[Java] JShell Injection

[haby0]

Query

Link to pull request with your CodeQL query:

Relevant PR: github/codeql#5955

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

The Java Shell tool (JShell) is an interactive tool for learning the Java programming language and prototyping Java code. JShell is a Read-Evaluate-Print Loop (REPL), which evaluates declarations, statements, and expressions as they are entered and immediately shows the results. If an expression is built using attacker-controlled data and then evaluated, it may allow the attacker to run arbitrary code.

• Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

deepjavalibrary/djl-demo: source -> sink

[intrigus-lgtm]

Can you provide one result that is found by your query?

[haby0]

Can you provide one result that is found by your query?

https://github.com/deepjavalibrary/djl-demo

[haby0]

Can you provide one result that is found by your query?

You are securitylab team do?

[intrigus-lgtm]

Can you provide one result that is found by your query?

You are securitylab team do?

No, I'm not affiliated with the securitylab.

[haby0]

Can you provide one result that is found by your query?

You are securitylab team do?

No, I'm not affiliated with the securitylab.

Oh oh, I thought you were from securitylab.
You can take a look at this repository.
source -> sink

[antonio-morales]

Hi @haby0 !!

I need a more detailed description of this vulnerability in order to meet the submission criteria

[haby0]

Hi @haby0 !!

I need a more detailed description of this vulnerability in order to meet the submission criteria

@antonio-morales Please review again, thank you!!

[anticomputer]

@haby0 hello, I am currently on call for bounty review, thank you for updating the description. I am evaluating relevant scope, were you able to determine use of JShell in any contexts beyond the provided demo example?

[haby0]

@anticomputer Thank you for your review, you can take a look at these:

https://github.com/SpencerPark/IJava/blob/a03ad7712a5e8c893bbffc527efd66ae9aae0207/src/main/java/io/github/spencerpark/ijava/execution/CodeEvaluator.java#L76

https://github.com/runelite/runelite/blob/master/runelite-jshell/src/main/java/net/runelite/jshell/ShellPanel.java#L314

https://github.com/kawasima/enkan/blob/06a28bc9952e902b3d0478192592576b6b129d1e/enkan-repl-jshell/src/main/java/enkan/system/repl/JShellRepl.java#L42

[anticomputer]

Thank you for providing additional examples @haby0, I'll move this forward in the evaluation process accordingly.

[ghsecuritylab]

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > FP Check > CodeQL review > SecLab finalize > Pay > Closed

[haby0]

Thank you for providing additional examples @haby0, I'll move this forward in the evaluation process accordingly.

Thank you.

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed