Expression injection (OGNL)

ID

scala.inject.scala_inject_rule_ognlinjection

Severity

low

Resource

Inject

Language

Scala

Description

"An expression is built with a dynamic value. The source of the value(s) should be verified to prevent unfiltered values from reaching this risky code evaluation."

Rationale

"An expression is built with a dynamic value. The source of the value(s) should be verified to prevent unfiltered values from reaching this risky code evaluation."

The following code illustrates a vulnerable pattern detected by this rule:

import java.util
import com.opensymphony.xwork2.ognl.OgnlUtil // Struts 2 OgnlUtil (import assumed; it matches the method signatures used below)

// `input` and `propsInput` are dynamic (potentially attacker-controlled) values.
// Every call below hands them to OGNL as expression text or as property names,
// so OGNL parses and evaluates whatever the caller supplied.
def unsafeOgnlUtil(ognlUtil: OgnlUtil, input: String, propsInput: util.HashMap[String, String]): Unit = {
  // VULNERABLE: Expression injection (OGNL) - `input` is evaluated as the target expression
  ognlUtil.setValue(input, null, null, "12345")
  // VULNERABLE: Expression injection (OGNL) - `input` is evaluated to read a value
  ognlUtil.getValue(input, null, null, null)
  // VULNERABLE: Expression injection (OGNL) - `input` names the property to set
  ognlUtil.setProperty(input, "12345", null, null)
  // VULNERABLE: Expression injection (OGNL)
  ognlUtil.setProperty(input, "12345", null, null, true)
  // VULNERABLE: Expression injection (OGNL) - each key of `propsInput` is parsed as an expression
  ognlUtil.setProperties(propsInput, new Object())
  // VULNERABLE: Expression injection (OGNL)
  ognlUtil.setProperties(propsInput, null, null, true)
  // VULNERABLE: Expression injection (OGNL)
  ognlUtil.setProperties(propsInput, null, true)
  // VULNERABLE: Expression injection (OGNL)
  ognlUtil.setProperties(propsInput, null)
  //ognlUtil.callMethod(input, null, null);
  // VULNERABLE: Expression injection (OGNL) - `input` is parsed into an OGNL tree
  ognlUtil.compile(input)
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
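The remediation this rule expects is to keep dynamic values out of the expression text altogether: the user-supplied string selects an entry from a fixed allowlist of expressions, and only the allowlisted expression is ever handed to OGNL. The following is an added example written for this page, not code from the rule's authors; it assumes the Struts 2 `com.opensymphony.xwork2.ognl.OgnlUtil` class (the same method signatures the vulnerable snippet above uses), and the field names and expressions in `allowedExpressions` are constructed placeholders.

```scala
import java.util
import com.opensymphony.xwork2.ognl.OgnlUtil // assumed: Struts 2 OgnlUtil

object SafeOgnl {
  // Allowlist of fixed OGNL expressions, keyed by the name a client may ask for.
  // The client's string only selects a key; it never becomes expression text.
  // (Constructed placeholder mapping for illustration.)
  private val allowedExpressions: Map[String, String] = Map(
    "name"  -> "name",
    "email" -> "contact.email"
  )

  // Returns true when `field` may be used at all; callers can log or reject otherwise.
  def isAllowed(field: String): Boolean = allowedExpressions.contains(field)

  // Reads one allowlisted property from `root`. None if the field is not allowlisted
  // or OGNL returns null, so an unknown name never reaches ognlUtil.getValue.
  def readField(ognlUtil: OgnlUtil, root: AnyRef, field: String): Option[AnyRef] =
    allowedExpressions.get(field).flatMap { expr =>
      Option(ognlUtil.getValue(expr, new util.HashMap[String, AnyRef](), root))
    }

  // Applies a client-supplied map, keeping only allowlisted keys and rewriting them
  // to the fixed expression. Unknown keys are dropped, so `setProperties` never sees
  // an expression built from caller input.
  def applyProperties(ognlUtil: OgnlUtil, root: AnyRef, props: util.Map[String, String]): Unit = {
    val filtered = new util.HashMap[String, AnyRef]()
    props.forEach { (key, value) =>
      allowedExpressions.get(key).foreach(expr => filtered.put(expr, value))
    }
    ognlUtil.setProperties(filtered, root)
  }
}
```

The important property is that `ognlUtil` only ever receives strings that exist in the source code; the dynamic value is used as a lookup key and is discarded if it does not match. Rejecting unknown keys (rather than silently dropping them) is a reasonable variant when the caller should be told that a field was refused.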

Configuration

This detector does not need any configuration.

References