Recently I wrote a post about detecting JEXL injections with CodeQL. JEXL is a library that provides an interpreter for a simple expression language (EL). This time, I’ll talk about injections with Jakarta Expression Language, and how they can be found with CodeQL.
Recently WhiteSource security scanner started reporting WS-2016-7107 against Spring-based applications. This is an old issue in Spring Security that was reported in 2016. Unfortunately, at the moment of writing it, the issue has not been fixed yet. But there is a pull request that should address it. The problem is that CSRF tokens generated by Spring Security are vulnerable to the BREACH attack. The attack is even older — it was published in 2013. The BREACH attack is similar to the CRIME attack but BREACH doesn’t need TLS compression.
(you can also read it on Medium)
In this blog post, I’ll talk about detecting unsafe Spring Exporters with a CodeQL query. First, I’ll describe the issue that received CVE-2016-1000027. Next, I’ll show what a vulnerable code looks like and how the issue can be mitigated in an application. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.
(you can also read it on Medium)
I recently wrote a blog post about a project I have been working on at SAP for a year. The project is called Fosstars. It is an open-source Java-based framework for defining ratings that help to assess security, activity and other properties of open source projects. Currently, Fosstars offers a comprehensive security rating that helps to identify open source components that can be a security risk for an application. The blog post describes how Fosstars work:
https://blogs.sap.com/2021/02/09/fosstars-a-framework-for-defining-ratings-for-open-source-projects/
I am planning to write a few more articles. One is going to talk about the security rating in detail, and another one is going to be about calculating security ratings with Fosstars and GitHub actions.
In this post, I’ll talk about a CodeQL query for detecting JEXL Expression Language injection vulnerabilities. First, I’ll give a brief overview of expression languages in general and JEXL in particular. Next, I’ll explain what Expression Language injection is and how to prevent it. Then, I’ll describe how the CodeQL query works. In addition, I’ll show a couple of vulnerabilities that have been found by the query.
(you can also read it on Medium)
A photoresistor or a light-dependent resistor (LDR) is a resistor that changes its value (resistance) depending on light intensity. More precisely, when light falls upon it, the resistance decreases. It is normally used as a light or dark detector. For example, it may be used in a circuit that turns lights in a room on when it gets dark. Let’s see how we use a photoresistor with ESP32 and MicroPython.
In the previous posts, I described a simple weather station that measures temperature and humidity and sends the measurements to a Google sheet. The system is supposed to be used at home. Therefore, one of the next possible improvements can be measuring air quality in a room. That can be done, for example, by adding an MH-Z19B sensor for measuring CO2 level. We’ll use again a ESP32 board and MicroPython.
Java 14 is going to be released on March 17, 2020. The new version of Java contains one major update to the Java language: new switch expressions. Let’s see how the new switch expressions can be used, what kind of advantages they offer, and what can potentially go wrong. In the end, you are going to find a tricky question about the switch expressions.
(the article has been published on Medium)
Java 14 is going to be released on Mar 17th, 2020. Besides ~2400 bug fixes and small enhancements, the new version of Java contains 16 major enhancements which are also called JEPs (Java Enhancement Proposals).
Let’s take a closer look at the major updates in Java 14: new switch expressions, better NullPointerExceptions, improvements in garbage collection, JFR event streaming and more.
(the article has been published on Medium)
Some time ago I wrote about unsafe deserialization and DoS vulnerabilities I’ve discovered in Apache Olingo. This post describes one more issue in the library. This time, it’s a little flaw in the Olingo client which may allow sending some HTTP requests to arbitrary URLs. The issue has been fixed in the 4.7.1 release.
In case you don’t know, Apache Olingo is a Java library that implements the Open Data Protocol (OData). This protocol allows the creation and consumption of queryable and interoperable RESTful APIs in a simple way.
