Recipe Name:
Input Validation: Avoid Expression Language Injection: Do not evaluate expressions controlled by user input (javax)
Description:
Could lead to Expression Language Injection
Level:
error
Language:
  • java
Tags:
  • expression language
  • security
  • injection
  • OWASP Top 10
Documentation

Secure coding practices prescribe that expression language (EL) expressions, whether Spring EL or the standard javax.el Unified EL, should not be assembled from dynamic values.

Expression language evaluation is vulnerable to injection attacks: when untrusted input becomes part of the expression source, the EL engine parses and executes whatever syntax that input contains, so the attacker controls what runs rather than merely a value. Avoid evaluating expressions built from user input where possible. If it cannot be avoided, keep the expression source constant and pass untrusted values in as EL variables, or validate the input against a strict allowlist before it enters the expression.
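The pattern this recipe flags, shown beside two hardened forms, as an added example that is not part of the original recipe page or its description file. It assumes Java 9+ and an EL 3.0 API plus implementation on the classpath (for example the org.glassfish:javax.el artifact); the User bean, the allowlist contents and the sample input are constructed for the example.

```java
import java.util.Set;
import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.StandardELContext;
import javax.el.ValueExpression;

public class ElInjectionExample {

    // Assumes an EL 3.0 API and implementation on the classpath (e.g. org.glassfish:javax.el).
    private static final ExpressionFactory FACTORY = ExpressionFactory.newInstance();

    // Minimal bean used as sample data; constructed for this example.
    public static class User {
        private final String name;
        private final String email;
        public User(String name, String email) { this.name = name; this.email = email; }
        public String getName() { return name; }
        public String getEmail() { return email; }
    }

    // VULNERABLE (the call pattern this recipe matches): untrusted text is concatenated into the
    // expression source, so any EL syntax it contains is parsed and executed by the EL engine.
    static Object evaluateUntrusted(String userInput) {
        ELContext ctx = new StandardELContext(FACTORY);
        ValueExpression ve = FACTORY.createValueExpression(ctx, "${" + userInput + "}", Object.class);
        return ve.getValue(ctx);
    }

    // SAFE: the expression source is a constant. The untrusted value is bound as an EL variable,
    // so the engine only ever sees it as data, never as expression text.
    static Object evaluateAsData(String userInput) {
        ELContext ctx = new StandardELContext(FACTORY);
        ctx.getVariableMapper().setVariable("input",
                FACTORY.createValueExpression(userInput, String.class));
        ValueExpression ve = FACTORY.createValueExpression(ctx, "${input}", Object.class);
        return ve.getValue(ctx);
    }

    // SAFE: when part of the expression genuinely has to come from the user (here a property
    // name), accept only values from a fixed allowlist before they reach the expression source.
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("name", "email");

    static Object readProperty(User user, String propertyName) {
        if (!ALLOWED_PROPERTIES.contains(propertyName)) {
            throw new IllegalArgumentException("property not allowed: " + propertyName);
        }
        ELContext ctx = new StandardELContext(FACTORY);
        ctx.getVariableMapper().setVariable("user",
                FACTORY.createValueExpression(user, User.class));
        ValueExpression ve = FACTORY.createValueExpression(ctx, "${user." + propertyName + "}", Object.class);
        return ve.getValue(ctx);
    }

    public static void main(String[] args) {
        String attackerControlled = "6 * 7"; // constructed sample input
        // Vulnerable path: the input is evaluated as EL arithmetic and prints 42.
        System.out.println(evaluateUntrusted(attackerControlled));
        // Hardened path: the same input comes back unchanged as the string "6 * 7".
        System.out.println(evaluateAsData(attackerControlled));

        User user = new User("alice", "alice@example.com");
        System.out.println(readProperty(user, "email"));   // alice@example.com
        try {
            readProperty(user, "class.name");             // would be valid EL; rejected before parsing
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The benign input "6 * 7" makes the difference visible without any dangerous payload: the vulnerable path executes it, the variable-binding path returns it verbatim. The allowlist check is deliberately a fixed set rather than a regular expression, because even an identifier-only pattern would still admit EL property traversals such as `class` that return objects the caller never intended to expose.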

Recipe
id: scw:spring:el-javax
version: 10
metadata:
  name: 'Input Validation: Avoid Expression Language Injection: Do not evaluate expressions controlled by user input (javax)'
  shortDescription: Could lead to Expression Language Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:generic
  enabled: true
  descriptionFile: descriptions/EL_Injection_User_controlled_input_evaluation.html
  tags: expression language;security;injection;OWASP Top 10
search:
  methodcall:
    args:
      2:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    name: createValueExpression
    declaration:
      type: javax.el.ExpressionFactory
availableFixes: []