Kotlin Code Injection User Input
Description
Detects Kotlin code injection vulnerabilities where untrusted input is passed to script evaluation functions. This occurs when user-controlled data is executed as Kotlin code through the eval() function, which could allow attackers to run arbitrary code on the system.
Detection Strategy
• Check if any imports from javax.script package are present in the code
• Look for method calls to an .eval() function on such an engine
• Verify that the first argument passed to eval() comes from an untrusted source such as user input
• Check that this input is not properly sanitized or validated before being used in eval()
• Report a vulnerability if all above conditions are met, as this represents potential code injection
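The strategy above, written out as a small line-based checker, is an added example and not Fluid Attacks' own scanner code. It assumes hypothetical names for untrusted sources (getUserInput(), readLine(), getParameter(), args[...]) and treats any helper whose name contains "sanitize", "validate", "allowlist" or "escape" as a sanitizer; both lists are assumptions a real rule would replace with its own knowledge base. The two Kotlin snippets are constructed inputs that mirror the vulnerable and secure examples below: one concatenates user input into the evaluated script, the other keeps the script static and hands the value over through bindings.

```python
"""Heuristic detector: javax.script import + .eval() whose first argument is
tainted by an untrusted source and reaches eval() without a sanitizer."""
import re
from dataclasses import dataclass

# Assumed (hypothetical) source and sanitizer names; a real rule loads its own lists.
UNTRUSTED_SOURCES = ("getUserInput(", "readLine(", "readln(", "getParameter(", "args[")
SANITIZER_HINTS = ("sanitize", "validate", "allowlist", "escape")

_IMPORT = re.compile(r"^\s*import\s+javax\.script\.", re.MULTILINE)
_DECL = re.compile(r"\b(?:val|var)\s+(\w+)\s*(?::\s*[\w<>?]+)?\s*=\s*(.+)")
_EVAL = re.compile(r"\.eval\s*\(\s*([^,)]+)")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the offending .eval() call
    argument: str  # first argument expression handed to eval()


def _mentions(expr: str, names: set) -> bool:
    """True if expr references any of the given variable names as a whole word."""
    return any(re.search(rf"\b{re.escape(n)}\b", expr) for n in names)


def _is_sanitized(expr: str) -> bool:
    return any(hint in expr for hint in SANITIZER_HINTS)


def tainted_variables(lines):
    """Collect variables assigned from an untrusted source, or built from one
    (concatenation / string template), with no sanitizer on the path."""
    tainted = set()
    for line in lines:
        m = _DECL.search(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        from_source = any(src in rhs for src in UNTRUSTED_SOURCES)
        if (from_source or _mentions(rhs, tainted)) and not _is_sanitized(rhs):
            tainted.add(name)
    return tainted


def find_code_injection(kotlin_source: str):
    """Apply the detection strategy step by step and return the findings."""
    # Step 1: without a javax.script import there is no script engine to worry about.
    if not _IMPORT.search(kotlin_source):
        return []
    lines = kotlin_source.splitlines()
    tainted = tainted_variables(lines)
    findings = []
    for number, line in enumerate(lines, start=1):
        m = _EVAL.search(line)          # Step 2: a call to .eval(
        if not m:
            continue
        first_arg = m.group(1).strip()  # Step 3: what gets evaluated?
        direct = any(src in first_arg for src in UNTRUSTED_SOURCES)
        # Steps 4 and 5: report only when the argument is tainted and unsanitized.
        if (direct or _mentions(first_arg, tainted)) and not _is_sanitized(first_arg):
            findings.append(Finding(number, first_arg))
    return findings


# Constructed sample inputs, not taken from any real project.
VULNERABLE_KT = """\
import javax.script.ScriptEngineManager

fun main() {
    val scriptEngine = ScriptEngineManager().getEngineByName("nashorn")
    val userScript = getUserInput()
    val wrapped = "print(" + userScript + ")"
    scriptEngine.eval(wrapped)
}
"""

SECURE_KT = """\
import javax.script.ScriptEngineManager
import javax.script.SimpleBindings

fun main() {
    val scriptEngine = ScriptEngineManager().getEngineByName("nashorn")
    val safeScriptTemplate = "'Processing input: ' + userValue"
    val bindings = SimpleBindings()
    bindings["userValue"] = getUserInput()
    scriptEngine.eval(safeScriptTemplate, bindings)
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_KT), ("secure", SECURE_KT)):
        print(label, find_code_injection(src))
```

The checker flags the vulnerable sample at the eval() call (line 7, argument wrapped) because wrapped is derived from userScript, which came from getUserInput(); the secure sample produces no finding because the first argument is a literal template and the user value only enters through the bindings object, which is data rather than code. The taint tracking is deliberately line-local and intra-function: it follows val/var assignments in source order and does not handle reassignment, cross-function flow or values smuggled through collections, so it should be read as an illustration of the rule's logic, not a complete analysis.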
Vulnerable code example
import javax.script.ScriptEngineManager
fun main() {
val scriptEngine = ScriptEngineManager().getEngineByName("nashorn")
// VULNERABLE: User input is directly executed by the script engine
val userScript = getUserInput() // Simulated untrusted input source
...
✅ Secure code example
import javax.script.ScriptEngineManager
fun main() {
val scriptEngine = ScriptEngineManager().getEngineByName("nashorn")
// SECURE: Define a static script template that processes data safely
val safeScriptTemplate = "'Processing input: ' + userValue"
...