Expression language injection (MVEL)¶
ID: java/mvel-expression-injectionKind: path-problemSecurity severity: 9.3Severity: errorPrecision: highTags: - security - external/cwe/cwe-094Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls
Click to see the query in the CodeQL repository
MVEL is an expression language based on Java-syntax, which offers many features including invocation of methods available in the JVM. If a MVEL expression is built using attacker-controlled data, and then evaluated, then it may allow attackers to run arbitrary code.
Recommendation¶
Including user input in a MVEL expression should be avoided.
Example¶
In the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.
publicvoidevaluate(Socketsocket)throwsIOException{try(BufferedReaderreader=newBufferedReader(newInputStreamReader(socket.getInputStream()))){Stringexpression=reader.readLine();// BAD: the user-provided expression is directly evaluatedMVEL.eval(expression);}}publicvoidsafeEvaluate(Socketsocket)throwsIOException{try(BufferedReaderreader=newBufferedReader(newInputStreamReader(socket.getInputStream()))){Stringexpression=reader.readLine();// GOOD: the user-provided expression is validated before evaluationvalidateExpression(expression);MVEL.eval(expression);}}privatevoidvalidateExpression(Stringexpression){// Validate that the expression does not contain unexpected code.// For instance, this can be done with allow-lists or deny-lists of code patterns.}
References¶
MVEL Documentation:Language Guide for 2.0.
Common Weakness Enumeration:CWE-94.