Merge pull request #3839 from luchua-bc/uncaught-servlet-exception

aschackmull · web-flow · commit 0cc324b715c9 · 2020-12-02T15:12:59.000+01:00
Java: Uncaught servlet exception
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java
@@ -0,0 +1,38 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+class UncaughtServletException extends HttpServlet {
+    // BAD: Uncaught exceptions
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+            String ip = request.getParameter("srcIP");
+            InetAddress addr = InetAddress.getByName(ip); //BAD: getByName(String) throws UnknownHostException.
+
+            String username = request.getRemoteUser();
+            Integer.parseInt(username); //BAD: Integer.parse(String) throws RuntimeException.
+        }
+    }
+
+    // GOOD
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+            try {
+                String ip = request.getParameter("srcIP");
+                InetAddress addr = InetAddress.getByName(ip);
+            } catch (UnknownHostException uhex) {  //GOOD: Catch the subclass exception UnknownHostException of IOException.
+                uhex.printStackTrace();
+            }
+        }
+    }
+
+    // GOOD
+    {
+        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+            String ip = "10.100.10.81";
+            InetAddress addr = InetAddress.getByName(ip); // OK: Hard-coded variable value or system property is not controlled by attacker.
+        }
+    }
+
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Even though the request-handling methods of <code>Servlet</code> are declared <code>throws IOException, ServletException</code>, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in an unexpected state, possibly resulting in denial-of-service attacks, or could lead to exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. That information could be valuable to an attacker.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Catch IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information, or configure an <code>error-page</code> in web.xml to display a generic user-friendly message for any uncaught exception.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the first and second examples, subclasses of IOException and RuntimeException are not caught, which disclose stack traces. Because user-controlled data is passed to methods that throw, there is an opportunity for an attacker to provoke a stack dump.
+    </p>
+
+    <p>
+      In the third example, the code catches the exception. In the fourth example, the code is not of concern since the variable cannot be controlled by attackers thus no unexpected exceptions can be thrown.
+    </p>
+    <sample src="UncaughtServletException.java" />
+  </example>
+
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/600.html">CWE-600: Uncaught Exception in Servlet</a>
+    </li>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-1989">Exceptions should not be thrown from servlet methods</a>
+    </li>
+    <li>
+      OWASP:
+      <a href="https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html">Error Handling Cheat Sheet</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -0,0 +1,74 @@
+/**
+ * @name Uncaught Servlet Exception
+ * @description Uncaught exceptions in a servlet could leave a system in an unexpected state, possibly resulting in denial-of-service attacks or the exposure of sensitive information disclosed in stack traces.
+ * @kind path-problem
+ * @id java/uncaught-servlet-exception
+ * @tags security
+ *       external/cwe-600
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.Servlets
+import semmle.code.xml.WebXML
+import DataFlow::PathGraph
+
+/** Holds if a given exception type is caught. */
+private predicate exceptionIsCaught(TryStmt t, RefType exType) {
+  exists(CatchClause cc, LocalVariableDeclExpr v |
+    t.getACatchClause() = cc and
+    cc.getVariable() = v and
+    v.getType().(RefType).getASubtype*() = exType and // Detect the case that a subclass exception is thrown but its parent class is declared in the catch clause.
+    not exists(
+      ThrowStmt ts // Detect the edge case that exception is caught then rethrown without processing in a catch clause
+    |
+      ts.getEnclosingStmt() = cc.getBlock() and
+      ts.getExpr() = v.getAnAccess()
+    )
+  )
+}
+
+/** Servlet methods of `javax.servlet.http.Servlet` and subtypes. */
+private predicate isServletMethod(Callable c) {
+  c.getDeclaringType() instanceof ServletClass and
+  c.getNumberOfParameters() = 2 and
+  c.getParameter(1).getType() instanceof ServletResponse and
+  c.getName() in [
+      "doGet", "doPost", "doPut", "doDelete", "doHead", "doOptions", "doTrace", "service"
+    ]
+}
+
+/** Holds if `web.xml` has an error page configured. */
+private predicate hasErrorPage() {
+  exists(WebErrorPage wep | wep.getPageLocation().getValue() != "")
+}
+
+/** Sink of uncaught exceptions, which shall be IO exceptions or runtime exceptions since other exception types must be explicitly caught. */
+class UncaughtServletExceptionSink extends DataFlow::ExprNode {
+  UncaughtServletExceptionSink() {
+    exists(Method m, MethodAccess ma | ma.getMethod() = m |
+      isServletMethod(ma.getEnclosingCallable()) and
+      exists(m.getAThrownExceptionType()) and // The called method might plausibly throw an exception.
+      ma.getAnArgument() = this.getExpr() and
+      not exists(TryStmt t |
+        t.getBlock() = ma.getAnEnclosingStmt() and
+        exceptionIsCaught(t, m.getAThrownExceptionType())
+      )
+    )
+  }
+}
+
+/** Taint configuration of uncaught exceptions caused by user provided data from `RemoteFlowSource` */
+class UncaughtServletExceptionConfiguration extends TaintTracking::Configuration {
+  UncaughtServletExceptionConfiguration() { this = "UncaughtServletException" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UncaughtServletExceptionSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, UncaughtServletExceptionConfiguration c
+where c.hasFlowPath(source, sink) and not hasErrorPage()
+select sink.getNode(), source, sink, "$@ flows to here and can throw uncaught exception.",
+  source.getNode(), "User-provided value"
diff --git a/java/ql/src/semmle/code/xml/WebXML.qll b/java/ql/src/semmle/code/xml/WebXML.qll
@@ -130,3 +130,40 @@ class WebListenerClass extends WebXMLElement {
    */
   Class getClass() { result.getQualifiedName() = getValue() }
 }
+
+/**
+ * An `<error-page>` element in a `web.xml` file.
+ */
+class WebErrorPage extends WebXMLElement {
+  WebErrorPage() { this.getName() = "error-page" }
+
+  /**
+   * Gets the `<exception-type>` element of this `<error-page>`.
+   */
+  WebErrorPageType getPageType() { result = getAChild() }
+
+  /**
+   * Gets the `<location>` element of this `<error-page>`.
+   */
+  WebErrorPageLocation getPageLocation() { result = getAChild() }
+}
+
+/**
+ * An `<exception-type>` element in a `web.xml` file, nested under an `<error-page>` element.
+ */
+class WebErrorPageType extends WebXMLElement {
+  WebErrorPageType() {
+    getName() = "exception-type" and
+    getParent() instanceof WebErrorPage
+  }
+}
+
+/**
+ * A `<location>` element in a `web.xml` file, nested under an `<error-page>` element.
+ */
+class WebErrorPageLocation extends WebXMLElement {
+  WebErrorPageLocation() {
+    getName() = "location" and
+    getParent() instanceof WebErrorPage
+  }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.expected
@@ -0,0 +1,19 @@
+edges
+| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip |
+| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId |
+| UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip |
+| UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId |
+nodes
+| UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException.java:14:44:14:45 | ip | semmle.label | ip |
+| UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
+| UncaughtServletException.java:17:20:17:25 | userId | semmle.label | userId |
+| UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UncaughtServletException.java:55:45:55:46 | ip | semmle.label | ip |
+| UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | semmle.label | getRemoteUser(...) : String |
+| UncaughtServletException.java:76:22:76:27 | userId | semmle.label | userId |
+#select
+| UncaughtServletException.java:14:44:14:45 | ip | UncaughtServletException.java:13:15:13:43 | getParameter(...) : String | UncaughtServletException.java:14:44:14:45 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:13:15:13:43 | getParameter(...) | User-provided value |
+| UncaughtServletException.java:17:20:17:25 | userId | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) : String | UncaughtServletException.java:17:20:17:25 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:16:19:16:41 | getRemoteUser(...) | User-provided value |
+| UncaughtServletException.java:55:45:55:46 | ip | UncaughtServletException.java:54:16:54:44 | getParameter(...) : String | UncaughtServletException.java:55:45:55:46 | ip | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:54:16:54:44 | getParameter(...) | User-provided value |
+| UncaughtServletException.java:76:22:76:27 | userId | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) : String | UncaughtServletException.java:76:22:76:27 | userId | $@ flows to here and can throw uncaught exception. | UncaughtServletException.java:75:21:75:43 | getRemoteUser(...) | User-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java
@@ -0,0 +1,106 @@
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+class UncaughtServletException extends HttpServlet {
+	// BAD - Tests `doGet` without catching exceptions.
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String ip = request.getParameter("srcIP");
+		InetAddress addr = InetAddress.getByName(ip);  // getByName(String) throws UnknownHostException
+
+		String userId = request.getRemoteUser();
+		Integer.parseInt(userId);  // Integer.parse(String) throws RuntimeException
+	}
+
+	// GOOD - Tests `doPost` with catching exceptions.
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+
+			String userId = request.getRemoteUser();
+			Integer.parseInt(userId);  // Integer.parse(String) throws RuntimeException
+		} catch (UnknownHostException uhex) {
+			uhex.printStackTrace();
+		} catch (RuntimeException re) {
+			re.printStackTrace();	
+		}
+	}
+
+	// GOOD - Tests `doPut` without user provided data and without catching exceptions.
+	public void doPut(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		String ip = "10.100.10.81";
+		InetAddress addr = InetAddress.getByName(ip); // GOOD: hard-coded variable value or system property not controlled by attacker
+	}
+
+	// GOOD - Tests rethrowing caught exceptions without stack trace, which the typical programming practice.
+	public void doDelete(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			throw new IOException("Host not found "+uhex.getMessage());
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace.
+	public void doOptions(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			uhex.printStackTrace();
+			throw uhex;
+		}
+	}
+
+	// GOOD - Tests invoking another top-level method.
+	public void doHead(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		doGet(request, response);
+	}
+
+	// BAD - Tests nested try-blocks without catching runtime exceptions.
+	public void service(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = null;
+			try {
+				addr = InetAddress.getByName(ip);
+
+				String userId = request.getRemoteUser();
+				Integer.parseInt(userId);  // Integer.parse(String) throws RuntimeException		
+			} catch (UnknownHostException uhex) {
+				throw new UnknownHostException("Got exception "+uhex.getMessage());
+			}
+		} catch (IOException ie) {
+			ie.printStackTrace();
+		}
+	}
+
+	// GOOD - Tests nested try-blocks with catching all exceptions.
+	public void doTrace(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			try {
+				String ip = request.getParameter("srcIP");
+				InetAddress addr = null;
+				try {
+					addr = InetAddress.getByName(ip);
+
+					String userId = request.getRemoteUser();
+					Integer.parseInt(userId);  // Integer.parse(String) throws RuntimeException		
+				} catch (UnknownHostException uhex) {
+					throw new UnknownHostException("Got exception "+uhex.getMessage());
+				}
+			} catch (IOException ie) {
+				ie.printStackTrace();
+			}
+		} catch (RuntimeException re) {
+			re.printStackTrace();
+		}
+	}	
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-600/UncaughtServletException.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException2.java
@@ -0,0 +1,59 @@
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+
+class UncaughtServletException2 extends HttpServlet {
+	// BAD - Tests rethrowing caught exceptions with stack trace using `initCause(...)`
+	// Note this special case is not being handled by the query since in 99% of cases we're looking for `catch(Exception e) { ... throw e; }`
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			IOException ioException = new IOException();
+			ioException.initCause(uhex);
+			throw ioException;
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace using the same exception variable.
+	// Note this special case is not being handled by the query since in 99% of cases we're looking for `catch(Exception e) { ... throw e; }`
+	public void doHead(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			throw new IOException(uhex);
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace  using `addSuppressed(...)`.
+	// Note this special case is not being handled by the query since in 99% of cases we're looking for `catch(Exception e) { ... throw e; }`
+	public void doTrace(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			IOException ioException = new IOException();
+			ioException.addSuppressed(uhex);
+			throw ioException;
+		}
+	}
+
+	// BAD - Tests rethrowing caught exceptions with stack trace using `initCause(...)`
+	// Note this special case is not being handled by the query since in 99% of cases we're looking for `catch(Exception e) { ... throw e; }`
+	public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+		try {
+			String ip = request.getParameter("srcIP");
+			InetAddress addr = InetAddress.getByName(ip);
+		} catch (UnknownHostException uhex) {
+			IOException ioException = new IOException();
+			throw new IOException(ioException.initCause(uhex));
+		}
+	}
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/options b/java/ql/test/experimental/query-tests/security/CWE-600/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/web.xml b/java/ql/test/experimental/query-tests/security/CWE-600/web.xml
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/GenericServlet.java
diff --git a/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServlet.java b/java/ql/test/stubs/servlet-api-2.4/javax/servlet/http/HttpServlet.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+experimental/Security/CWE/CWE-600/UncaughtServletException.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4`