forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathEjbReflection.ql
More file actions
32 lines (28 loc) · 1.31 KB
/
EjbReflection.ql
File metadata and controls
32 lines (28 loc) · 1.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
* @name EJB uses reflection
* @description An EJB should not attempt to use the Reflection API,
* as this could compromise security.
* @kind problem
* @problem.severity error
* @precision low
* @id java/ejb/reflection
* @tags external/cwe/cwe-573
*/
import java
import semmle.code.java.frameworks.javaee.ejb.EJB
import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
/*
JSR 220: Enterprise JavaBeansTM,Version 3.0
EJB Core Contracts and Requirements
Section 21.1.2 Programming Restrictions
- The enterprise bean must not attempt to query a class to obtain information about the declared
members that are not otherwise accessible to the enterprise bean because of the security rules
of the Java language. The enterprise bean must not attempt to use the Reflection API to access
information that the security rules of the Java programming language make unavailable.
Allowing the enterprise bean to access information about other classes and to access the classes in a
manner that is normally disallowed by the Java programming language could compromise security.
*/
from Callable origin, ForbiddenReflectionCallable target, Call call
where ejbCalls(origin, target, call)
select origin, "EJB should not use reflection by calling $@.",
call, target.getDeclaringType().getName() + "." + target.getName()