External Control of System or Configuration Setting
ID | scala.inject.scala_inject_rule_beanpropertyinjection
Severity | high
Resource | Inject
Language | Scala
Description
An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code.
Rationale
An attacker can set arbitrary bean properties that can compromise system integrity. An attacker can leverage this functionality to access special bean properties like class.classLoader that will allow them to override system properties and potentially execute arbitrary code.
The following code illustrates a vulnerable pattern detected by this rule:
import java.util
import javax.servlet.http.HttpServletRequest
import org.apache.commons.beanutils.BeanUtils

// Parameter typed AnyRef so any JavaBean can be passed (Nothing, as originally written, has no values).
def danger(bean: AnyRef, request: HttpServletRequest): Unit = {
  val map = new util.HashMap[String, String]()
  // VULNERABLE: External Control of System or Configuration Setting
  // Request-controlled data flows straight into BeanUtils.populate without validation.
  map.put("test", request.getParameter("test"))
  BeanUtils.populate(bean, map)
}
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
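The following hardened binding is an added example and is not code from the rule page or from the scanner vendor. It assumes Scala 2.13, commons-beanutils 1.9.2 or later (for SuppressPropertiesBeanIntrospector), and a hypothetical UserProfileForm bean whose two fields are the only properties a request may set; the allowlist name Allowed is also an assumption.

```scala
import java.util
import javax.servlet.http.HttpServletRequest
import org.apache.commons.beanutils.{BeanUtils, BeanUtilsBean, SuppressPropertiesBeanIntrospector}
import scala.beans.BeanProperty
import scala.jdk.CollectionConverters._

// Hypothetical binding target: declares only the fields this endpoint is meant to populate.
class UserProfileForm {
  @BeanProperty var displayName: String = _
  @BeanProperty var email: String = _
}

object SafeBinding {
  // Assumed allowlist of simple property names that may be written from request data.
  private val Allowed: Set[String] = Set("displayName", "email")

  // Keep only allowlisted names; additionally reject nested ("a.b"), indexed ("a[0]")
  // and mapped ("a(k)") property expressions so BeanUtils can never walk into
  // properties such as class.classLoader.
  def filterParameters(params: Map[String, String]): Map[String, String] =
    params.filter { case (name, _) =>
      Allowed.contains(name) &&
        !name.contains('.') && !name.contains('[') && !name.contains('(')
    }

  // Defence in depth: tell BeanUtils not to expose the "class" property at all
  // (commons-beanutils 1.9.2+; assumed to be the version on the classpath).
  def hardenIntrospection(): Unit =
    BeanUtilsBean.getInstance().getPropertyUtils
      .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS)

  // Safe counterpart of the flagged pattern: request parameters are filtered
  // through the allowlist before BeanUtils.populate sees them.
  def bind(form: UserProfileForm, request: HttpServletRequest): UserProfileForm = {
    val raw: Map[String, String] = request.getParameterMap.asScala
      .map { case (k, v) => k -> v.headOption.getOrElse("") }
      .toMap
    val safe = new util.HashMap[String, String]()
    filterParameters(raw).foreach { case (k, v) => safe.put(k, v) }
    BeanUtils.populate(form, safe)
    form
  }
}
```

Call hardenIntrospection() once at application startup; the allowlist in filterParameters is the primary control, and the introspector only removes the "class" property as a fallback.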
References
- OWASP Top 10 2021 - A03: Injection.