rspec/rules/S6547/java/rule.adoc

== Why is this an issue?

Environment variable tampering occurs in a web application when it retrieves
data like parameters or headers from an incoming HTTP request and uses it to define
the variables.

Depending on the controlled variable, an attacker could
man-in-the-middle network requests or, in rare cases, achieve code execution.


=== What is the potential impact?

An attacker defines sensitive environment variables and can reach
non-intended features or influence application execution flow. These environment
variables could be system defined or application-specific. 

Examples of CVEs that resulted from this vulnerability were CVE-2017-17562 and
CVE-2022-43781.

Below are some real-world scenarios that illustrate some impacts of an
attacker exploiting the vulnerability.

==== LD_PRELOAD: Hijacking library functions

An attacker can upload a shared object to the web server and defines the
LD_PRELOAD environment variable to ensure the shared object is loaded when an arbitrary
executable is run. In this malicious shared object, the attacker would overwrite a used
function in the arbitrary executable and achieve code execution.

==== HTTP_PROXY: Man-in-the-middle newtork requests

The web application runs an executable that respects the HTTP_PROXY
environment variable. An attacker manipulates it to point to a reverse proxy controlled by
him and thus can sniff any sensitive data shared in web requests.


// How to fix it section

include::how-to-fix-it/java-se.adoc[]

== Resources

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Change this code to prevent users from defining arbitrary environment variables.


=== Highlighting

Highlight `String[] envp` the 2nd positional argument of
`java.lang.Runtime#exec` calls.


'''
'''
endif::env-github,rspecator-view[]
Create rule S6547: Environment variables should not be defined from untrusted input (APPSEC-541) (#1685) Implementation ticket: [SONARSEC-3702](https://sonarsource.atlassian.net/browse/SONARSEC-3702) Specification ticket: [APPSEC-541](https://sonarsource.atlassian.net/browse/APPSEC-541) 2023-04-26 17:32:09 +02:00			`== Why is this an issue?`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Environment variable tampering occurs in a web application when it retrieves`
			`data like parameters or headers from an incoming HTTP request and uses it to define`
			`the variables.`

			`Depending on the controlled variable, an attacker could`
			`man-in-the-middle network requests or, in rare cases, achieve code execution.`


			`=== What is the potential impact?`

			`An attacker defines sensitive environment variables and can reach`
			`non-intended features or influence application execution flow. These environment`
			`variables could be system defined or application-specific.`

			`Examples of CVEs that resulted from this vulnerability were CVE-2017-17562 and`
			`CVE-2022-43781.`

			`Below are some real-world scenarios that illustrate some impacts of an`
			`attacker exploiting the vulnerability.`

			`==== LD_PRELOAD: Hijacking library functions`

			`An attacker can upload a shared object to the web server and defines the`
			`LD_PRELOAD environment variable to ensure the shared object is loaded when an arbitrary`
			`executable is run. In this malicious shared object, the attacker would overwrite a used`
			`function in the arbitrary executable and achieve code execution.`

			`==== HTTP_PROXY: Man-in-the-middle newtork requests`

			`The web application runs an executable that respects the HTTP_PROXY`
			`environment variable. An attacker manipulates it to point to a reverse proxy controlled by`
			`him and thus can sniff any sensitive data shared in web requests.`
Create rule S6547: Environment variables should not be defined from untrusted input (APPSEC-541) (#1685) Implementation ticket: [SONARSEC-3702](https://sonarsource.atlassian.net/browse/SONARSEC-3702) Specification ticket: [APPSEC-541](https://sonarsource.atlassian.net/browse/APPSEC-541) 2023-04-26 17:32:09 +02:00

			`// How to fix it section`

			`include::how-to-fix-it/java-se.adoc[]`

			`== Resources`

			`include::../common/resources/standards.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Change this code to prevent users from defining arbitrary environment variables.`


			`=== Highlighting`

			Highlight `String[] envp` the 2nd positional argument of
			`java.lang.Runtime#exec` calls.
Create rule S6547: Environment variables should not be defined from untrusted input (APPSEC-541) (#1685) Implementation ticket: [SONARSEC-3702](https://sonarsource.atlassian.net/browse/SONARSEC-3702) Specification ticket: [APPSEC-541](https://sonarsource.atlassian.net/browse/APPSEC-541) 2023-04-26 17:32:09 +02:00

			`'''`
			`'''`
			`endif::env-github,rspecator-view[]`