Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,13 @@
<artifactId>commons-codec</artifactId>
<version>1.16.0</version>
</dependency>
<!-- Hutool: modeled by the javasecurity-advanced config (NOT the base/Enterprise config).
Added to demonstrate taint flows that only the advanced library config detects. -->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.8.27</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
Expand Down
56 changes: 56 additions & 0 deletions src/main/java/demo/security/servlet/AdvancedConfigServlet.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
package demo.security.servlet;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.hutool.core.io.FileUtil;
import cn.hutool.core.util.RuntimeUtil;

/**
* Taint flows that ONLY the {@code javasecurity-advanced} library config detects.
*
* <p>Source: {@code javax.servlet.http.HttpServletRequest#getParameter} — modeled by the
* base/Enterprise {@code javasecurity} config.
*
* <p>Sinks: Hutool ({@code cn.hutool.*}) APIs. These method signatures live in
* {@code javasecurity-advanced/sinks/*.json} (autogenerated library config) and are ABSENT
* from the base {@code javasecurity} config. Result: the base/Enterprise config raises nothing
* here; only the advanced config reports these vulnerabilities.
*/
public class AdvancedConfigServlet extends HttpServlet {

/**
* S2076 - OS command injection.
* Sink: {@code cn.hutool.core.util.RuntimeUtil#exec([Ljava/lang/String;)Ljava/lang/Process;}
*/
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String cmd = request.getParameter("cmd");
RuntimeUtil.exec(cmd); // advanced-only sink

Check failure on line 34 in src/main/java/demo/security/servlet/AdvancedConfigServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct the OS command from user-controlled data.

[S2076] OS commands should not be vulnerable to command injection attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=87&issues=0ea065f3-2b1d-44ca-ba1c-b8628360eb73&open=0ea065f3-2b1d-44ca-ba1c-b8628360eb73

Check failure

Code scanning / SonarQube

OS commands should not be vulnerable to command injection attacks Critical

Change this code to not construct the OS command from user-controlled data. See more on SonarQube
}

/**
* S2083 - path traversal (read).
* Sink: {@code cn.hutool.core.io.FileUtil#readUtf8String(Ljava/lang/String;)Ljava/lang/String;}
*/
protected void readFile(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String path = request.getParameter("path");
String content = FileUtil.readUtf8String(path); // advanced-only sink

Check warning on line 44 in src/main/java/demo/security/servlet/AdvancedConfigServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct the path from user-controlled data.

[S6549] Accessing files should not lead to filesystem oracle attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=87&issues=c2d155dc-954f-449d-93e9-6ae8fc6cfbb6&open=c2d155dc-954f-449d-93e9-6ae8fc6cfbb6

Check failure on line 44 in src/main/java/demo/security/servlet/AdvancedConfigServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct the path from user-controlled data.

[S2083] I/O function calls should not be vulnerable to path injection attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=87&issues=d8535cc0-2736-4c6c-bc2d-1deb31fa1c24&open=d8535cc0-2736-4c6c-bc2d-1deb31fa1c24

Check failure

Code scanning / SonarQube

I/O function calls should not be vulnerable to path injection attacks Critical

Change this code to not construct the path from user-controlled data. See more on SonarQube

Check warning

Code scanning / SonarQube

Accessing files should not lead to filesystem oracle attacks Medium

Change this code to not construct the path from user-controlled data. See more on SonarQube
response.getWriter().write(content);
}

/**
* S2083 - path traversal (delete).
* Sink: {@code cn.hutool.core.io.FileUtil#del(Ljava/lang/String;)Z}
*/
protected void deleteFile(HttpServletRequest request) {
String victim = request.getParameter("file");
FileUtil.del(victim); // advanced-only sink

Check failure on line 54 in src/main/java/demo/security/servlet/AdvancedConfigServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct the path from user-controlled data.

[S2083] I/O function calls should not be vulnerable to path injection attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=87&issues=0033c232-20c8-4052-8012-aef93db900fa&open=0033c232-20c8-4052-8012-aef93db900fa

Check warning on line 54 in src/main/java/demo/security/servlet/AdvancedConfigServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct the path from user-controlled data.

[S6549] Accessing files should not lead to filesystem oracle attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=87&issues=54b17efa-d723-4299-bf2a-367399b6d11e&open=54b17efa-d723-4299-bf2a-367399b6d11e

Check failure

Code scanning / SonarQube

I/O function calls should not be vulnerable to path injection attacks Critical

Change this code to not construct the path from user-controlled data. See more on SonarQube

Check warning

Code scanning / SonarQube

Accessing files should not lead to filesystem oracle attacks Medium

Change this code to not construct the path from user-controlled data. See more on SonarQube
}
}