Skip to content

Java: add some improvements to the bean validation query#4629

Merged
adityasharad merged 7 commits into
github:mainfrom
pwntester:improve_bean_validation_query
Nov 17, 2020
Merged

Java: add some improvements to the bean validation query#4629
adityasharad merged 7 commits into
github:mainfrom
pwntester:improve_bean_validation_query

Conversation

@pwntester
Copy link
Copy Markdown
Contributor

@pwntester pwntester commented Nov 6, 2020

This improvements try to address those cases where the vulnerability is fixed by setting a default message interpolator that does not interpolate Expression Language expressions.
This can lead to False negatives though since it may be the case where the project scanned has more than one application and the secure configuration may not be applied to all of them. Because we are just checking that there is a call to setMessasgeInterpolator with a non-EL interpolator somewhere in the scanned code, we may consider that it protects all the uses of Bean validation which may not be the case.

In the opposite hand, if we do not apply an improvement like this, projects fixing the issue with this approach (which is the recommended one) will not get rid of the alert.

/cc @adityasharad

@pwntester pwntester requested a review from a team as a code owner November 6, 2020 12:09
@github-actions github-actions Bot added the Java label Nov 6, 2020
@RasmusWL RasmusWL changed the title add some improvements to the bean validation query Java: add some improvements to the bean validation query Nov 6, 2020
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Copy link
Copy Markdown
Collaborator

@adityasharad adityasharad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Structure looks good! Added suggestions for handling false negatives, as discussed separately.

Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Comment thread java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql Outdated
Copy link
Copy Markdown
Collaborator

@adityasharad adityasharad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. @aschackmull or @smowton do you have any further comments?

@smowton
Copy link
Copy Markdown
Contributor

smowton commented Nov 12, 2020

Nothing from me, but I don't have much of the background on this one

@pwntester
Copy link
Copy Markdown
Contributor Author

@aschackmull can we merge this one so we remove some relevant FPs? thanks!

@adityasharad adityasharad merged commit b9b6a35 into github:main Nov 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants