Expression Language Injection
Description
This rule identifies potential Expression Language (EL) injection vulnerabilities in Java applications. It targets calls to `createValueExpression`, `createMethodExpression`, `ELProcessor.eval`, `getValue`, and `setValue`, and reports them when the expression string passed to the method is not a hardcoded literal, since a dynamically built expression indicates that potentially untrusted input is being evaluated as code.
Examples
Insecure Code
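The following is an added illustration of the sink pattern the rule reports; it is not the rule's own sample code. The class and method names are hypothetical, and `expr` is assumed to arrive unchanged from an HTTP request parameter.

```java
import javax.el.ELProcessor;

// Added example (not from the original rule page): the attacker controls the
// entire expression string, not merely a value referenced by it.
public class VulnerableELHandling {

    // Hypothetical handler; assume `expr` is a raw request parameter.
    public Object evaluateReport(String expr) {
        ELProcessor elProcessor = new ELProcessor();
        elProcessor.defineBean("limit", 10);
        // SINK: a non-literal expression string reaches ELProcessor.eval.
        // The default EL 3.0 context imports java.lang.*, so input such as
        //   Runtime.getRuntime().exec('id')
        // is parsed and invoked as code rather than treated as data.
        return elProcessor.eval(expr);
    }

    public static void main(String[] args) {
        VulnerableELHandling handler = new VulnerableELHandling();

        // Intended use: a benign expression over the defined bean.
        System.out.println(handler.evaluateReport("limit * 2"));

        // Same sink, attacker-chosen input. This resolves a JVM class through
        // the implicit java.lang import without executing a command, which is
        // enough to show that arbitrary expressions run; prints
        // "class java.lang.Runtime".
        System.out.println(handler.evaluateReport("Runtime.getRuntime().getClass()"));
    }
}
```

Any call site where the first argument to `eval`, `createValueExpression`, `createMethodExpression`, `getValue`, or `setValue` is built from a variable rather than a string literal should be treated as this pattern until the origin of that variable is shown to be trusted.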
Secure Code
```java
import javax.el.ELProcessor;
import java.util.Set;

public class SafeELHandling {
    private static final Set<String> ALLOWED_VALUES = Set.of("value1", "value2", "value3");

    public String processInput(String userInput) {
        // Validate user input against the allowlist
        if (!ALLOWED_VALUES.contains(userInput)) {
            throw new IllegalArgumentException("Invalid input");
        }
        ELProcessor elProcessor = new ELProcessor();
        // The validated value enters the EL context as data, not as expression text
        elProcessor.defineBean("userInput", userInput);
        // The expression itself is a hardcoded literal that references the bean,
        // so the string handed to eval() is never user-controlled
        return (String) elProcessor.eval("userInput");
    }
}
```
Remediation
Validate user input against an allowlist and never pass user-supplied text directly to these methods as the expression string. Prefer a lookup table that maps a user-selected key to a hardcoded expression, and pass user data into the EL context as bean values rather than as expression text.
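The lookup-table approach from the remediation, written out as an added example (not the rule's own code). The class names, the `Order` bean, and the report keys are hypothetical; the point is that the only string that ever reaches `eval` is one of the hardcoded literals in the map.

```java
import javax.el.ELProcessor;
import java.util.Map;

// Added example (not from the original rule page): user input selects a key,
// never an expression, so every string passed to eval() is a compile-time literal.
public class LookupTableELHandling {

    // Hypothetical report catalogue: key chosen by the user, expression fixed by us.
    private static final Map<String, String> REPORT_EXPRESSIONS = Map.of(
            "total",      "order.quantity * order.unitPrice",
            "discounted", "order.quantity * order.unitPrice * 0.9",
            "quantity",   "order.quantity");

    public static Object evaluate(String reportKey, Order order) {
        // Resolve the untrusted key to a hardcoded expression; anything else is rejected.
        String expr = REPORT_EXPRESSIONS.get(reportKey);
        if (expr == null) {
            throw new IllegalArgumentException("Unknown report: " + reportKey);
        }
        ELProcessor elProcessor = new ELProcessor();
        // Application data is exposed to the expression as a bean, not spliced into it.
        elProcessor.defineBean("order", order);
        return elProcessor.eval(expr);
    }

    // Hypothetical bean; public class and public getters are required for EL property access.
    public static class Order {
        private final int quantity;
        private final double unitPrice;

        public Order(int quantity, double unitPrice) {
            this.quantity = quantity;
            this.unitPrice = unitPrice;
        }

        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    public static void main(String[] args) {
        Order order = new Order(5, 5.0);
        System.out.println(evaluate("total", order));       // 25.0
        System.out.println(evaluate("discounted", order));  // 22.5

        // Attacker-supplied "key": it is looked up, not evaluated, so no EL runs.
        try {
            evaluate("Runtime.getRuntime().exec('id')", order);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this structure the rule's condition (a non-literal expression string) is still technically present at the `eval(expr)` call, because `expr` is a variable; the difference is that `expr` can only ever hold one of the literals in `REPORT_EXPRESSIONS`, which a reviewer can verify locally at the call site.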
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0706 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-917 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | EL Injection, Expression Language Injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |