CodeQL documentation

Expression language injection (MVEL)

ID: java/mvel-expression-injection
Kind: path-problem
Security severity: 9.3
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-094
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls


MVEL is an expression language based on Java syntax that offers many features, including invocation of methods available in the JVM. If an MVEL expression is built from attacker-controlled data and then evaluated, it may allow attackers to run arbitrary code.

Recommendation

Including user input in a MVEL expression should be avoided.

Example

In the following sample, the first example uses untrusted data to build a MVEL expression and then runs it in the default context. In the second example, the untrusted data is validated with a custom method that checks that the expression does not contain unexpected code before evaluating it.

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.net.Socket;

    import org.mvel2.MVEL;

    public class MvelInjection {

        public void evaluate(Socket socket) throws IOException {
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(socket.getInputStream()))) {
                String expression = reader.readLine();
                // BAD: the user-provided expression is directly evaluated
                MVEL.eval(expression);
            }
        }

        public void safeEvaluate(Socket socket) throws IOException {
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(socket.getInputStream()))) {
                String expression = reader.readLine();
                // GOOD: the user-provided expression is validated before evaluation
                validateExpression(expression);
                MVEL.eval(expression);
            }
        }

        private void validateExpression(String expression) {
            // Validate that the expression does not contain unexpected code.
            // For instance, this can be done with allow-lists or deny-lists of code patterns.
        }
    }
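The page leaves validateExpression as a stub. The following is an added example, not code from the CodeQL page or from the MVEL project, showing two ways to keep untrusted input out of the evaluated expression. The preferred form compiles a fixed, developer-written expression once and passes user-supplied values only through the variable map, so they are data rather than code. The fallback, for the case where the expression text itself must come from the user, is an allow-list validator that accepts only integer literals, a fixed set of variable names, arithmetic operators and parentheses, so member access, method calls, string literals, `new` and `import` are rejected before MVEL.eval is reached. It assumes the mvel2 library (org.mvel2.MVEL) is on the classpath and Java 11 or later; the class name, rule text and variable names are the example's own.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.mvel2.MVEL;

// Added example (not from the CodeQL page or the MVEL project).
// Assumes the mvel2 library is on the classpath.
public class SafeMvelEvaluation {

    // Preferred: the expression text is a constant written by the developer and
    // compiled once. Untrusted values only ever enter through the variable map.
    private static final Serializable DISCOUNT_RULE = MVEL.compileExpression(
            "quantity >= 10 ? price * quantity * 0.9 : price * quantity");

    public static double totalPrice(int quantity, double price) {
        Map<String, Object> vars = new HashMap<>();
        vars.put("quantity", quantity); // untrusted values are data, not code
        vars.put("price", price);
        return ((Number) MVEL.executeExpression(DISCOUNT_RULE, vars)).doubleValue();
    }

    // Fallback when the expression itself must come from the user: a strict allow-list.
    // The accepted grammar is integer literals, known variable names, the operators
    // + - * / %, parentheses and whitespace. Anything else (a '.', a quote, a
    // keyword such as new or import, an unknown identifier) is rejected.
    private static final Pattern TOKEN =
            Pattern.compile("\\d+|[a-zA-Z_][a-zA-Z0-9_]*|[-+*/%()]");
    private static final Set<String> ALLOWED_NAMES = Set.of("quantity", "price");
    private static final int MAX_LENGTH = 200;

    public static void validateExpression(String expression) {
        if (expression == null || expression.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("expression missing or too long");
        }
        Matcher m = TOKEN.matcher(expression);
        int pos = 0;
        while (pos < expression.length()) {
            char c = expression.charAt(pos);
            if (Character.isWhitespace(c)) {
                pos++;
                continue;
            }
            // Each token must start exactly at the current position; a gap means
            // a character outside the allow-list.
            if (!m.find(pos) || m.start() != pos) {
                throw new IllegalArgumentException("unexpected character at offset " + pos);
            }
            String tok = m.group();
            if (Character.isLetter(tok.charAt(0)) || tok.charAt(0) == '_') {
                if (!ALLOWED_NAMES.contains(tok)) {
                    throw new IllegalArgumentException("unknown identifier: " + tok);
                }
            }
            pos = m.end();
        }
    }

    // Only expressions that pass the allow-list are handed to MVEL.
    public static Object evaluateUserArithmetic(String expression, Map<String, Object> vars) {
        validateExpression(expression);
        return MVEL.eval(expression, vars);
    }

    public static void main(String[] args) {
        System.out.println(totalPrice(12, 2.5));

        Map<String, Object> vars = Map.<String, Object>of("quantity", 3, "price", 4);
        System.out.println(evaluateUserArithmetic("(quantity + 1) * price", vars));

        try {
            // Constructed input: member access is not in the grammar, so it is
            // rejected by the validator and never evaluated.
            evaluateUserArithmetic("quantity.toString()", vars);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validator is written as a token loop rather than a single catch-all regular expression so that the accepted grammar is explicit and easy to audit; a deny-list of dangerous substrings is harder to reason about because every MVEL feature left unlisted stays reachable. Where the business logic allows it, the parameterized form (totalPrice) is the stronger fix, since no user-controlled text is ever parsed as an expression.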

References