.getEngineByName("JavaScript");
try {
engine.eval("print('" + input + "')");
} catch (ScriptException e) {
e.printStackTrace();
}
} else {
System.err.println("Invalid script input detected!");
}
}
private static boolean isValidInput(String input) {
// your validation logic
}
}This implementation incorporates input sanitization and validation to ensure that only valid characters are processed and logs anything deemed suspicious. By enforcing these approaches, the risk of code injection can be significantly reduced.
Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-95 : Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection').
-
OWASP Top 10 2021 - A03 : Injection.
-
OWASP Code Injection explained.