New Rule : Seam Logger usage could lead to remote code execution

[ThrawnCA]

The Seam framework accepts expression language in its log statements, so concatenating strings to pass to the logger is a very bad idea.

https://issues.jboss.org/browse/JBSEAM-5130

Is it easy enough to add a detector for this?

[h3xstream]

You can take the Script Injection Detector as example : https://github.com/h3xstream/find-sec-bugs/tree/master/plugin/src/main/java/com/h3xstream/findsecbugs/injection/script

[h3xstream]

@ThrawnCA Do you have a reference or code sample of how expression look like?

[ThrawnCA]

I'm no expert, but there are some samples at https://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185

It looks like JBoss expression language is an extension of standard J2EE expression language (https://docs.oracle.com/javaee/6/tutorial/doc/gjddd.html). Essentially, the expressions that we'd be concerned about use #{variable.method()} syntax (it's also possible to use #0 #1 #2, but that seems harmless).

[h3xstream]

@ThrawnCA Thanks

I notice at the same time that the Interpolator class should also be flagged. Interpolator.instance().interpolate( (String) object, params );
https://github.com/seam2/jboss-seam/blob/f3077fee9d04b2b3545628cd9e6b58c859feb988/jboss-seam/src/main/java/org/jboss/seam/log/LogImpl.java#L140