# Expression injection (OGNL)

## Description
The Object Graph Navigation Language (OGNL) is an expression language that gives access to Java objects and properties stored in the Struts ActionContext. Using its low-level parsing and evaluation utilities directly is discouraged because they effectively execute strings as code: when the evaluated string is attacker-controlled, the result is remote code execution. Use Struts tags instead when processing user-supplied input and templates.
## Examples

### Insecure Code

```java
// User-controlled input is parsed and evaluated as an OGNL expression.
TextParseUtil.translateVariables(userInput, ActionContext.getContext().getValueStack());
```

### Secure Code

```java
// Do not hand user input to OGNL utilities; process and render it with
// Struts tags in the view instead.
```

## Remediation
Avoid using OGNL packages with user-supplied input. Instead, use struts tags for processing user input and templates.
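The following is an added illustration, not code from the rule page or from Struts itself: a hypothetical Struts 2 action (package, class and property names are assumptions) that shows the flagged pattern next to the remediation, with the view-side Struts tag in a comment.

```java
package example.web; // hypothetical package for this added example

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.util.TextParseUtil;
import com.opensymphony.xwork2.util.ValueStack;

/**
 * Hypothetical Struts 2 action contrasting the flagged pattern with the
 * remediation. "message" is bound from a request parameter by the params
 * interceptor, so its contents are attacker-controlled.
 */
public class NoticeAction extends ActionSupport {

    private String message; // untrusted: comes straight from the HTTP request
    private String banner;  // what the view renders

    // INSECURE (CODE-0711): the user's string *is* the expression handed to
    // the OGNL evaluator, so any ${...} or %{...} it contains is evaluated.
    public String insecure() {
        ValueStack stack = ActionContext.getContext().getValueStack();
        banner = TextParseUtil.translateVariables(message, stack);
        return SUCCESS;
    }

    // SECURE: the input stays plain data. It is combined with ordinary string
    // operations only and rendered by the view with a Struts tag:
    //
    //     <s:property value="banner"/>
    //
    // The tag's value attribute is a developer-written OGNL expression that
    // merely names the property; the user's text is never parsed as OGNL,
    // and <s:property> HTML-escapes it by default.
    public String secure() {
        banner = "Notice: " + message;
        return SUCCESS;
    }

    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
    public String getBanner() { return banner; }
}
```

When reviewing code for this rule, the check is whether the first argument of `translateVariables` can be anything other than a developer-controlled constant; a request-bound property or request parameter there is the finding.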
## Rule Details
| Field | Value |
|---|---|
| ID | CODE-0711 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-917 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | injection, ognl, struts |
| OWASP | A1:2017-Injection, A03:2021-Injection |