ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify rule S5147: Adding a how to fix section for Spring Data Redis (APPSEC-1565) (#3870)

Browse Source
This commit is contained in:
gaetan-ferry-sonarsource 2024-04-18 16:09:08 +02:00 committed by GitHub
parent 846d6c7568
commit 173a43b3dd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/header_names/allowed_framework_names.adoc
View File

@ -28,6 +28,7 @@
* JSP * JSP
* Servlet * Servlet
* Spring * Spring
* Spring Data Redis
* Thymeleaf * Thymeleaf
* Java SE * Java SE
* Java EE * Java EE

59
rules/S5147/java/how-to-fix-it/spring-data-redis.adoc Normal file
View File

@ -0,0 +1,59 @@
== How to fix it in Spring Data Redis
=== Code examples
The following code is vulnerable to NoSQL injections because untrusted data is
concatenated to a Redis script. Such a script is used to perform advanced
queries on a Redis instance so that an injection in it might result in the
compromise of the Redis instance.
==== Noncompliant code example
[source,java,diff-id=2,diff-type=noncompliant]
----
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.script.RedisScript;
@RestController
@RequestMapping(path = "/redis")
public class RedisController {
@Autowired RedisTemplate<String, Object> redisTemplate;
@GetMapping("/template/redisscript/echo/{echo}")
public String templateRedisScriptCompliant(@PathVariable String echo) {
String script = "return " + echo + ";";
Object result = redisTemplate.execute(RedisScript.of(script, Object.class), new ArrayList<String>()); // Noncompliant
return result.toString();
}
}
----
==== Compliant solution
[source,java,diff-id=2,diff-type=compliant]
----
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.core.script.RedisScript;
@RestController
@RequestMapping(path = "/redis")
public class RedisController {
@Autowired RedisTemplate<String, Object> redisTemplate;
@GetMapping("/template/redisscript/echo/{echo}")
public String templateRedisScriptCompliant(@PathVariable String echo) {
String script = "return ARGV[1];";
Object result = redisTemplate.execute(RedisScript.of(script, Object.class), new ArrayList<String>(), echo);
return result.toString();
}
}
----
=== How does this work?
Here, the compliant solution passes the untrusted data as a parameter to the
Redis script. This ensures the data will be treated as a single value and will
not tamper with the script semantics.

2
rules/S5147/java/rule.adoc
View File

@ -6,6 +6,8 @@ include::../impact.adoc[]
include::how-to-fix-it/mongo-java-driver.adoc[] include::how-to-fix-it/mongo-java-driver.adoc[]
include::how-to-fix-it/spring-data-redis.adoc[]
== Resources == Resources
include::../common/resources/articles.adoc[] include::../common/resources/articles.adoc[]