69 changes: 69 additions & 0 deletions javablock.vuln
@@ -0,0 +1,69 @@

package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/cmdi-00/BenchmarkTest00006")
public class bad1 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

String param = "";
if (request.getHeader("BenchmarkTest00006") != null) {
param = request.getHeader("BenchmarkTest00006");
}

// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().
param = java.net.URLDecoder.decode(param, "UTF-8");

ScriptEngineManager factory = new ScriptEngineManager();
ScriptEngine engine = factory.getEngineByName("JavaScript");

Comment on lines +36 to +38

P1: Import javax.script classes for ScriptEngine usage

Compilation will fail here because ScriptEngineManager and ScriptEngine are referenced without any corresponding javax.script imports. With only the servlet imports present at the top of the file, javac reports cannot find symbol for these types, so the servlet cannot build until the imports are added or fully qualified names are used.

String script = createTaintedScript(param);

//ruleid: tainted-code-injection-from-http-request
engine.eval(script); //Bad things can happen here.
Bug: Script engine evaluates untrusted user input from headers

User-controlled input from the HTTP header BenchmarkTest00006 flows through createTaintedScript() and is evaluated via engine.eval(), enabling arbitrary JavaScript code injection. Similarly, the same tainted param is concatenated into EL expressions via createValueExpression(), allowing Expression Language injection attacks. An attacker can execute arbitrary code on the server by crafting malicious header values.


String script2 = "this is a hardcoded script";
// ok: tainted-code-injection-from-http-request
engine.eval(script2); //Bad things can happen here.

FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
//ruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class);
Comment on lines +48 to +52

P1: Missing JSF/EL imports for expression evaluation

The code constructs FacesContext, ExpressionFactory, ELContext, and ValueExpression but no imports for the JSF/EL packages are declared. As written, javac will error on these symbols and prevent the servlet from compiling until the appropriate javax.faces.* and javax.el.* imports are added.


String result = evaluateExpression("expression" + param);

}

public String createTaintedScript(String param){
return "this is some script" + param;
}

public String evaluateExpression(String expression) {
FacesContext context = FacesContext.getCurrentInstance();
ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory();
ELContext elContext = context.getELContext();
// proruleid: tainted-code-injection-from-http-request
ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class);
return (String) vex.getValue(elContext);
}
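Review bot: The file name `javablock.vuln` will keep the `ruleid:` / `ok:` / `proruleid:` annotations in this hunk from being exercised at all if this is a Semgrep test fixture, which those annotations suggest: Semgrep picks a target's language from its file extension, so a `.vuln` file is not treated as Java unless the harness maps that extension explicitly, and the interprocedural case at the end of the hunk (`String result = evaluateExpression("expression" + param);` flowing into the `// proruleid:` sink inside `evaluateExpression`) is the one most likely to go silently untested; renaming to `javablock.java`, or documenting the extension mapping next to the rule, would make the fixture self-describing. Two smaller points: the negative case `engine.eval(script2); //Bad things can happen here.` repeats the trailing comment from the tainted line, which misstates what the `// ok:` line demonstrates (a hardcoded script is the safe case), so drop or reword it; and, as the inline comments already note, `ScriptEngineManager`/`ScriptEngine` and `FacesContext`/`ExpressionFactory`/`ELContext`/`ValueExpression` have no imports, which only matters if the fixture is ever compiled, but adding `javax.script.*`, `javax.faces.context.FacesContext` and `javax.el.*` alongside the servlet imports already declared keeps the file consistent with the `package org.owasp.benchmark.testcode;` declaration it carries.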