Java Spring Eval Untrusted Input
Description
Detects potentially dangerous use of the Java ScriptEngine (javax.script) eval() functionality with untrusted input. Evaluating user-controlled data as script without proper validation creates a code injection risk: through the engine's Java interop, an attacker can execute arbitrary Java code in the host process.
Detection Strategy
• Check if code imports javax.script.ScriptEngine or javax.script packages
• Look for eval() method calls that accept parameters
• Determine if the input parameters to eval() come from untrusted sources like user input
• Report a vulnerability if eval() is called with data that hasn't been properly validated or sanitized
Vulnerable code example
```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class CodeInjectionExample {
    public void processUserInput(String userInput) throws ScriptException {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName("JavaScript");
        // Sink: the untrusted string is evaluated as script with no validation
        engine.eval(userInput);
    }
}
```
✅ Secure code example
```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.SimpleScriptContext;
import javax.script.ScriptContext;
import java.util.regex.Pattern;

public class CodeInjectionExample {
    // Pattern to validate allowed mathematical expressions...
```
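The page's secure example is cut off before its validation pattern. The following is an added example (not Fluid Attacks' code) of the same approach carried through: an allowlist regex that admits only arithmetic characters, so no identifier can reach eval(), plus a fresh ScriptContext with empty bindings as defense in depth. The class name, the exact pattern and the length limit are assumptions.

```java
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.script.SimpleScriptContext;
import java.util.regex.Pattern;

public class SafeExpressionEvaluator {
    // Assumed allowlist: digits, arithmetic operators, parentheses, decimal point, spaces.
    // No letters are admitted, so identifiers (Java interop, globals) never reach eval().
    private static final Pattern ALLOWED = Pattern.compile("^[0-9+\\-*/(). ]{1,64}$");

    private final ScriptEngine engine;

    public SafeExpressionEvaluator() {
        ScriptEngine e = new ScriptEngineManager().getEngineByName("JavaScript");
        if (e == null) {
            // Nashorn was removed in JDK 15; fail closed instead of a later NPE.
            throw new IllegalStateException("No JavaScript engine available");
        }
        this.engine = e;
    }

    public Object evaluate(String untrusted) throws ScriptException {
        if (untrusted == null || !ALLOWED.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("Expression rejected by allowlist");
        }
        // Fresh context with empty engine-scope bindings: nothing from the host
        // application is visible to the script even if the allowlist is loosened.
        ScriptContext ctx = new SimpleScriptContext();
        ctx.setBindings(engine.createBindings(), ScriptContext.ENGINE_SCOPE);
        return engine.eval(untrusted, ctx);
    }

    public static void main(String[] args) throws ScriptException {
        SafeExpressionEvaluator ev = new SafeExpressionEvaluator();
        System.out.println(ev.evaluate("(2 + 3) * 4"));
        try {
            ev.evaluate("1 + Math.PI"); // contains an identifier: rejected before eval()
        } catch (IllegalArgumentException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }
    }
}
```

The allowlist is the control that removes the injection; the restricted context only limits what a script could reach if validation were ever weakened, so it should not be relied on alone.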