Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Rule : Seam Logger usage could lead to remote code execution #56

Closed
ThrawnCA opened this issue May 28, 2015 · 5 comments
Closed

New Rule : Seam Logger usage could lead to remote code execution #56

ThrawnCA opened this issue May 28, 2015 · 5 comments
Assignees
@h3xstream
Labels
enhancement New feature or improvement to existing detector.
Milestone
version-1.4.5

Comments

@ThrawnCA
Copy link

The Seam framework accepts expression language in its log statements, so concatenating strings to pass to the logger is a very bad idea.

https://issues.jboss.org/browse/JBSEAM-5130

Is it easy enough to add a detector for this?
@h3xstream h3xstream added the enhancement New feature or improvement to existing detector. label May 28, 2015
@h3xstream
Copy link
Member

You can take the Script Injection Detector as example : https://github.com/h3xstream/find-sec-bugs/tree/master/plugin/src/main/java/com/h3xstream/findsecbugs/injection/script

@h3xstream h3xstream added this to the version-1.4.3 milestone Aug 19, 2015
@h3xstream h3xstream changed the title Suggested detector: string concatenation in Seam logger New Rule : Seam Logger usage could lead to remote code execution Oct 4, 2015
@h3xstream
Copy link
Member

@ThrawnCA Do you have a reference or code sample of how expression look like?

@ThrawnCA
Copy link
Author

I'm no expert, but there are some samples at https://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185

It looks like JBoss expression language is an extension of standard J2EE expression language (https://docs.oracle.com/javaee/6/tutorial/doc/gjddd.html). Essentially, the expressions that we'd be concerned about use #{variable.method()} syntax (it's also possible to use #0 #1 #2, but that seems harmless).

h3xstream added a commit that referenced this issue Nov 27, 2015
@h3xstream
Add Seam Logger to code injection sinks #56
cc204af
h3xstream added a commit that referenced this issue Nov 27, 2015
@h3xstream
Update the description of Seam logging injection #56
adeeda0
@h3xstream
Copy link
Member

@ThrawnCA Thanks

I notice at the same time that the Interpolator class should also be flagged. Interpolator.instance().interpolate( (String) object, params );
https://github.com/seam2/jboss-seam/blob/f3077fee9d04b2b3545628cd9e6b58c859feb988/jboss-seam/src/main/java/org/jboss/seam/log/LogImpl.java#L140

@h3xstream
Copy link
Member

Here is the first draft of the description : http://h3xstream.github.io/find-sec-bugs/bugs.htm#SEAM_LOG_INJECTION

@h3xstream h3xstream self-assigned this Dec 25, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@h3xstream h3xstream

Labels
enhancement New feature or improvement to existing detector.
Projects
None yet
Milestone
version-1.4.5
Development

No branches or pull requests
2 participants
@h3xstream @ThrawnCA