From ce443b61d1c3b0c63da9c1beca92da6786240936 Mon Sep 17 00:00:00 2001 From: kyle-semgrep Date: Wed, 19 Nov 2025 19:17:23 -0500 Subject: [PATCH 1/3] Downgrade requests package version to 2.26.1 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 9671482..e36d6bd 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,7 @@ itsdangerous==2.0.1 Jinja2==3.0.1 lxml==4.8.0 MarkupSafe==2.0.1 -requests==2.27.1 +requests==2.26.1 urllib3==1.26.8 waitress==2.1.1 Werkzeug==2.0.1 From e1c1df2edede57b5f5232f10e1c2ed569db05acc Mon Sep 17 00:00:00 2001 From: kyle-semgrep Date: Thu, 11 Dec 2025 10:28:35 -0500 Subject: [PATCH 2/3] Add vulnerable servlet for testing code injection This servlet processes HTTP requests and evaluates scripts based on header input, which can lead to code injection vulnerabilities. --- vuln.java | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 vuln.java diff --git a/vuln.java b/vuln.java new file mode 100644 index 0000000..be01bd1 --- /dev/null +++ b/vuln.java @@ -0,0 +1,69 @@ + +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00006") +public class bad1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00006") != null) { + param = request.getHeader("BenchmarkTest00006"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + ScriptEngineManager factory = new ScriptEngineManager(); + ScriptEngine engine = factory.getEngineByName("JavaScript"); + + String script = createTaintedScript(param); + + //ruleid: tainted-code-injection-from-http-request + engine.eval(script); //Bad things can happen here. + + String script2 = "this is a hardcoded script"; + // ok: tainted-code-injection-from-http-request + engine.eval(script2); //Bad things can happen here. + + FacesContext context = FacesContext.getCurrentInstance(); + ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory(); + ELContext elContext = context.getELContext(); + //ruleid: tainted-code-injection-from-http-request + ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class); + + String result = evaluateExpression("expression" + param); + + } + + public String createTaintedScript(String param){ + return "this is some script" + param; + } + + public String evaluateExpression(String expression) { + FacesContext context = FacesContext.getCurrentInstance(); + ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory(); + ELContext elContext = context.getELContext(); + // proruleid: tainted-code-injection-from-http-request + ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class); + return (String) vex.getValue(elContext); + } From 1ae1bde6894553ba6827a27c75bdf8aac57f6495 Mon Sep 17 00:00:00 2001 From: kyle-semgrep Date: Thu, 11 Dec 2025 11:46:24 -0500 Subject: [PATCH 3/3] Add vulnerable servlet for tainted code injection --- java1.vuln | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 java1.vuln diff --git a/java1.vuln b/java1.vuln new file mode 100644 index 0000000..be01bd1 --- /dev/null +++ b/java1.vuln @@ -0,0 +1,69 @@ + +package org.owasp.benchmark.testcode; + +import java.io.IOException; +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +@WebServlet(value = "/cmdi-00/BenchmarkTest00006") +public class bad1 extends HttpServlet { + + private static final long serialVersionUID = 1L; + + @Override + public void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + doPost(request, response); + } + + @Override + public void doPost(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + // some code + response.setContentType("text/html;charset=UTF-8"); + + String param = ""; + if (request.getHeader("BenchmarkTest00006") != null) { + param = request.getHeader("BenchmarkTest00006"); + } + + // URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter(). + param = java.net.URLDecoder.decode(param, "UTF-8"); + + ScriptEngineManager factory = new ScriptEngineManager(); + ScriptEngine engine = factory.getEngineByName("JavaScript"); + + String script = createTaintedScript(param); + + //ruleid: tainted-code-injection-from-http-request + engine.eval(script); //Bad things can happen here. + + String script2 = "this is a hardcoded script"; + // ok: tainted-code-injection-from-http-request + engine.eval(script2); //Bad things can happen here. + + FacesContext context = FacesContext.getCurrentInstance(); + ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory(); + ELContext elContext = context.getELContext(); + //ruleid: tainted-code-injection-from-http-request + ValueExpression vex = expressionFactory.createValueExpression(elContext, "expression" + param, String.class); + + String result = evaluateExpression("expression" + param); + + } + + public String createTaintedScript(String param){ + return "this is some script" + param; + } + + public String evaluateExpression(String expression) { + FacesContext context = FacesContext.getCurrentInstance(); + ExpressionFactory expressionFactory = context.getApplication().getExpressionFactory(); + ELContext elContext = context.getELContext(); + // proruleid: tainted-code-injection-from-http-request + ValueExpression vex = expressionFactory.createValueExpression(elContext, expression, String.class); + return (String) vex.getValue(elContext); + }