From 6e052fb84436c5ab3da9521ec6012f4123a6d92b Mon Sep 17 00:00:00 2001 From: Wilian Gabriel Date: Thu, 17 Mar 2022 10:16:42 -0300 Subject: [PATCH] java:feature - Add Rule for CVE-2022-21724 (#1033) This Commit refer the issue #995 Signed-off-by: Wilian Gabriel (cherry picked from commit 5efcc7ae1583ffe0bd3767608c0225bcf1237b62) --- .../services/engines/java/rule_manager.go | 1 + internal/services/engines/java/rules.go | 20 ++ internal/services/engines/java/rules_test.go | 110 ++++++++ internal/services/engines/java/sample_test.go | 260 ++++++++++++++++++ internal/services/engines/rules_test.go | 2 +- 5 files changed, 392 insertions(+), 1 deletion(-)
diff --git a/internal/services/engines/java/rule_manager.go b/internal/services/engines/java/rule_manager.go
index 5f845542a..6c95fcd4d 100644
--- a/internal/services/engines/java/rule_manager.go
+++ b/internal/services/engines/java/rule_manager.go
@@ -187,6 +187,7 @@ func Rules() []engine.Rule {
 NewLDAPDeserializationNotDisabled(),
 NewDatabasesPasswordNotProtected(),
 NewVulnerableRemoteCodeInjectionApacheLog4j(),
+ NewUncheckedClassInstatiation(),
 }
 return append(java, jvm.Rules()...)
 }
diff --git a/internal/services/engines/java/rules.go b/internal/services/engines/java/rules.go
index 8973642b2..4814df5b2 100644
--- a/internal/services/engines/java/rules.go
+++ b/internal/services/engines/java/rules.go 
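Review bot: The constructor registered on the added line, `NewUncheckedClassInstatiation()`, misspells "Instantiation", while the rule's own Name field in the rules.go hunk spells it correctly, so the exported identifier will not be found by anyone grepping for the rule title. Renaming it to `NewUncheckedClassInstantiation` here, at its definition in the rules.go hunk and at the call sites in both rules_test.go hunks keeps the API consistent with the metadata. It is cosmetic, but the name is exported and gets harder to change once other packages reference it.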
@@ -2614,3 +2614,23 @@ func NewVulnerableRemoteCodeInjectionApacheLog4j() *text.Rule {
 },
 }
 }
+
+func NewUncheckedClassInstatiation() *text.Rule {
+ return &text.Rule{
+ Metadata: engine.Metadata{
+ ID: "HS-JAVA-151",
+ Name: "Unchecked Class Instantiation when providing Plugin Classes",
+ Description: `CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. The first impacted version is REL9.4.1208 (it introduced socketFactory connection property) until 42.3.1. Please update to fixed versions ^42.2.25 or ^42.3.2. For more information checkout the CVE-2022-21724 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724) advisory.`,
+ Severity: severities.High.ToString(),
+ Confidence: confidence.Low.ToString(),
+ },
+ Type: text.OrMatch,
+ Expressions: []*regexp.Regexp{
+ regexp.MustCompile(`compile.*group:.*org\.postgresql.*name:.*postgresql.*version:.*(('|")(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*)))('|"))`),
+ regexp.MustCompile(`compile.*postgresql.*(:postgresql:\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*)))).*('|")`),
+ regexp.MustCompile(`\s*org\.postgresql\s*\s*.*\s*postgresql.*\s*\s*(\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*))))\s*`),
+ regexp.MustCompile(``),
+ regexp.MustCompile(`<(postgre|postgres|postgresql)\.version>\s*(([1-3]?[0-9]?)\..*\..*|(4[0-2]\.(([0-2]\.(([0-9])|([0-1][0-9].*)|(2[0-4])))|(3\.[0-1]).*))).*`),
+ },
+ }
+}
diff --git a/internal/services/engines/java/rules_test.go b/internal/services/engines/java/rules_test.go
index 4bda232ef..afcc2f465 100644
--- a/internal/services/engines/java/rules_test.go 
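Review bot: The version alternation in the second and fifth expressions is left open on the right, so 42.2.25, the fixed release the Description itself recommends, is reported as vulnerable: `42.2.2` matches through `[0-2]\.([0-9])` and the `.*` that follows the group swallows the trailing `5` before the closing quote or tag. Go's regexp has no lookahead, but `\b` is supported, so ending the version group on a word boundary closes the gap: in the second expression change the tail `)))).*('|")` to `))))\b.*('|")`, and in the fifth change `(3\.[0-1]).*))).*` to `(3\.[0-1]).*)))\b.*`; the existing vulnerable samples (40.1.1, 42.3.0, 42.3.1) still match because a digit followed by a quote or `<` is a boundary. A safe sample at 42.2.25 in both the Gradle shorthand and the `<postgresql.version>` property form would pin that behaviour, since the current safe fixtures only use 42.2.25 in the `<version>` element form. Separately, the fourth expression renders here as `regexp.MustCompile(``)`; if that is not a rendering artefact, an empty pattern matches every file under `text.OrMatch`, so please confirm the committed pattern is non-empty. The leading `([1-3]?[0-9]?)\.` branch also accepts any major below 40 and even a bare leading dot, which is far wider than the REL9.4.1208 lower bound the Description states and is worth a comment explaining the intent.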
+++ b/internal/services/engines/java/rules_test.go 
@@ -643,6 +643,86 @@ func TestRulesVulnerableCode(t *testing.T) { }, }, }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: SampleMavenVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "org.postgresql", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + Line: 10, + Column: 12, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample2GradleVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.2", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "compile group: 'org.postgresql', name: 'postgresql', version: '42.3.0'", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.2", ".test")), + Line: 15, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample3GradleVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.3", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "compile 'org.postgresql:postgresql:40.1.1'", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.3", ".test")), + Line: 22, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample4IvyVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.4", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.4", ".test")), + Line: 14, + Column: 4, + }, + }, + }, + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample5MavenVulnerableHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", 
"HS-JAVA-151.5", ".test")), + Findings: []engine.Finding{ + { + CodeSample: "42.3.1", + SourceLocation: engine.Location{ + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151.5", ".test")), + Line: 16, + Column: 8, + }, + }, + }, + }, } testutil.TestVulnerableCode(t, testcases) @@ -897,6 +977,36 @@ func TestRulesSafeCode(t *testing.T) { Src: Sample5MavenSafeHSJAVA150, Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-150", ".test")), }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: SampleMavenSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample2GradleSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample3GradleSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample4IvySafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, + { + Name: "HS-JAVA-151", + Rule: NewUncheckedClassInstatiation(), + Src: Sample5MavenSafeHSJAVA151, + Filename: filepath.Join(tempDir, fmt.Sprintf("%s%s", "HS-JAVA-151", ".test")), + }, } testutil.TestSafeCode(t, testcases) } diff --git a/internal/services/engines/java/sample_test.go b/internal/services/engines/java/sample_test.go index d220ed2c0..2b6005ab3 100644 --- a/internal/services/engines/java/sample_test.go +++ b/internal/services/engines/java/sample_test.go 
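Review bot: All five safe cases added to TestRulesSafeCode use the same `Filename` (`"HS-JAVA-151"` + `".test"`), whereas the vulnerable cases in the first hunk are given distinct `.2`–`.5` suffixes; if testutil materialises `Src` at that path, the later samples overwrite the earlier ones, so mirroring the suffixes here keeps the fixtures isolated and the two tables parallel. The safe table also never exercises the 42.2.25 boundary that the rule's Description names as fixed, except in the `<version>` element form; a Gradle-shorthand and a `<postgresql.version>` property sample at 42.2.25 would guard the version regexes against over-matching there. In the vulnerable table the HS-JAVA-151.4 (Ivy) case expects `CodeSample: ""`, which as rendered here asserts nothing about the matched text — if the real value is an XML tag lost in rendering, disregard; otherwise the finding should carry the coordinate that matched, as the other four cases do. Both enclosing test functions start outside these hunks.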
@@ -1184,5 +1184,265 @@ test { +` + + SampleMavenVulnerableHSJAVA151 = ` + + + 4.0.0 + PostgresUncheckedClassExample + PostgresUncheckedClassExample + 0.0.1-SNAPSHOT + + + org.postgresql + postgresql + 42.1.0 + + + +` + + SampleMavenSafeHSJAVA151 = ` + + + 4.0.0 + PostgresUncheckedClassExample + PostgresUncheckedClassExample + 0.0.1-SNAPSHOT + + + org.postgresql + postgresql + 42.2.25 + + + +` + + Sample2GradleVulnerableHSJAVA151 = ` +group 'com.lamarjs' +version '1.0-SNAPSHOT' + +apply plugin: 'java' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile group: 'org.postgresql', name: 'postgresql', version: '42.3.0' + + testCompile group: 'junit', name: 'junit', version: '4.12' +} + +` + + Sample2GradleSafeHSJAVA151 = ` +group 'com.lamarjs' +version '1.0-SNAPSHOT' + +apply plugin: 'java' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile group: 'org.postgresql', name: 'postgresql', version: '42.3.2' + + testCompile group: 'junit', name: 'junit', version: '4.12' +} +` + + Sample3GradleVulnerableHSJAVA151 = ` +plugins { + id 'java' +} + +group 'com.epam.rp' +version '1.0-SNAPSHOT' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile 'org.seleniumhq.selenium:selenium-server:3.141.59' + + compile 'org.testng:testng:6.13.1' + compile 'com.epam.reportportal:agent-java-testng:4.2.3' + + compile 'org.postgresql:postgresql:40.1.1' +} + + +test { + useTestNG() { + useDefaultListeners = true + suites 'suites/amazon_test.xml' + } +} +` + + Sample3GradleSafeHSJAVA151 = ` +plugins { + id 'java' +} + +group 'com.epam.rp' +version '1.0-SNAPSHOT' + +sourceCompatibility = 1.8 + +repositories { + mavenCentral() +} + +dependencies { + + compile 'org.seleniumhq.selenium:selenium-server:3.141.59' + + compile 'org.testng:testng:6.13.1' + compile 'com.epam.reportportal:agent-java-testng:4.2.3' + + + compile 'org.postgresql:postgresql:42.3.2' +} + + +test { + 
useTestNG() { + useDefaultListeners = true + suites 'suites/amazon_test.xml + } +} +` + + Sample4IvyVulnerableHSJAVA151 = ` + + + + + + + + + + + + + + + + + + + + + + +` + + Sample4IvySafeHSJAVA151 = ` + + + + + + + + + + + + + + + + + + + + + + +` + + Sample5MavenVulnerableHSJAVA151 = ` + + 4.0.0 + + com.example.postgresql + postgresql-examples + 1.0-SNAPSHOT + jar + + postgresql-examples + http://maven.apache.org + + + UTF-8 + 42.3.1 + + + + + org.postgresql + postgresql + ${postgresql.version} + + + junit + junit + 3.8.1 + test + + + +` + + Sample5MavenSafeHSJAVA151 = ` + + 4.0.0 + + com.example.postgresql + postgresql-examples + 1.0-SNAPSHOT + jar + + postgresql-examples + http://maven.apache.org + + + UTF-8 + 42.3.2 + + + + + org.postgresql + postgresql + ${postgresql.version} + + + junit + junit + 3.8.1 + test + + + ` ) diff --git a/internal/services/engines/rules_test.go b/internal/services/engines/rules_test.go index 6ed4fd941..7f3c2341d 100644 --- a/internal/services/engines/rules_test.go +++ b/internal/services/engines/rules_test.go @@ -67,7 +67,7 @@ func TestGetRules(t *testing.T) { { engine: "Java", manager: java.NewRules(), - expectedTotalRules: 181, + expectedTotalRules: 182, }, { engine: "Dart",
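Review bot: In `Sample3GradleSafeHSJAVA151` the line `suites 'suites/amazon_test.xml` is missing its closing quote, unlike its vulnerable twin `suites 'suites/amazon_test.xml'`; the rule is regex-based so the test still passes, but the safe and vulnerable fixtures should differ only in the postgresql coordinate so that a reader can diff them to see what the rule keys on. The same safe sample also carries an extra blank line before `compile 'org.postgresql:postgresql:42.3.2'` that the vulnerable version does not have. The enclosing const block begins before this hunk.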