Expression Language Injection
Description
An Expression Language (EL) expression is built from a dynamic value. The source of that value should be verified so that unfiltered, user-controlled data does not reach this risky code evaluation.
Examples
Insecure Code
```scala
import javax.el.{ELContext, ExpressionFactory}

// Insecure: the untrusted string becomes the expression text itself, so any EL
// syntax it contains (operators, method calls, "${...}") is parsed and evaluated.
def vulnerableMethod(ctx: ELContext, userInput: String) = {
  val expr = ExpressionFactory.newInstance().createValueExpression(ctx, userInput, classOf[String])
  expr.getValue(ctx)
}
```
Secure Code
```scala
import javax.el.{ELContext, ExpressionFactory}

// Secure: restrict the input to alphanumerics so no EL delimiters, operators or
// method-call syntax survive before the string is handed to the EL sink.
def secureMethod(ctx: ELContext, userInput: String) = {
  val sanitizedInput = userInput.replaceAll("[^a-zA-Z0-9]", "")
  val expr = ExpressionFactory.newInstance().createValueExpression(ctx, sanitizedInput, classOf[String])
  expr.getValue(ctx)
}
```
Remediation
Validate and sanitize user input before passing it to the createValueExpression or createMethodExpression methods.
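Character stripping is one remediation, but it is only appropriate when the input is expected to be an identifier. The following Scala is an added example, not part of this rule's text, showing the two patterns that avoid placing user data in the expression text at all: binding untrusted data as an EL variable, and mapping a user's choice onto a fixed allowlist of expressions. It assumes an EL 3.0 implementation (javax.el.ELProcessor) is on the classpath; the object, method and variable names are illustrative.

```scala
import javax.el.ELProcessor

// Added example, not the rule's own code. Assumes an EL 3.0 implementation
// providing javax.el.ELProcessor is available at runtime.
object ElRemediationExamples {

  // Pattern 1: untrusted data is bound as a variable. The expression text is a
  // fixed literal, so "${...}" or "#{...}" inside userInput is just characters
  // in a string value and is never parsed as EL.
  def renderGreeting(userInput: String): String = {
    val elp = new ELProcessor()
    elp.defineBean("name", userInput)
    elp.eval("'Hello, ' += name").asInstanceOf[String]
  }

  // Pattern 2: the user chooses *which* expression runs (e.g. a sort field), so
  // map the choice onto a fixed allowlist and reject anything else. The user
  // never supplies expression text.
  private val sortExpressions: Map[String, String] = Map(
    "byName"  -> "item.name",
    "byPrice" -> "item.price"
  )

  def sortKey(choice: String, item: java.util.Map[String, AnyRef]): AnyRef = {
    val expr = sortExpressions.getOrElse(choice,
      throw new IllegalArgumentException(s"unsupported sort key: $choice"))
    val elp = new ELProcessor()
    elp.defineBean("item", item)   // the built-in MapELResolver resolves item.name / item.price
    elp.eval(expr)
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: a value shaped like an EL payload, and a product record.
    val suspiciousInput = "${1+1}"
    println(renderGreeting(suspiciousInput))   // treated as data, not evaluated

    val item = new java.util.HashMap[String, AnyRef]()
    item.put("name", "widget")
    item.put("price", java.lang.Double.valueOf(9.99))
    println(sortKey("byPrice", item))

    // An unknown choice is rejected rather than evaluated.
    try sortKey("item.getClass()", item)
    catch { case e: IllegalArgumentException => println(s"rejected: ${e.getMessage}") }
  }
}
```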
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0045 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-94 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | code injection, expression language |
| OWASP | N/A |