From 2977e3c6a36b486f9a0cbdec6760478abaa2e715 Mon Sep 17 00:00:00 2001
From: Wilian Gabriel
Date: Tue, 15 Mar 2022 10:57:45 -0300
Subject: [PATCH] java:feature - Add Rule for CVE-2022-21724

This Commit refer the issue #995

Signed-off-by: Wilian Gabriel
---
 .../services/engines/java/rule_manager.go | 1 +
 internal/services/engines/java/rules.go | 20 ++
 internal/services/engines/java/rules_test.go | 110 ++++++++
 internal/services/engines/java/sample_test.go | 260 ++++++++++++++++++
 internal/services/engines/rules_test.go | 2 +-
 internal/utils/testutil/rules_test_generic.go | 3 +
 6 files changed, 395 insertions(+), 1 deletion(-)

diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
index 5f845542a..6c95fcd4d 100644
--- a/internal/services/engines/java/rule_manager.go
+++ b/internal/services/engines/java/rule_manager.go
@@ -187,6 +187,7 @@ func Rules() []engine.Rule {
 		NewLDAPDeserializationNotDisabled(),
 		NewDatabasesPasswordNotProtected(),
 		NewVulnerableRemoteCodeInjectionApacheLog4j(),
+		NewUncheckedClassInstatiation(),
 	}
 	return append(java, jvm.Rules()...)
 }
diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
index 8973642b2..4814df5b2 100644
--- a/internal/services/engines/java/rules.go
+++ b/internal/services/engines/java/rules.go
@@ -2614,3 +2614,23 @@ func NewVulnerableRemoteCodeInjectionApacheLog4j() *text.Rule {
 		},
 	}
 }
+
+func NewUncheckedClassInstatiation() *text.Rule {
+	return &text.Rule{
+		Metadata: engine.Metadata{
+			ID: "HS-JAVA-151",
+			Name: "Unchecked Class Instantiation when providing Plugin Classes",
+			Description: `CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. The first impacted version is REL9.4.1208 (it introduced socketFactory connection property) until 42.3.1. Please update to fixed versions ^42.2.25 or ^42.3.2. For more information checkout the CVE-2022-21724 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724) advisory.`,
+			Severity: severities.High.ToString(),
+			Confidence: confidence.Low.ToString(),
+		},
+		Type: text.OrMatch,
+		Expressions: []*regexp.Regexp{
+			regexp.MustCompile(`compile.*group:.*org\.postgresql.*name:.*postgresql.*version:.*(('|")(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*)))('|"))`),
+			regexp.MustCompile(`compile.*postgresql.*(:postgresql:\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*)))).*('|")`),
+			regexp.MustCompile(`\s*org\.postgresql\s*\s*.*\s*postgresql.*\s*\s*(\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*))))\s*`),
+			regexp.MustCompile(``),
+			regexp.MustCompile(`<(postgre|postgres|postgresql)\.version>\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*))).*`),
+		},
+	}
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
index 4bda232ef..afcc2f465 100644
--- a/internal/services/engines/java/rules_test.go
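Review bot: The fourth entry of Expressions is `regexp.MustCompile(``)` as rendered here; under text.OrMatch an empty pattern matches every input, so the rule would report every file it is run against — if the Ivy pattern's XML tags were merely stripped in rendering this is moot, otherwise the pattern needs its content or should be dropped. Separately, the `([0-9])` alternative in the 42.2.x branch has no trailing boundary, so in the fifth expression (which is followed by `.*`) a fixed `<postgresql.version>42.2.25` still matches as the prefix `42.2.2`; tightening it to `([0-9](?:[^0-9]|$))` in each expression keeps the fixed release out. The constructor name `NewUncheckedClassInstatiation` drops the second n of "Instantiation", and since rule_manager.go and rules_test.go in this same commit are its only callers, renaming now is cheaper than later. A short comment above the func stating which build-file form each of the five patterns targets would help the next person who has to adjust a version range.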
+++ b/internal/services/engines/java/rules_test.go 
@@ -643,6 +643,86 @@ func TestRulesVulnerableCode(t *testing.T) { }, }, }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: SampleMavenVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "org.postgresql", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + Line: 10, + Column: 12, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample2GradleVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.2", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "compile group: 'org.postgresql', name: 'postgresql', version: '42.3.0'", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.2", ".test")), + Line: 15, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample3GradleVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.3", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "compile 'org.postgresql:postgresql:40.1.1'", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.3", ".test")), + Line: 22, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample4IvyVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.4", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.4", ".test")), + Line: 14, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample5MavenVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", 
"HS-JAVA-151.5", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "42.3.1", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.5", ".test")), + Line: 16, + Column: 8, + }, + }, + }, + }, } testutil.TestVulnerableCode(t, testcases) @@ -897,6 +977,36 @@ func TestRulesSafeCode(t *testing.T) { Src: Sample5MavenSafeHSJAVA150, Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-150", ".test")), }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: SampleMavenSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample2GradleSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample3GradleSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample4IvySafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample5MavenSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, } testutil.TestSafeCode(t, testcases) } diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/sample_test.go index d220ed2c0..2b6005ab3 100644 --- a/internal/services/engines/java/sample_test.go +++ b/internal/services/engines/java/sample_test.go 
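Review bot: The safe cases never exercise the fixed-version boundary in the `<postgresql.version>` property form: Sample5MavenSafeHSJAVA151 uses 42.3.2, and the only 42.2.25 fixture is the Maven `<version>` form in SampleMavenSafeHSJAVA151, so a pattern that matches `42.2.2` as a prefix of `42.2.25` would still pass this suite. Adding a safe case with `<postgresql.version>42.2.25</postgresql.version>` and a vulnerable case at 42.2.24 in each form would pin the boundary the rule description promises. The five safe cases in the second hunk all write to the same `HS-JAVA-151.test` path while the vulnerable cases use the `.2`–`.5` suffixes; matching suffixes keep the two lists symmetric and avoid reusing one temp file across cases. The Ivy expectation `CodeSample: ""` is empty as rendered — presumably the XML line was stripped, but worth confirming the committed value is not actually empty.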
@@ -1184,5 +1184,265 @@ test { +` + + SampleMavenVulnerableHSJAVA151 = ` + + + 4.0.0 + PostgresUncheckedClassExample + PostgresUncheckedClassExample + 0.0.1-SNAPSHOT + + + org.postgresql + postgresql + 42.1.0 + + + +` + + SampleMavenSafeHSJAVA151 = ` + + + 4.0.0 + PostgresUncheckedClassExample + PostgresUncheckedClassExample + 0.0.1-SNAPSHOT + + + org.postgresql + postgresql + 42.2.25 + + + +` + + Sample2GradleVulnerableHSJAVA151 = ` +group 'com.lamarjs' +version '1.0-SNAPSHOT' + +apply plugin: 'java' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile group: 'org.postgresql', name: 'postgresql', version: '42.3.0' + + testCompile group: 'junit', name: 'junit', version: '4.12' +} + +` + + Sample2GradleSafeHSJAVA151 = ` +group 'com.lamarjs' +version '1.0-SNAPSHOT' + +apply plugin: 'java' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile group: 'org.postgresql', name: 'postgresql', version: '42.3.2' + + testCompile group: 'junit', name: 'junit', version: '4.12' +} +` + + Sample3GradleVulnerableHSJAVA151 = ` +plugins { + id 'java' +} + +group 'com.epam.rp' +version '1.0-SNAPSHOT' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile 'org.seleniumhq.selenium:selenium-server:3.141.59' + + compile 'org.testng:testng:6.13.1' + compile 'com.epam.reportportal:agent-java-testng:4.2.3' + + compile 'org.postgresql:postgresql:40.1.1' +} + + +test { + useTestNG() { + useDefaultListeners = true + suites 'suites/amazon_test.xml' + } +} +` + + Sample3GradleSafeHSJAVA151 = ` +plugins { + id 'java' +} + +group 'com.epam.rp' +version '1.0-SNAPSHOT' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile 'org.seleniumhq.selenium:selenium-server:3.141.59' + + compile 'org.testng:testng:6.13.1' + compile 'com.epam.reportportal:agent-java-testng:4.2.3' + + + compile 'org.postgresql:postgresql:42.3.2' +} + + +test { + 
useTestNG() { + useDefaultListeners = true + suites 'suites/amazon_test.xml + } +} +` + + Sample4IvyVulnerableHSJAVA151 = ` + + + + + + + + + + + + + + + + + + + + + + +` + + Sample4IvySafeHSJAVA151 = ` + + + + + + + + + + + + + + + + + + + + + + +` + + Sample5MavenVulnerableHSJAVA151 = ` + + 4.0.0 + + com.example.postgresql + postgresql-examples + 1.0-SNAPSHOT + jar + + postgresql-examples + http://maven.apache.org + + + UTF-8 + 42.3.1 + + + + + org.postgresql + postgresql + ${postgresql.version} + + + junit + junit + 3.8.1 + test + + + +` + + Sample5MavenSafeHSJAVA151 = ` + + 4.0.0 + + com.example.postgresql + postgresql-examples + 1.0-SNAPSHOT + jar + + postgresql-examples + http://maven.apache.org + + + UTF-8 + 42.3.2 + + + + + org.postgresql + postgresql + ${postgresql.version} + + + junit + junit + 3.8.1 + test + + + ` ) diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go index 6ed4fd941..7f3c2341d 100644 --- a/internal/services/engines/rules_test.go +++ b/internal/services/engines/rules_test.go @@ -67,7 +67,7 @@ func TestGetRules(t *testing.T) { { engine: "Java", manager: java.NewRules(), - expectedTotalRules: 181, + expectedTotalRules: 182, }, { engine: "Dart", diff --git a/internal/utils/testutil/rules_test_generic.go b/internal/utils/testutil/rules_test_generic.go index 32c186e9d..f769a0af7 100644 --- a/internal/utils/testutil/rules_test_generic.go +++ b/internal/utils/testutil/rules_test_generic.go @@ -27,6 +27,9 @@ import ( func TestVulnerableCode(t *testing.T, testcases []*RuleTestCase) { for _, tt := range testcases { t.Run(tt.Name, func(t *testing.T) { + if tt.Name == "HS-JAVA-151" { + print("iai man") + } findings := executeRule(t, tt) assert.Len(t, findings, len(tt.Findings), "Expected equal issues on vulnerable code") assert.Equal(t, tt.Name, tt.Rule.ID, "Test case rule name is not match with rule id")
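Review bot: Sample3GradleSafeHSJAVA151 has `suites 'suites/amazon_test.xml` with no closing quote, while its vulnerable twin reads `suites 'suites/amazon_test.xml'`; the raw string compiles either way, but the safe fixture is then not a valid Gradle script and the pair no longer differs only in the postgresql version. Restoring the quote keeps the safe/vulnerable fixtures a minimal pair. Sample4IvyVulnerableHSJAVA151 and Sample4IvySafeHSJAVA151 show no content here — presumably the XML was stripped in rendering, but it is worth a glance that the committed strings carry the Ivy dependency lines the rule is meant to match. The hunk continues a const block whose opening is outside the hunk.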
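Review bot: The three lines added to TestVulnerableCode are leftover debugging: `if tt.Name == "HS-JAVA-151" { print("iai man") }` hard-codes one rule's ID into the shared harness and writes to stderr through the builtin print. They should be removed before merge; the generic helper must not know about individual rules. If per-case tracing is wanted, `t.Logf` inside the subtest (shown only with -v or on failure) is the idiomatic route and needs no rule-specific condition.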