Recipe Name:
Input Validation: Avoid Expression Language Injection: Do not evaluate expressions controlled by user input (javax)
Description:
Could lead to Expression Language Injection
Level:
error
Language:
- java
Tags:
- expression language
- security
- injection
- OWASP Top 10
Documentation
Secure coding practice is to avoid building expression language (EL) strings, whether javax.el or Spring EL expressions, from dynamic values.
Expression Language is vulnerable to injection attacks: whoever controls any part of the string passed as the expression argument of javax.el.ExpressionFactory.createValueExpression() controls what the EL engine evaluates. Avoid evaluating user-controlled expressions where possible. If it cannot be avoided, keep the expression text constant and pass user data only as bound variables, or validate the input against a strict allow-list of known expressions before it reaches the factory.
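The pattern the recipe flags, next to two hardened forms, as an added example that is not part of the Sensei recipe or its description file. It assumes the EL 3.0 API (javax.el.ELManager) with an implementation such as org.glassfish:javax.el:3.0.0 on the classpath; the class, method and bean names and the sample input are assumptions made for the demonstration.

```java
import java.util.Map;

import javax.el.ELContext;
import javax.el.ELManager;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;

// Added example, not part of the recipe. Assumes EL 3.0 (javax.el) and an
// implementation such as org.glassfish:javax.el:3.0.0 on the classpath.
public class ElInjectionDemo {

    // Minimal bean used by the allow-listed lookup below (name and fields are assumptions).
    public static class User {
        private final String firstName;
        private final String lastName;
        public User(String firstName, String lastName) {
            this.firstName = firstName;
            this.lastName = lastName;
        }
        public String getFirstName() { return firstName; }
        public String getLastName() { return lastName; }
    }

    // Only compile-time constant expressions may ever reach the EL engine.
    private static final Map<String, String> FIELD_EXPRESSIONS = Map.of(
            "first", "${user.firstName}",
            "last", "${user.lastName}");

    // VULNERABLE: the expression string is assembled from user input, so the caller
    // decides what the EL engine evaluates. This is exactly what the recipe matches:
    // createValueExpression() on javax.el.ExpressionFactory with a tainted 2nd argument.
    static Object renderUnsafe(String userInput) {
        ELManager manager = new ELManager();
        ELContext ctx = manager.getELContext();
        ExpressionFactory factory = ELManager.getExpressionFactory();
        ValueExpression ve = factory.createValueExpression(ctx, "${" + userInput + "}", Object.class);
        return ve.getValue(ctx);
    }

    // HARDENED (data, not code): the expression text is a constant; the user's value
    // enters only as a bound variable, so it is never parsed as EL.
    static String renderSafe(String userInput) {
        ELManager manager = new ELManager();
        ELContext ctx = manager.getELContext();
        ExpressionFactory factory = ELManager.getExpressionFactory();
        manager.defineBean("name", userInput);
        ValueExpression ve = factory.createValueExpression(ctx, "${name}", String.class);
        return (String) ve.getValue(ctx);
    }

    // HARDENED (allow-listed choice): when the user may pick WHICH expression runs,
    // map the choice to one of a fixed set of constant expressions and reject the rest.
    // Note that the input is never concatenated into the expression string.
    static Object renderSelectedField(String choice, User user) {
        String expression = FIELD_EXPRESSIONS.get(choice);
        if (expression == null) {
            throw new IllegalArgumentException("unsupported field: " + choice);
        }
        ELManager manager = new ELManager();
        ELContext ctx = manager.getELContext();
        ExpressionFactory factory = ELManager.getExpressionFactory();
        manager.defineBean("user", user);
        ValueExpression ve = factory.createValueExpression(ctx, expression, Object.class);
        return ve.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a request parameter.
        String input = "1 + 1";
        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));
        User user = new User("Ada", "Lovelace");
        System.out.println("field:  " + renderSelectedField("last", user));
        try {
            renderSelectedField("class", user);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the unsafe path the EL engine parses the input as an expression, so arithmetic such as `1 + 1` is evaluated instead of being treated as text; in the safe path the same input comes back unchanged as the value of the bound variable. Two caveats for anyone relying on the recipe as a detection control: it matches only `javax.el.ExpressionFactory`, so code that has moved to the `jakarta.el` package (Jakarta EE 9 and later) is not covered by this rule as written, and a regex check on the input does not clear the taint on the concatenated string, so the allow-list approach above (selecting among constant expressions) is the form that both satisfies the rule and is actually safe.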
Recipe
id: scw:spring:el-javax
version: 10
metadata:
  name: 'Input Validation: Avoid Expression Language Injection: Do not evaluate expressions controlled by user input (javax)'
  shortDescription: Could lead to Expression Language Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:generic
  enabled: true
  descriptionFile: descriptions/EL_Injection_User_controlled_input_evaluation.html
  tags: expression language;security;injection;OWASP Top 10
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    name: createValueExpression
    declaration:
      type: javax.el.ExpressionFactory
availableFixes: []