Implement bad1 servlet with tainted script evaluation#3
kyle-semgrep wants to merge 1 commit into main from
Added a servlet that demonstrates potential code injection vulnerabilities through HTTP request headers.
💡 Codex Review
Here are some automated review suggestions for this pull request.
```java
ScriptEngineManager factory = new ScriptEngineManager();
ScriptEngine engine = factory.getEngineByName("JavaScript");
```
Import javax.script classes for ScriptEngine usage
Compilation will fail here because ScriptEngineManager and ScriptEngine are referenced without any corresponding javax.script imports. With only the servlet imports present at the top of the file, javac reports cannot find symbol for these types, so the servlet cannot build until the imports are added or fully qualified names are used.
```java
FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
//ruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class);
```
Missing JSF/EL imports for expression evaluation
The code constructs FacesContext, ExpressionFactory, ELContext, and ValueExpression but no imports for the JSF/EL packages are declared. As written, javac will error on these symbols and prevent the servlet from compiling until the appropriate javax.faces.* and javax.el.* imports are added.
This PR is being reviewed by Cursor Bugbot
```java
String script = createTaintedScript(param);

//ruleid: tainted-code-injection-from-http-request
engine.eval(script); //Bad things can happen here.
```
Bug: Script engine evaluates untrusted user input from headers
User-controlled input from the HTTP header BenchmarkTest00006 flows through createTaintedScript() and is evaluated via engine.eval(), enabling arbitrary JavaScript code injection. Similarly, the same tainted param is concatenated into EL expressions via createValueExpression(), allowing Expression Language injection attacks. An attacker can execute arbitrary code on the server by crafting malicious header values.
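The flow Bugbot describes, as an added example that is not the PR's servlet: the container is dropped so it runs from main(), the header value is a constructed attacker payload, and a hardened variant passes the same value through Bindings so the engine never parses it as source text. The class and method names (ScriptInjectionDemo, evalTainted, evalBound) are mine, and createTaintedScript is assumed to interpolate the header into a JavaScript string literal, since the PR's body of that helper is not shown on this page.

```java
import javax.script.Bindings;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example, not the PR's code: the tainted header-to-eval flow without the
 * servlet container, beside a variant that keeps user data out of the script text.
 */
public class ScriptInjectionDemo {

    // Assumed shape of the PR's createTaintedScript(): the header value lands inside a literal.
    static String createTaintedScript(String param) {
        return "var greeting = 'Hello, " + param + "';";
    }

    // Vulnerable: whatever the client sent is parsed and executed as JavaScript.
    static Object evalTainted(ScriptEngine engine, String param) throws ScriptException {
        return engine.eval(createTaintedScript(param));
    }

    // Hardened: the script is a constant; the header value enters only as a bound variable,
    // so a quote or semicolon in it is data, not syntax.
    static Object evalBound(ScriptEngine engine, String param) throws ScriptException {
        Bindings bindings = engine.createBindings();
        bindings.put("param", param);
        return engine.eval("'Hello, ' + param;", bindings);
    }

    public static void main(String[] args) throws Exception {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("JavaScript");
        if (engine == null) {
            // Nashorn shipped with JDK 8-14 and was removed in JDK 15; on newer JDKs put a
            // standalone JavaScript engine on the classpath to run this demo.
            System.err.println("no JavaScript engine available");
            return;
        }

        // Constructed attacker header value (URL-encoded as it would arrive on the wire):
        // closes the string literal, runs arbitrary code, then reopens a literal to stay valid.
        String rawHeader = "x'%3B+java.lang.System.out.println('injected')%3B+var+y+%3D+'";
        String param = URLDecoder.decode(rawHeader, StandardCharsets.UTF_8.name());

        System.out.println("tainted script: " + createTaintedScript(param));
        evalTainted(engine, param);                    // attacker code runs: prints "injected"
        System.out.println(evalBound(engine, param));  // same value echoed back as plain text
    }
}
```

The decoded header becomes `var greeting = 'Hello, x'; java.lang.System.out.println('injected'); var y = '';`, which is exactly the kind of statement a Semgrep taint rule flags at `engine.eval(script)`. The EL side of the servlet has the same fix: never concatenate `param` into the expression string; build a literal with the `ExpressionFactory.createValueExpression(Object, Class)` overload, or expose the value through the ELContext's variable mapper and reference it from a fixed expression.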
Note

Adds a bad1 servlet that reads a request header, URL-decodes it, and evaluates it via a JavaScript ScriptEngine and JSF EL, with helper methods and a hardcoded eval example.

- bad1 is mapped at @WebServlet("/cmdi-00/BenchmarkTest00006").
- Reads the BenchmarkTest00006 header, URL-decodes it to param, and sets the text/html content type.
- Evaluates a param-derived script via ScriptEngine (engine.eval(script)) and builds/evaluates JSF EL using ExpressionFactory/ValueExpression.
- Also includes a hardcoded engine.eval("this is a hardcoded script") example.
- Helper methods: createTaintedScript(String) and evaluateExpression(String).

Written by Cursor Bugbot for commit 9858939.