javax.script package consists of interfaces and classes that define Java scripting engines and a framework for the use of those interfaces and classes in Java code. Misuse of the
javax.script API permits an attacker to execute arbitrary code on the target system.
This guideline is a specific instance of IDS00-J. Prevent SQL injection.
Noncompliant Code Example
The script in this example prints
and then writes
to a configuration file called
config.cfg. An actual exploit can execute arbitrary code.
Compliant Solution (Whitelisting)
The best defense against code injection vulnerabilities is to prevent the inclusion of executable user input in code. User input used in dynamic code must be sanitized, for example, to ensure that it contains only valid, whitelisted characters. Sanitization is best performed immediately after the data has been input, using methods from the data abstraction used to store and process the data. Refer to IDS00-J. Sanitize untrusted data passed across a trust boundary for more details. If special characters must be permitted in the name, they must be normalized before comparison with their equivalent forms for the purpose of input validation. This compliant solution uses whitelisting to prevent unsanitized input from being interpreted by the scripting engine.
Compliant Solution (Secure Sandbox)
An alternative approach is to create a secure sandbox using a security manager (see SEC54-J. Create a secure sandbox using a security manager.) The application should prevent the script from executing arbitrary commands, such as querying the local file system. The two-argument form of
doPrivileged() can be used to lower privileges when the application must operate with higher privileges, but the scripting engine must not. The
RestrictedAccessControlContext reduces the permissions granted in the default policy file to those of the newly created protection domain. The effective permissions are the intersection of the permissions of the newly created protection domain and the systemwide security policy. Refer to SEC50-J. Avoid granting excess privileges for more details on the two-argument form of
This compliant solution illustrates the use of an
AccessControlContext in the two-argument form of
This approach can be combined with whitelisting for additional security.
Failure to prevent code injection can result in the execution of arbitrary code.
|The Checker Framework|
|Tainting Checker||Trust and security errors (see Chapter 8)|