From 6a1fb3d7683dd323d01dd271efacaf5bbdd0aefc Mon Sep 17 00:00:00 2001 From: sylvain Date: Fri, 26 Jun 2026 16:22:26 +0200 Subject: [PATCH] Add Hutool taint flows for javasecurity-advanced config demo Introduce AdvancedConfigServlet with three taint vulnerabilities whose sinks (cn.hutool.* APIs) are modeled only by the javasecurity-advanced library config, not the base/Enterprise javasecurity config: - S2076 OS command injection via RuntimeUtil.exec(String...) - S2083 path traversal via FileUtil.readUtf8String(String) - S2083 path traversal via FileUtil.del(String) Source is HttpServletRequest.getParameter (base-modeled), so these issues isolate the detection value added by the advanced library config. Co-Authored-By: Claude Opus 4.8 (1M context) --- pom.xml | 7 +++ .../servlet/AdvancedConfigServlet.java | 56 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 src/main/java/demo/security/servlet/AdvancedConfigServlet.java diff --git a/pom.xml b/pom.xml index 59ded444..e3a64576 100644 --- a/pom.xml +++ b/pom.xml @@ -36,6 +36,13 @@ commons-codec 1.16.0 + + + cn.hutool + hutool-all + 5.8.27 + javax.servlet javax.servlet-api diff --git a/src/main/java/demo/security/servlet/AdvancedConfigServlet.java b/src/main/java/demo/security/servlet/AdvancedConfigServlet.java new file mode 100644 index 00000000..69a8da31 --- /dev/null +++ b/src/main/java/demo/security/servlet/AdvancedConfigServlet.java @@ -0,0 +1,56 @@ +package demo.security.servlet; + +import java.io.IOException; + +import javax.servlet.ServletException; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import cn.hutool.core.io.FileUtil; +import cn.hutool.core.util.RuntimeUtil; + +/** + * Taint flows that ONLY the {@code javasecurity-advanced} library config detects. + * + *

Source: {@code javax.servlet.http.HttpServletRequest#getParameter} — modeled by the + * base/Enterprise {@code javasecurity} config. + * + *

Sinks: Hutool ({@code cn.hutool.*}) APIs. These method signatures live in + * {@code javasecurity-advanced/sinks/*.json} (autogenerated library config) and are ABSENT + * from the base {@code javasecurity} config. Result: the base/Enterprise config raises nothing + * here; only the advanced config reports these vulnerabilities. + */ +public class AdvancedConfigServlet extends HttpServlet { + + /** + * S2076 - OS command injection. + * Sink: {@code cn.hutool.core.util.RuntimeUtil#exec([Ljava/lang/String;)Ljava/lang/Process;} + */ + @Override + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String cmd = request.getParameter("cmd"); + RuntimeUtil.exec(cmd); // advanced-only sink + } + + /** + * S2083 - path traversal (read). + * Sink: {@code cn.hutool.core.io.FileUtil#readUtf8String(Ljava/lang/String;)Ljava/lang/String;} + */ + protected void readFile(HttpServletRequest request, HttpServletResponse response) + throws IOException { + String path = request.getParameter("path"); + String content = FileUtil.readUtf8String(path); // advanced-only sink + response.getWriter().write(content); + } + + /** + * S2083 - path traversal (delete). + * Sink: {@code cn.hutool.core.io.FileUtil#del(Ljava/lang/String;)Z} + */ + protected void deleteFile(HttpServletRequest request) { + String victim = request.getParameter("file"); + FileUtil.del(victim); // advanced-only sink + } +}