forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathEjbContainerInterference.ql
More file actions
37 lines (33 loc) · 1.56 KB
/
EjbContainerInterference.ql
File metadata and controls
37 lines (33 loc) · 1.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/**
* @name EJB interferes with container operation
* @description An EJB should not attempt to create a class loader,
* obtain the current class loader, set the context class loader,
* set a security manager, create a new security manager,
* stop the JVM, or change the input, output or error streams.
* Such operations could interfere with the EJB container's operation.
* @kind problem
* @problem.severity error
* @precision low
* @id java/ejb/container-interference
* @tags reliability
* external/cwe/cwe-578
* external/cwe/cwe-382
*/
import java
import semmle.code.java.frameworks.javaee.ejb.EJB
import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
/*
JSR 220: Enterprise JavaBeansTM,Version 3.0
EJB Core Contracts and Requirements
Section 21.1.2 Programming Restrictions
- The enterprise bean must not attempt to create a class loader; obtain the current class loader;
set the context class loader; set security manager; create a new security manager; stop the
JVM; or change the input, output, and error streams.
These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions
could compromise security and decrease the container's ability to properly manage the runtime envi-
ronment.
*/
from Callable origin, ForbiddenContainerInterferenceCallable target, Call call
where ejbCalls(origin, target, call)
select origin, "EJB should not interfere with its container's operation by calling $@.",
call, target.getDeclaringType().getName() + "." + target.getName()