<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
MVEL is an expression language based on Java syntax,
which offers many features,
including invocation of methods available in the JVM.
If an MVEL expression is built using attacker-controlled data
and then evaluated, it may allow attackers to run arbitrary code.
</p>
</overview>
<recommendation>
<p>
Avoid including user input in an MVEL expression.
</p>
</recommendation>
<example>
<p>
In the following sample, the first example uses untrusted data to build a MVEL expression
and then runs it in the default context. In the second example, the untrusted data is
validated with a custom method that checks that the expression does not contain unexpected code
before evaluating it.
</p>
<sample src="MvelExpressionEvaluation.java" />
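<p>
The following is an added illustration of the two cases described above, not the query's own
<code>MvelExpressionEvaluation.java</code> sample: one method hands the untrusted string straight to
<code>MVEL.eval</code>, the other first checks that the expression is built only from numeric literals,
a fixed set of variable names, and arithmetic operators. It assumes <code>org.mvel2</code> is on the classpath;
the class, method and variable names are chosen for the example.
</p>

```java
// Added example, not the qhelp's own sample; assumes org.mvel2 is on the classpath.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.mvel2.MVEL;

public class MvelExpressionCheck {
    // Token grammar accepted from the user: integer literals, known variable names,
    // the operators + - * / and parentheses, separated by optional whitespace.
    private static final Pattern TOKEN = Pattern.compile("\\s*(\\d+|[A-Za-z_]\\w*|[-+*/()])");
    private static final Set<String> ALLOWED_VARS = Set.of("price", "quantity", "discount");

    // BAD: the untrusted string is evaluated as-is, so it can reference classes and invoke JVM methods.
    public static Object evaluateUnsafe(String untrusted, Map<String, Object> vars) {
        return MVEL.eval(untrusted, vars);
    }

    // GOOD: only expressions made entirely of the tokens above reach MVEL.
    public static Object evaluateChecked(String untrusted, Map<String, Object> vars) {
        if (!isSimpleArithmetic(untrusted)) {
            throw new IllegalArgumentException("expression contains unexpected code");
        }
        return MVEL.eval(untrusted, vars);
    }

    // Tokenises the whole string; any character outside the grammar (e.g. '.', '"', '[' or ';')
    // or any identifier that is not an allowed variable name rejects the expression.
    static boolean isSimpleArithmetic(String expr) {
        expr = expr.strip();
        if (expr.isEmpty()) return false;
        Matcher m = TOKEN.matcher(expr);
        int pos = 0;
        while (pos < expr.length()) {
            if (!m.find(pos) || m.start() != pos) return false; // gap or foreign character
            String tok = m.group(1);
            char first = tok.charAt(0);
            if ((Character.isLetter(first) || first == '_') && !ALLOWED_VARS.contains(tok)) {
                return false; // unknown identifier, e.g. a class name or keyword
            }
            pos = m.end();
        }
        return true;
    }

    public static void main(String[] args) {
        Map<String, Object> vars = new HashMap<>(); // constructed sample variables
        vars.put("price", 20);
        vars.put("quantity", 3);
        System.out.println(evaluateChecked("price * quantity", vars));
    }
}
```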
</example>
<references>
<li>
MVEL Documentation:
<a href="http://mvel.documentnode.com/">Language Guide for 2.0</a>.
</li>
<li>
OWASP:
<a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
</li>
</references>
</qhelp>