
Commit 3d9ac0d

committed
Add query for enterprise beans
1 parent e916ce8 commit 3d9ac0d

25 files changed

+2181
-3
lines changed
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
/**
2+
* @name Main Method in Enterprise Java Bean
3+
* @description Jave EE applications with a main method.
4+
* @kind problem
5+
* @id java/main-method-in-enterprise-bean
6+
* @tags security
7+
* external/cwe-489
8+
*/
9+
10+
import java
11+
import semmle.code.java.J2EE
12+
13+
/** The `main` method in an Enterprise Java Bean. */
14+
class EnterpriseBeanMainMethod extends Method {
15+
EnterpriseBeanMainMethod() {
16+
this.getDeclaringType() instanceof EnterpriseBean and
17+
this.hasName("main") and
18+
this.isStatic() and
19+
this.getReturnType() instanceof VoidType and
20+
this.isPublic() and
21+
this.getNumberOfParameters() = 1 and
22+
this.getParameter(0).getType() instanceof Array and
23+
not this.getDeclaringType().getName().toLowerCase().matches("%test%") and // Simple check to exclude test classes to reduce FPs
24+
not this.getDeclaringType().getPackage().getName().toLowerCase().matches("%test%") and // Simple check to exclude classes in test packages to reduce FPs
25+
not exists(this.getLocation().getFile().getAbsolutePath().indexOf("/src/test/java")) // Match test directory structure of build tools like maven
26+
}
27+
}
28+
29+
from EnterpriseBeanMainMethod sm
30+
select sm, "Java EE application has a main method."
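Review bot: The `@description` on line 3 misspells the platform name (`Jave EE`); it should read `* @description Java EE applications with a main method.`, and the message on line 30 could name the component the query actually matches, e.g. `select sm, "Enterprise Java Bean has a main method."`. The `%test%` substring exclusions on lines 23–24 also suppress production types and packages that merely contain the letters "test" (a `ContestBean`, an `attestation` package), so a `main` method there is silently missed; relying on the path-based check on line 25, or matching `test` only as a whole name or package segment, would keep the false-positive reduction without that blind spot. The `/src/test/java` check presumably only matches forward-slash paths, so results may differ for databases extracted on Windows — worth confirming how the extractor normalizes `getAbsolutePath()`. As a point of style, the metadata block has `@kind problem` but no `@problem.severity`; if the neighbouring ServletMain query declares one, this query should match it.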

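--- a/java/ql/src/experimental/Security/CWE/CWE-489/ServletMain.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/ServletMain.qhelp
@@ -2,11 +2,11 @@
 <qhelp>
 
 <overview>
-<p>Debug code can create unintended entry points in a deployed web application therefore should never make into production. There is no reason to have a main method in a web application. Having a main method in a web application increases the attack surface that an attacker can exploit to attack the application logic.</p>
+<p>Debug code can create unintended entry points in a deployed Java EE web application therefore should never make into production. There is no reason to have a main method in a Java EE web application. Having a main method in the Java EE application increases the attack surface that an attacker can exploit to attack the application logic.</p>
 </overview>
 
 <recommendation>
-<p>Remove the main method from web components including servlets, filters and listeners.</p>
+<p>Remove the main method from web components including servlets, filters, and listeners, as well as enterprise beans.</p>
 </recommendation>
 
 <example>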
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| ServiceBean.java:55:24:55:27 | main | Java EE application has a main method. |
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
import javax.ejb.SessionBean;
2+
import javax.ejb.EJBException;
3+
import java.rmi.RemoteException;
4+
import javax.ejb.SessionContext;
5+
import javax.naming.Context;
6+
import javax.naming.InitialContext;
7+
8+
public class ServiceBean implements SessionBean {
9+
10+
protected SessionContext ctx;
11+
12+
private String _serviceName;
13+
14+
/**
15+
* Create the session bean (empty implementation)
16+
*/
17+
public void ejbCreate() throws javax.ejb.CreateException {
18+
System.out.println("ServiceBean:ejbCreate()");
19+
}
20+
21+
public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
22+
}
23+
24+
public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
25+
}
26+
27+
public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
28+
}
29+
30+
public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
31+
}
32+
33+
/**
34+
* Get service name
35+
* @return service name
36+
*/
37+
public String getServiceName() {
38+
return _serviceName;
39+
}
40+
41+
/**
42+
* Set service name
43+
* @param serviceName the service name
44+
*/
45+
public void setServiceName(String serviceName) {
46+
_serviceName = serviceName;
47+
}
48+
49+
/** Do service (no implementation) */
50+
public String doService() {
51+
return null;
52+
}
53+
54+
/** Local unit testing code */
55+
public static void main(String[] args) throws Exception {
56+
ServiceBean b = new ServiceBean();
57+
b.doService();
58+
}
59+
}
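Review bot: Four of the imports at the top of ServiceBean.java are unused or redundant: `Context` and `InitialContext` are never referenced, and `EJBException`/`RemoteException` are imported but then spelled fully qualified in every throws clause (lines 21–30), so either the imports or the qualifications should go. The field `_serviceName` on line 12 uses a leading-underscore prefix that nothing else in the fixture uses; `serviceName` would match the accessor names on lines 37 and 45. As this is a test fixture exercising the new query, neither change affects what the query reports.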
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
experimental/Security/CWE/CWE-489/EJBMain.ql
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
1+
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/ejb-3.2
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
/*
2+
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3+
*
4+
* Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
5+
*
6+
* The contents of this file are subject to the terms of either the GNU
7+
* General Public License Version 2 only ("GPL") or the Common Development
8+
* and Distribution License("CDDL") (collectively, the "License"). You
9+
* may not use this file except in compliance with the License. You can
10+
* obtain a copy of the License at
11+
* https://oss.oracle.com/licenses/CDDL+GPL-1.1
12+
* or LICENSE.txt. See the License for the specific
13+
* language governing permissions and limitations under the License.
14+
*
15+
* When distributing the software, include this License Header Notice in each
16+
* file and include the License file at LICENSE.txt.
17+
*
18+
* GPL Classpath Exception:
19+
* Oracle designates this particular file as subject to the "Classpath"
20+
* exception as provided by Oracle in the GPL Version 2 section of the License
21+
* file that accompanied this code.
22+
*
23+
* Modifications:
24+
* If applicable, add the following below the License Header, with the fields
25+
* enclosed by brackets [] replaced by your own identifying information:
26+
* "Portions Copyright [year] [name of copyright owner]"
27+
*
28+
* Contributor(s):
29+
* If you wish your version of this file to be governed by only the CDDL or
30+
* only the GPL Version 2, indicate your decision by adding "[Contributor]
31+
* elects to include this software in this distribution under the [CDDL or GPL
32+
* Version 2] license." If you don't indicate a single choice of license, a
33+
* recipient has the option to distribute your version of this file under
34+
* either the CDDL, the GPL Version 2 or to extend the choice of license to
35+
* its licensees as provided above. However, if you add GPL Version 2 code
36+
* and therefore, elected the GPL Version 2 license, then the option applies
37+
* only if the new code is made subject to such option by the copyright
38+
* holder.
39+
*/
40+
41+
package javax.ejb;
42+
43+
/**
44+
* The CreateException exception must be included in the throws clauses of
45+
* all create methods defined in an enterprise bean's home or local home
46+
* interface.
47+
*
48+
* <p> This exception is used as a standard application-level exception to
49+
* report a failure to create an EJB object or local object.
50+
*
51+
* @since EJB 1.0
52+
*/
53+
public class CreateException extends java.lang.Exception {
54+
55+
private static final long serialVersionUID = 6295951740865457514L;
56+
57+
/**
58+
* Constructs a CreateException with no detail message.
59+
*/
60+
public CreateException() {
61+
}
62+
63+
/**
64+
* Constructs a CreateException with the specified
65+
* detail message.
66+
*/
67+
public CreateException(String message) {
68+
super(message);
69+
}
70+
}
71+
Lines changed: 133 additions & 0 deletions
@@ -0,0 +1,133 @@
1+
/*
2+
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3+
*
4+
* Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
5+
*
6+
* The contents of this file are subject to the terms of either the GNU
7+
* General Public License Version 2 only ("GPL") or the Common Development
8+
* and Distribution License("CDDL") (collectively, the "License"). You
9+
* may not use this file except in compliance with the License. You can
10+
* obtain a copy of the License at
11+
* https://oss.oracle.com/licenses/CDDL+GPL-1.1
12+
* or LICENSE.txt. See the License for the specific
13+
* language governing permissions and limitations under the License.
14+
*
15+
* When distributing the software, include this License Header Notice in each
16+
* file and include the License file at LICENSE.txt.
17+
*
18+
* GPL Classpath Exception:
19+
* Oracle designates this particular file as subject to the "Classpath"
20+
* exception as provided by Oracle in the GPL Version 2 section of the License
21+
* file that accompanied this code.
22+
*
23+
* Modifications:
24+
* If applicable, add the following below the License Header, with the fields
25+
* enclosed by brackets [] replaced by your own identifying information:
26+
* "Portions Copyright [year] [name of copyright owner]"
27+
*
28+
* Contributor(s):
29+
* If you wish your version of this file to be governed by only the CDDL or
30+
* only the GPL Version 2, indicate your decision by adding "[Contributor]
31+
* elects to include this software in this distribution under the [CDDL or GPL
32+
* Version 2] license." If you don't indicate a single choice of license, a
33+
* recipient has the option to distribute your version of this file under
34+
* either the CDDL, the GPL Version 2 or to extend the choice of license to
35+
* its licensees as provided above. However, if you add GPL Version 2 code
36+
* and therefore, elected the GPL Version 2 license, then the option applies
37+
* only if the new code is made subject to such option by the copyright
38+
* holder.
39+
*/
40+
41+
package javax.ejb;
42+
43+
import java.lang.annotation.Target;
44+
import static java.lang.annotation.ElementType.*;
45+
import java.lang.annotation.Retention;
46+
import static java.lang.annotation.RetentionPolicy.*;
47+
48+
/**
49+
* Indicates a dependency on the local, no-interface, or remote view of an Enterprise
50+
* JavaBean.
51+
* <p>
52+
* Either the <code>beanName</code> or the <code>lookup</code> element can
53+
* be used to resolve the EJB dependency to its target session bean component.
54+
* It is an error to specify values for both <code>beanName</code> and
55+
* <code>lookup</code>.
56+
* <p>
57+
* If no explicit linking information is provided and there is only one session
58+
* bean within the same application that exposes the matching client view type,
59+
* by default the EJB dependency resolves to that session bean.
60+
*
61+
* @since EJB 3.0
62+
*/
63+
64+
@Target({TYPE, METHOD, FIELD})
65+
@Retention(RUNTIME)
66+
public @interface EJB {
67+
68+
/**
69+
* The logical name of the ejb reference within the declaring component's
70+
* (e.g., java:comp/env) environment.
71+
*/
72+
String name() default "";
73+
74+
/**
75+
* A string describing the bean.
76+
*/
77+
String description() default "";
78+
79+
/**
80+
* The <code>beanName</code> element references the value of the <code>name</code>
81+
* element of the <code>Stateful</code> or <code>Stateless</code> annotation,
82+
* whether defaulted or explicit. If the deployment descriptor was used to define
83+
* the name of the bean, the <code>beanName</code> element references the
84+
* <code>ejb-name</code> element of the bean definition.
85+
* <p>
86+
* The <code>beanName</code> element allows disambiguation if multiple session
87+
* beans in the ejb-jar implement the same interface.
88+
* <p>
89+
* In order to reference a bean in another ejb-jar file in the same application,
90+
* the <code>beanName</code> may be composed of a path name specifying the ejb-jar
91+
* containing the referenced bean with the bean name of the target bean appended and
92+
* separated from the path name by &#35;. The path name is relative to the jar file
93+
* containing the component that is referencing the target bean.
94+
* <p>
95+
* Only applicable if the target EJB is defined within the
96+
* same application or stand-alone module as the declaring component.
97+
*/
98+
String beanName() default "";
99+
100+
/**
101+
* The interface type of the Enterprise Java Bean to which this reference
102+
* is mapped.
103+
* <p>
104+
* Holds one of the following types of the target EJB :
105+
* <ul>
106+
* <li> Local business interface
107+
* <li> Bean class (for no-interface view)
108+
* <li> Remote business interface
109+
* <li> Local Home interface
110+
* <li> Remote Home interface
111+
* </ul>
112+
*/
113+
Class beanInterface() default Object.class;
114+
115+
/**
116+
* The product specific name of the EJB component to which this
117+
* ejb reference should be mapped. This mapped name is often a
118+
* global JNDI name, but may be a name of any form.
119+
* <p>
120+
* Application servers are not required to support any particular
121+
* form or type of mapped name, nor the ability to use mapped names.
122+
* The mapped name is product-dependent and often installation-dependent.
123+
* No use of a mapped name is portable.
124+
*/
125+
String mappedName() default "";
126+
127+
/**
128+
* A portable lookup string containing the JNDI name for the target EJB component.
129+
*
130+
* @since EJB 3.1
131+
*/
132+
String lookup() default "";
133+
}
