JAVA : Add query to detect Apache Structs enabled DEvmode

This query detects cases where the development mode is enabled for a
struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.

Author: Porcupiney Hairs

java/ql/src/experimental/Security/CWE/CWE-489/StrutsBad.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="true" />
+    <constant name="struts.i18n.encoding" value="utf-8" />
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/StrutsGood.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="false" />
+    <constant name="struts.i18n.encoding" value="utf-8"></constant>
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/devMode.qhelp

@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Turning Apache Struts' development mode configuration on while deploying applications to production environments can lead to remote code execution.</p>
+
+</overview>
+<recommendation>
+
+<p>An application should disable the development mode at the time of deployment.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows a `struts.xml` file with `struts.devmode` enabled.</p>
+
+<sample src="strutsBad.xml" />
+
+<p>This can be easily corrected by setting the value of the `struts.devmode` parameter to false.</p>
+
+<sample src="structGood.xml" />
+
+</example>
+<references>
+
+<li>
+  Apache Struts:
+  <a href="https://struts.apache.org/core-developers/development-mode.html">Struts development mode configuration</a>
+</li>
+
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Apache Struts development mode enabled
+ * @description Enabling struts development mode in production environment
+ *  can lead to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/struts-development-mode
+ * @tags security
+ *       external/cwe/cwe-489
+ */
+
+import java
+import experimental.semmle.code.xml.StrutsXML
+
+bindingset[path]
+predicate isLikelyDemoProject(string path) { path.regexpMatch("(?i).*(demo|test|example).*") }
+
+from ConstantParameter c
+where
+  c.getNameValue() = "struts.devMode" and
+  c.getValueValue() = "true" and
+  not isLikelyDemoProject(c.getFile().getRelativePath())
+select c, "Enabling development mode in production environments is dangerous"

java/ql/src/experimental/semmle/code/xml/StrutsXML.qll

@@ -0,0 +1,41 @@
+import java
+
+/**
+ * A deployment descriptor file, typically called `struts.xml`.
+ */
+class StrutsXMLFile extends XMLFile {
+  StrutsXMLFile() {
+    count(XMLElement e | e = this.getAChild()) = 1 and
+    this.getAChild().getName() = "struts"
+  }
+}
+
+/**
+ * An XML element in a `StrutsXMLFile`.
+ */
+class StrutsXMLElement extends XMLElement {
+  StrutsXMLElement() { this.getFile() instanceof StrutsXMLFile }
+
+  /**
+   * Gets the value for this element, with leading and trailing whitespace trimmed.
+   */
+  string getValue() { result = allCharactersString().trim() }
+}
+
+/**
+ * A `<constant>` element in a `StrutsXMLFile`.
+ */
+class ConstantParameter extends StrutsXMLElement {
+  ConstantParameter() { this.getName() = "constant" }
+
+  /**
+   * Gets the value of the `name` attribute of this `<constant>`.
+   */
+  string getNameValue() { result = getAttributeValue("name") }
+
+  /**
+   * Gets the value of the `value` attribute of this `<constant>`.
+   */
+  string getValueValue() { result = getAttributeValue("value") }
+
+}

java/ql/test/experimental/query-tests/security/CWE-489/StrutsBad.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="true" />
+    <constant name="struts.i18n.encoding" value="utf-8"></constant>
+    <include file="login.xml" />
+</struts>

java/ql/test/experimental/query-tests/security/CWE-489/StrutsGood.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="false" />
+    <constant name="struts.i18n.encoding" value="utf-8"></constant>
+    <include file="login.xml" />
+</struts>

java/ql/test/experimental/query-tests/security/CWE-489/devMode.expected

@@ -0,0 +1 @@
+| StrutsBad.xml:8:5:8:52 | constant | Enabling development mode in production environments is dangerous |

java/ql/test/experimental/query-tests/security/CWE-489/devMode.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-489/devMode.ql