Add query for enterprise beans

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Main Method in Enterprise Java Bean
+ * @description Jave EE applications with a main method.
+ * @kind problem
+ * @id java/main-method-in-enterprise-bean
+ * @tags security
+ *       external/cwe-489
+ */
+
+import java
+import semmle.code.java.J2EE
+
+/** The `main` method in an Enterprise Java Bean. */
+class EnterpriseBeanMainMethod extends Method {
+  EnterpriseBeanMainMethod() {
+    this.getDeclaringType() instanceof EnterpriseBean and
+    this.hasName("main") and
+    this.isStatic() and
+    this.getReturnType() instanceof VoidType and
+    this.isPublic() and
+    this.getNumberOfParameters() = 1 and
+    this.getParameter(0).getType() instanceof Array and
+    not this.getDeclaringType().getName().toLowerCase().matches("%test%") and // Simple check to exclude test classes to reduce FPs
+    not this.getDeclaringType().getPackage().getName().toLowerCase().matches("%test%") and // Simple check to exclude classes in test packages to reduce FPs
+    not exists(this.getLocation().getFile().getAbsolutePath().indexOf("/src/test/java")) //  Match test directory structure of build tools like maven
+  }
+}
+
+from EnterpriseBeanMainMethod sm
+select sm, "Java EE application has a main method."

java/ql/src/experimental/Security/CWE/CWE-489/ServletMain.qhelp

@@ -2,11 +2,11 @@
 <qhelp>
 
   <overview>
-    <p>Debug code can create unintended entry points in a deployed web application therefore should never make into production. There is no reason to have a main method in a web application. Having a main method in a web application increases the attack surface that an attacker can exploit to attack the application logic.</p>
+    <p>Debug code can create unintended entry points in a deployed Java EE web application therefore should never make into production. There is no reason to have a main method in a Java EE web application. Having a main method in the Java EE application increases the attack surface that an attacker can exploit to attack the application logic.</p>
   </overview>
 
   <recommendation>
-    <p>Remove the main method from web components including servlets, filters and listeners.</p>
+    <p>Remove the main method from web components including servlets, filters, and listeners, as well as enterprise beans.</p>
   </recommendation>
 
   <example>

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.expected

@@ -0,0 +1 @@
+| ServiceBean.java:55:24:55:27 | main | Java EE application has a main method. |

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java

@@ -0,0 +1,59 @@
+import javax.ejb.SessionBean;
+import javax.ejb.EJBException;
+import java.rmi.RemoteException;
+import javax.ejb.SessionContext;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+public class ServiceBean implements SessionBean {
+
+    protected SessionContext ctx;
+
+    private String _serviceName;
+
+    /**
+     * Create the session bean (empty implementation)
+     */
+    public void ejbCreate() throws javax.ejb.CreateException {
+        System.out.println("ServiceBean:ejbCreate()");
+    }
+
+    public void ejbActivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbPassivate() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void ejbRemove() throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    public void setSessionContext(SessionContext parm1) throws javax.ejb.EJBException, java.rmi.RemoteException {
+    }
+
+    /**
+     * Get service name
+     * @return service name
+     */
+    public String getServiceName() {
+        return _serviceName;
+    }
+
+    /**
+     * Set service name
+     * @param serviceName the service name
+     */
+    public void setServiceName(String serviceName) {
+        _serviceName = serviceName;
+    }
+
+    /** Do service (no implementation) */
+    public String doService() {
+        return null;
+    }
+
+    /** Local unit testing code */
+    public static void main(String[] args) throws Exception {
+        ServiceBean b = new ServiceBean();
+        b.doService();
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/EJBMain.ql

java/ql/test/experimental/query-tests/security/CWE-489/options

@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/ejb-3.2

java/ql/test/stubs/ejb-3.2/javax/ejb/CreateException.java

@@ -0,0 +1,71 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.ejb;
+
+/**
+ * The CreateException exception must be included in the throws clauses of
+ * all create methods defined in an enterprise bean's home or local home
+ * interface. 
+ *
+ * <p> This exception is used as a standard application-level exception to
+ * report a failure to create an EJB object or local object.
+ *
+ * @since EJB 1.0
+ */
+public class CreateException extends java.lang.Exception {
+
+    private static final long serialVersionUID = 6295951740865457514L;
+
+    /**
+     * Constructs a CreateException with no detail message.
+     */  
+    public CreateException() {
+    }
+
+    /**
+     * Constructs a CreateException with the specified
+     * detail message.
+     */  
+    public CreateException(String message) {
+        super(message);
+    }
+}
+

java/ql/test/stubs/ejb-3.2/javax/ejb/EJB.java

@@ -0,0 +1,133 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 1997-2018 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.ejb;
+
+import java.lang.annotation.Target;
+import static java.lang.annotation.ElementType.*;
+import java.lang.annotation.Retention;
+import static java.lang.annotation.RetentionPolicy.*;
+
+/**
+ * Indicates a dependency on the local, no-interface, or remote view of an Enterprise
+ * JavaBean.
+ * <p>
+ * Either the <code>beanName</code> or the <code>lookup</code> element can 
+ * be used to resolve the EJB dependency to its target session bean component.  
+ * It is an error to specify values for both <code>beanName</code> and 
+ * <code>lookup</code>.
+ * <p>
+ * If no explicit linking information is provided and there is only one session
+ * bean within the same application that exposes the matching client view type,
+ * by default the EJB dependency resolves to that session bean.
+ *
+ * @since EJB 3.0
+ */
+
+@Target({TYPE, METHOD, FIELD})
+@Retention(RUNTIME)
+public @interface EJB {
+
+    /**
+     * The logical name of the ejb reference within the declaring component's
+     * (e.g., java:comp/env) environment.
+     */
+    String name() default "";
+
+    /**
+     * A string describing the bean.
+     */
+    String description() default "";
+
+    /**
+     * The <code>beanName</code> element references the value of the <code>name</code> 
+     * element of the <code>Stateful</code> or <code>Stateless</code> annotation, 
+     * whether defaulted or explicit. If the deployment descriptor was used to define 
+     * the name of the bean, the <code>beanName</code> element references the 
+     * <code>ejb-name</code> element of the bean definition.
+     * <p>
+     * The <code>beanName</code> element allows disambiguation if multiple session 
+     * beans in the ejb-jar implement the same interface. 
+     * <p>
+     * In order to reference a bean in another ejb-jar file in the same application, 
+     * the <code>beanName</code> may be composed of a path name specifying the ejb-jar 
+     * containing the referenced bean with the bean name of the target bean appended and 
+     * separated from the path name by &#35;. The path name is relative to the jar file 
+     * containing the component that is referencing the target bean.
+     * <p>
+     * Only applicable if the target EJB is defined within the 
+     * same application or stand-alone module as the declaring component.
+     */
+    String beanName() default "";
+
+    /**
+     * The interface type of the Enterprise Java Bean to which this reference
+     * is mapped.
+     * <p>
+     * Holds one of the following types of the target EJB :
+     * <ul>
+     * <li> Local business interface
+     * <li> Bean class (for no-interface view)
+     * <li> Remote business interface
+     * <li> Local Home interface
+     * <li> Remote Home interface
+     * </ul>
+     */
+    Class beanInterface() default Object.class;
+
+    /**
+     * The product specific name of the EJB component to which this
+     * ejb reference should be mapped.  This mapped name is often a
+     * global JNDI name, but may be a name of any form. 
+     * <p>
+     * Application servers are not required to support any particular 
+     * form or type of mapped name, nor the ability to use mapped names. 
+     * The mapped name is product-dependent and often installation-dependent. 
+     * No use of a mapped name is portable. 
+     */ 
+    String mappedName() default "";
+
+    /**
+     * A portable lookup string containing the JNDI name for the target EJB component. 
+     *
+     * @since EJB 3.1
+     */ 
+    String lookup() default "";
+}