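├── CVE-2022-22965
    └── spring-rce.ql
├── LICENSE
└── README.md


/CVE-2022-22965/spring-rce.ql:
--------------------------------------------------------------------------------
/**
 * @name Spring Remote Code Execution (Spring4Shell)
 * @description Detects Spring calls that pass unsafe Plain-Old-Java-Objects (POJOs) in vulnerable versions
 * @problem.severity error
 * @precision high
 * @id java/spring-remote-code-execution
 * @tags security
 *       external/cwe/cwe-94
 *       CVE-2022-22965
 *
 * Lead Author: Alvaro Munoz (@pwntester)
 * Co-Author: Jorge (@jorgectf)
 * Co-Author: Keith Hoodlet (@securingdev)
 *
 */

import java
import semmle.code.java.frameworks.spring.SpringController

/**
 * Holds if `fileVersion` is on the same `major.minor` release line as
 * `packageVersion` and its patch number is strictly lower, i.e. the jar
 * predates the fixed release `packageVersion`.
 *
 * The earlier form negated a condition that required `index in [0 .. 1]` and
 * `index = 2` at the same time. That condition can never hold, so the negation
 * always did, and any jar with a numeric version component was reported as
 * vulnerable, including jars already at or above the fixed release.
 *
 * Limitations:
 * - Only the first three dot-separated components are compared.
 * - A component that `toInt()` cannot parse (presumably e.g. `17-SNAPSHOT`)
 *   yields no match, so such jars are silently skipped - verify those by hand.
 * - Release lines other than the one named by `packageVersion` never match, so
 *   older, unsupported lines are not covered by this predicate.
 */
bindingset[fileVersion, packageVersion]
predicate hasLowerVersion(string fileVersion, string packageVersion) {
  // Same major and minor: compare only against the fix for this release line.
  fileVersion.splitAt(".", 0).toInt() = packageVersion.splitAt(".", 0).toInt() and
  fileVersion.splitAt(".", 1).toInt() = packageVersion.splitAt(".", 1).toInt() and
  // Patch level below the first fixed patch release.
  fileVersion.splitAt(".", 2).toInt() < packageVersion.splitAt(".", 2).toInt()
}

// Inspired by Paulino Calderon's Log4J CodeQL Query
// https://github.com/cldrn/codeql-queries/blob/master/log4j-injection.ql
/**
 * Holds if `file` is a jar whose base name contains one of the listed Spring
 * artifact names and whose implementation version is below the fixed release
 * paired with that artifact group.
 *
 * A jar that reports no implementation version cannot match, so a clean result
 * is not proof that no vulnerable Spring jar is present.
 */
predicate vulnSpringJarFile(JarFile file) {
  exists(string package, string version |
    file.getBaseName().matches("%" + package + "%") and
    hasLowerVersion(file.getImplementationVersion(), version)
  |
    // Spring Framework artifacts: fixed releases per release line.
    version in ["5.2.20", "5.3.18"] and
    package in ["spring-beans", "spring-core", "spring-webflux", "spring-webmvc"]
    or
    // Spring Boot starter: fixed releases per release line.
    version in ["2.5.12", "2.6.6"] and package = "spring-boot-starter-web"
  )
}

// NOTE(review): `vulnSpringJarFile(_)` is a database-wide gate. It is not tied
// to `m`, so one outdated jar anywhere in the database makes every matching
// handler method a result. Treat results as triage candidates.
// NOTE(review): the header declares no `@kind`, so this runs as a plain table
// query with columns (method, mapping value, message). Alert-style output
// would need `@kind problem` and a select of the form (element, message).
// The query checks neither the runtime JDK nor the deployment model; the
// message below leaves the JDK check to the reader.
from SpringRequestMappingMethod m, Annotation a
where
  vulnSpringJarFile(_) and
  m.getAParameter().getType() instanceof SpringUntrustedDataType and
  m.getAnAnnotation() = a and
  a.getType() instanceof SpringRequestMappingAnnotationType
select m, a.getValue("value"),
  "Vulnerable use of Spring versions for CVE-2022-22965; Check if Java version >= 9 to confirm exploitability."

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Keith Hoodlet

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# codeql
Custom / Experimental CodeQL queries
--------------------------------------------------------------------------------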