
Insecure Use of Dangerous Function

This vulnerability category covers the following issues:

  • Command Injection
  • Code Injection

Why is this important?

Java, like any other programming language, has dangerous functions. If they are used carelessly, the impact on your application can be catastrophic: attacker-controlled input that reaches one of these functions can give the attacker full control of your production environment.


Read below to find out how to fix this issue in your code.

Command Injection

The APIs shown below are used to execute system commands. If unfiltered input is passed to them, the result is arbitrary command execution on the host.


Option A: Use dangerous functions securely

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the dangerous function. For example:

    // Java
    import java.io.IOException;
    import java.lang.Runtime;

    // Unsafe: the input becomes part of a command line that /bin/sh parses,
    // so ";", "|", "$(...)" and friends in the input are executed
    Runtime r = Runtime.getRuntime();
    r.exec("/bin/sh -c some_tool " + input);

    or:

    //Scala
    import scala.sys.process._
    import play.api.mvc._

    // Unsafe: the request value is parsed into a command and executed
    def executeCommand(value: String) = Action {
      val result = value.!
      Ok("Result:\n" + result)
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, keep the input away from the shell and validate it. Pass the program and each of its arguments as separate array elements (for example with ProcessBuilder or the String[] form of Runtime.exec) instead of building a single command line, and reject any value that is not on a strict allowlist before calling the API:

    // Java
    import java.util.regex.Pattern;

    // Ensure that only safe characters are supplied (example allowlist:
    // letters, digits, '_', '.' and '-'; no whitespace, path separators
    // or shell metacharacters). Otherwise don't perform the operation.
    if (!Pattern.matches("[A-Za-z0-9_.-]+", input)) {
        // Handle error
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
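The following is an added, self-contained example (not code from the original page or from GuardRails) that puts the two halves of the fix together: the page's vulnerable shell form is kept only for comparison, while the hardened path validates the argument against an allowlist and launches the tool through ProcessBuilder with an argument list, so no shell ever parses the input. The class name, the allowlist pattern and the use of `echo` in place of `some_tool` are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

public class SafeCommand {

    // Example allowlist for a single file-name style argument (assumption: tailor it to
    // the values the feature really needs). It forbids whitespace, path separators and
    // every shell metacharacter, and the first character may not be '-' so the value
    // cannot be read as an option by the tool (argument injection).
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}");

    // The page's vulnerable shape, kept for comparison and never called below: the
    // whole line is handed to /bin/sh, so ";", "|" or "$(...)" in input are interpreted.
    static Process vulnerable(String input) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "some_tool " + input});
    }

    static String validateArg(String input) {
        if (input == null || !SAFE_ARG.matcher(input).matches()) {
            throw new IllegalArgumentException("argument rejected by allowlist: " + input);
        }
        return input;
    }

    // Hardened: no shell is involved. Each list element becomes exactly one argv entry,
    // so the input can only ever be an argument of `tool`, and it is validated anyway.
    static String runTool(String tool, String input) throws IOException, InterruptedException {
        String arg = validateArg(input);
        ProcessBuilder pb = new ProcessBuilder(List.of(tool, arg));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String output = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        int exit = p.waitFor();
        if (exit != 0) {
            throw new IOException(tool + " exited with status " + exit);
        }
        return output;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one benign file name and four hostile values.
        String[] samples = {"report-2024.txt", "x; rm -rf /", "$(id)", "../etc/passwd", "-rf"};
        for (String s : samples) {
            try {
                // "echo" stands in for some_tool so the example runs on any POSIX system.
                System.out.print("accepted: " + runTool("echo", s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Two points are easy to miss: an argument list alone does not stop argument injection (a value such as `-rf` is still an option as far as the tool is concerned), which is why the allowlist refuses a leading dash; and the allowlist is the second line of defence, not a replacement for dropping the shell, because an allowlist that later grows to include a space or a `$` silently reopens the original bug.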

Code Injection

Whenever an application evaluates code or expressions assembled at runtime, an attacker who can influence that text can run code of their own, which typically ends in data leakage or compromise of the host operating system.

This section covers code injection related to the following APIs:

  • Script Engine
  • Spring Expression
  • Expression Language
  • Seam Logging Call
  • OGNL
  • JSP Spring Expression

Option A: Using Script Engine safely


Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    import javax.script.ScriptEngine;
    import javax.script.ScriptEngineManager;
    import javax.script.ScriptException;

    // Unsafe: the script text is evaluated with full access to the JVM
    public void runCustomTrigger(String script) throws ScriptException {
        ScriptEngineManager factory = new ScriptEngineManager();
        ScriptEngine engine = factory.getEngineByName("JavaScript");
        engine.eval(script);
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, evaluate the script inside a sandbox. The pattern below uses Rhino with a custom ContextFactory (SandboxContextFactory is application code, not a class shipped with Rhino: it must expose makeContext() and should install a ClassShutter that hides Java classes from scripts, ideally together with a time limit) and runs the script in a fresh scope layered on top of shared standard objects:

    import org.mozilla.javascript.Context;
    import org.mozilla.javascript.Scriptable;
    import org.mozilla.javascript.ScriptableObject;

    public void runCustomTrigger(String script) {
        SandboxContextFactory contextFactory = new SandboxContextFactory();
        Context context = contextFactory.makeContext();
        contextFactory.enterContext(context);
        try {
            // Standard objects with no parent scope, shared as a prototype
            ScriptableObject prototype = context.initStandardObjects();
            prototype.setParentScope(null);
            // Fresh per-script scope that inherits from the prototype
            Scriptable scope = context.newObject(prototype);
            scope.setPrototype(prototype);
            context.evaluateString(scope, script, null, -1, null);
        } finally {
            Context.exit();
        }
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
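The pattern above leaves the interesting part, the SandboxContextFactory, unspecified. The following is an added example (not code from the original page, from GuardRails or from Rhino) of one way to write it: a ContextFactory whose contexts deny every Java class through a ClassShutter, enforce a wall-clock budget through Rhino's instruction observer, and evaluate each script in its own scope on top of sealed standard objects. It assumes Rhino (org.mozilla.javascript) is on the classpath; the class names, the 2 second budget and the sample scripts are assumptions made for the example.

```java
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class RhinoSandbox {

    // Thrown as an Error rather than a RuntimeException so that a try/catch inside
    // the untrusted script cannot swallow it and keep running.
    static final class ScriptTimeoutError extends Error {
        ScriptTimeoutError(String message) { super(message); }
    }

    // Hypothetical sandboxing factory (assumption: not a class shipped with Rhino).
    static class SandboxContextFactory extends ContextFactory {
        private static final long MAX_MILLIS = 2_000;
        private static final String START_KEY = "sandbox.start";

        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setOptimizationLevel(-1);                // interpreter mode, needed for instruction counting
            cx.setInstructionObserverThreshold(10_000); // observeInstructionCount() every 10k instructions
            cx.setClassShutter(className -> false);     // no Java class is visible: Runtime, File, ... denied
            cx.putThreadLocal(START_KEY, System.currentTimeMillis());
            return cx;
        }

        @Override
        protected void observeInstructionCount(Context cx, int instructionCount) {
            long start = (Long) cx.getThreadLocal(START_KEY);
            if (System.currentTimeMillis() - start > MAX_MILLIS) {
                throw new ScriptTimeoutError("script exceeded " + MAX_MILLIS + " ms");
            }
        }
    }

    // Evaluates untrusted script text in a fresh scope and returns the result as a string.
    static String runUntrusted(String script) {
        Context cx = new SandboxContextFactory().enterContext();
        try {
            // sealed = true: the script cannot modify Object.prototype, Function.prototype, etc.
            ScriptableObject shared = cx.initStandardObjects(null, true);
            shared.setParentScope(null);
            // Per-script scope whose prototype chain leads to the sealed standard objects.
            Scriptable scope = cx.newObject(shared);
            scope.setPrototype(shared);
            scope.setParentScope(null);
            Object result = cx.evaluateString(scope, script, "untrusted-script", 1, null);
            return Context.toString(result);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a harmless calculation, an attempt to reach java.lang.Runtime,
        // and a script that never terminates.
        String[] scripts = {
            "var total = 0; for (var i = 1; i <= 10; i++) { total += i; } total",
            "java.lang.Runtime.getRuntime().exec('id')",
            "while (true) {}"
        };
        for (String s : scripts) {
            try {
                System.out.println("result : " + runUntrusted(s));
            } catch (RuntimeException | ScriptTimeoutError e) {
                System.out.println("blocked: " + e.getClass().getSimpleName() + " - " + e.getMessage());
            }
        }
    }
}
```

The ClassShutter only governs what a script can reach by name; any Java object you deliberately hand into the scope is still a door into the JVM (through getClass(), for instance), so expose as little as possible and, if you must pass objects, pair the shutter with a WrapFactory that hides such members. The time budget matters because a denial of service by infinite loop is the cheapest attack against any script host.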

Option B: Using Spring Expression safely


Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    import org.springframework.expression.Expression;
    import org.springframework.expression.ExpressionParser;
    import org.springframework.expression.spel.standard.SpelExpressionParser;
    import org.springframework.expression.spel.support.StandardEvaluationContext;

    public void parseExpressionInterface(Person personObj, String property) {
        ExpressionParser parser = new SpelExpressionParser();
        // Unsafe if the input is controlled by the user: StandardEvaluationContext
        // lets the expression reference types, call constructors and invoke methods
        Expression exp = parser.parseExpression(property + " == 'Albert'");
        StandardEvaluationContext testContext = new StandardEvaluationContext(personObj);
        boolean result = exp.getValue(testContext, Boolean.class);
        [...]
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, validate the user input before it becomes part of the expression, and prefer Spring's SimpleEvaluationContext over StandardEvaluationContext so that type references, constructors and bean references are not available to the expression at all:

    // Java
    import java.util.regex.Pattern;

    // Ensure that only safe characters are supplied (example allowlist:
    // letters, digits, '_' and '.'). Otherwise don't perform the operation.
    if (!Pattern.matches("[A-Za-z0-9_.]+", property)) {
        // Handle error
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
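The following is an added example (not code from the original page, from GuardRails or from Spring) of the hardened version of the pattern above. It combines three measures: the user-controlled fragment must match a property-path allowlist, the comparison value travels as a SpEL variable rather than being spliced into the expression text, and evaluation uses SimpleEvaluationContext, which has no type references, constructors or bean references. It assumes spring-expression is on the classpath; the Person class, the allowlist pattern and the payload are assumptions made for the example.

```java
import java.util.regex.Pattern;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelHardening {

    // Constructed root object standing in for the page's Person.
    public static class Person {
        private final String name;
        private final int age;
        public Person(String name, int age) { this.name = name; this.age = age; }
        public String getName() { return name; }
        public int getAge() { return age; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Allowlist for the user-controlled fragment: a plain property path such as
    // "name" or "address.city" (assumption: adjust to what the feature needs).
    private static final Pattern PROPERTY_PATH =
            Pattern.compile("[A-Za-z][A-Za-z0-9]*(\\.[A-Za-z][A-Za-z0-9]*)*");

    // Hardened replacement for parseExpressionInterface(): (1) the fragment must be a
    // property path, (2) the comparison value is bound as the variable #expected instead
    // of being concatenated as a literal, (3) the read-only data-binding context exposes
    // no T(...) type references, constructors or bean references.
    static boolean propertyEquals(Person root, String property, String expected) {
        if (property == null || !PROPERTY_PATH.matcher(property).matches()) {
            throw new IllegalArgumentException("property rejected by allowlist: " + property);
        }
        Expression exp = PARSER.parseExpression(property + " == #expected");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("expected", expected);
        return Boolean.TRUE.equals(exp.getValue(ctx, root, Boolean.class));
    }

    // Defence in depth shown in isolation: even without the allowlist, the restricted
    // context refuses the constructs an injection payload relies on.
    static String evaluateWithRestrictedContext(String expression, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        try {
            return String.valueOf(PARSER.parseExpression(expression).getValue(ctx, root));
        } catch (SpelEvaluationException e) {
            return "refused: " + e.getMessageCode();
        }
    }

    public static void main(String[] args) {
        Person albert = new Person("Albert", 42);
        System.out.println(propertyEquals(albert, "name", "Albert"));
        System.out.println(propertyEquals(albert, "name", "Bob"));
        // Typical payload shape: a type reference that calls into a Java class.
        String payload = "T(java.lang.System).getProperty('user.name')";
        try {
            propertyEquals(albert, payload, "x");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        // The same payload against the restricted context alone.
        System.out.println(evaluateWithRestrictedContext(payload, albert));
    }
}
```

Passing `expected` as a variable also closes the second hole in the original, where the `'Albert'` literal could just as well have come from the request and broken out of its quotes. SimpleEvaluationContext is available from Spring Framework 4.3.15 and 5.0.4 onwards; on older versions the allowlist is the only defence you have.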

Option C: Using Expression Language safely


Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    import javax.el.ELContext;
    import javax.el.ExpressionFactory;
    import javax.el.ValueExpression;
    import javax.faces.context.FacesContext;

    // Unsafe: the expression text comes straight from the caller
    public String evaluateExpression(String expression) {
        FacesContext context = FacesContext.getCurrentInstance();
        ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
        ELContext elContext = context.getELContext();
        ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
        return (String) vex.getValue(elContext);
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, ensure that the user input is validated before it is evaluated; the safest shape is an expression whose text is fixed and an explicit list of the property names a caller may select:

    // Java
    import java.util.regex.Pattern;

    // Ensure that only safe characters are supplied (example allowlist:
    // letters, digits, '_' and '.'). Otherwise don't perform the operation.
    if (!Pattern.matches("[A-Za-z0-9_.]+", expression)) {
        // Handle error
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴

Option D: Using Seam Logging Call safely


Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    // Unsafe: the username is concatenated into the message text
    public void logUser(User user) {
        log.info("Current logged in user : " + user.getUsername());
        //...
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, pass the value as a positional parameter instead of concatenating it into the message. Seam's logging API evaluates expression language (#{...}) found in the message string, so a username containing such an expression would be executed; parameters are inserted as plain values:

    // Safe: the username is a parameter and is never interpreted as EL
    public void logUser(User user) {
        log.info("Current logged in user : #0", user.getUsername());
        //...
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴

Option E: Using OGNL safely


Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    public String getUserProperty(String property) {
        [...]
        // The first argument is the dynamic expression, and it contains user input
        return ognlUtil.getValue("user." + property, ctx, root, String.class);
    }
  3. If the functionality is not required, then remove it

  4. Otherwise, ensure that the user input is validated before it is spliced into the expression:

    // Java
    import java.util.regex.Pattern;

    // Ensure that only safe characters are supplied (example allowlist:
    // letters, digits, '_' and '.'). Otherwise don't perform the operation.
    if (!Pattern.matches("[A-Za-z0-9_.]+", property)) {
        // Handle error
    }
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
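Options C and E share one shape: a user-chosen property name is concatenated into the source text of an expression (`"user." + property`), and a character allowlist is the only thing standing between the caller and the evaluator. The following is an added example (not code from the original page, from GuardRails or from any EL or OGNL implementation) of the stronger alternative for both: the expression text stays constant, the input is bound as a plain value, and an explicit set of property names decides what may be selected at all. It uses the standalone Jakarta EL processor (javax.el.ELProcessor on EL 3.0) and assumes an EL implementation such as org.glassfish:jakarta.el is on the classpath; the User class, the allowlist and the inputs are assumptions made for the example. For OGNL the evaluation call differs, but the allowlist and the data-not-code principle carry over unchanged.

```java
import jakarta.el.ELProcessor;   // javax.el.ELProcessor on EL 3.0 / Java EE 8 and earlier
import java.util.Set;

public class ElPropertyLookup {

    // Constructed bean standing in for the page's User.
    public static class User {
        private final String username;
        private final String email;
        private final String role;
        public User(String username, String email, String role) {
            this.username = username; this.email = email; this.role = role;
        }
        public String getUsername() { return username; }
        public String getEmail() { return email; }
        public String getRole() { return role; }
    }

    // Explicit allowlist of properties the caller may select. "class" is deliberately
    // absent: user.class.forName(...) is the usual road from a bean to arbitrary code.
    // "role" is absent simply because this feature should not expose it.
    private static final Set<String> EXPOSED = Set.of("username", "email");

    // The page's vulnerable shape: user input becomes part of the expression source, so
    // "class.forName('java.lang.Runtime')" is evaluated as code, not looked up as a name.
    static Object vulnerable(ELProcessor elp, String property) {
        return elp.eval("user." + property);
    }

    // Hardened: the expression text is a constant; the input is bound as a plain value
    // (the bean "prop") and used as a map-style key, and only allowlisted names get that far.
    static Object hardened(ELProcessor elp, String property) {
        if (property == null || !EXPOSED.contains(property)) {
            throw new IllegalArgumentException("property not exposed: " + property);
        }
        elp.defineBean("prop", property);
        return elp.eval("user[prop]");
    }

    public static void main(String[] args) {
        ELProcessor elp = new ELProcessor();
        elp.defineBean("user", new User("alice", "alice@example.com", "admin"));
        // Constructed inputs: two legitimate selections, one hidden property, one payload.
        String[] inputs = {"username", "email", "role", "class.forName('java.lang.Runtime')"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + hardened(elp, in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected");
            }
        }
        // vulnerable(elp, "class.forName('java.lang.Runtime')") would hand the payload to
        // the evaluator as code; it is deliberately left uncalled here.
    }
}
```

A character allowlist such as `[A-Za-z0-9_.]+` would have let `class.forName` through, since it is made of nothing but letters and dots; that is why an explicit list of names is preferable to a character class whenever the set of legitimate values is known, which for property selection it always is.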

Option F: Using JSP Spring Expression safely

Here a Spring expression is built from a dynamic value. The source of that value must be verified so that unfiltered data never reaches this risky code evaluation.

Detailed Instructions

  1. Go through the issues that GuardRails identified in the PR

  2. Locate the following code pattern:

    <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
    <%-- Unsafe: the request parameter is evaluated as a SpEL expression --%>
    <spring:eval expression="${param.lang}" var="lang" />
    <spring:eval expression="'${param.lang}'=='fr'" var="languageIsFrench" />
  3. If the functionality is not required, then remove it

  4. Otherwise, use plain JSTL, which treats the parameter as data instead of evaluating it as an expression:

    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
    <c:set var="lang" value="${param.lang}"/>
    <c:set var="languageIsFrench" value="${param.lang == 'fr'}"/>
  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
