CVE-2022-22965/spring-rce.ql

@@ -17,60 +17,38 @@
 import java
 import semmle.code.java.frameworks.spring.SpringController
 
-predicate vulnVersions(JarFile file) {
-    exists(int index, int match |
-      match = file.getImplementationVersion().splitAt(".", index).toInt() |
-      // Spring4Shell vulnerability is not exploitable in certain Spring versions 5.2.20 and 5.3.18
-      not (
-        // Check first index of the file name as 5
-        index = 0 and match = 5 and index = 1 and
-        (
-        // Check second index of the file name as 2 or 3
-        // and check the third index of the file name as 20 or 18
-          (match = 2 and index = 2 and match >= 20) or
-          (match = 3 and index = 2 and match >= 18)
-        )
-      )
-    )
-}
-
-predicate starterVulnVersions(JarFile file) {
-    exists(int index, int match |
-      match = file.getImplementationVersion().splitAt(".", index).toInt() |
-      // Spring4Shell vulnerability is not exploitable in certain Spring Starter versions 2.5.12 and 2.6.6 
-      not (
-        // Check first index of the file name as 2
-        index = 0 and match = 2 and index = 1 and
-        (
-        // Check second index of the file name as 5 or 6
-        // and check the third index of the file name as 12 or 6
-          (match = 5 and index = 2 and match >= 12) or
-          (match = 6 and index = 2 and match >= 6)
-        )
-      )
-    )
+/**
+ * Holds if `fileVersion` is equal or higher (only last digit) than `packageVersion`.
+ */
+bindingset[fileVersion, packageVersion]
+predicate hasLowerVersion(string fileVersion, string packageVersion) {
+  exists(int index, int fileMatch, int packageMatch |
+    fileMatch = fileVersion.splitAt(".", index).toInt() and
+    packageMatch = packageVersion.splitAt(".", index).toInt()
+  |
+    not (index in [0 .. 1] and fileMatch = packageMatch and index = 2 and fileMatch >= packageMatch)
+  )
 }
 
 // Inspired by Paulino Calderon's Log4J CodeQL Query
 // https://github.com/cldrn/codeql-queries/blob/master/log4j-injection.ql
 predicate vulnSpringJarFile(JarFile file) {
-    ( vulnVersions(file) and 
-        (
-            file.getBaseName().matches("%spring-beans%") or
-            file.getBaseName().matches("%spring-core%") or
-            file.getBaseName().matches("%spring-webflux%") or
-            file.getBaseName().matches("%spring-webmvc%")
-        )
-    ) 
-    or 
-    ( starterVulnVersions(file) and 
-        (
-            file.getBaseName().matches("%spring-boot-starter-web%")
-        )
-    )
+  exists(string package, string version |
+    file.getBaseName().matches("%" + package + "%") and
+    hasLowerVersion(file.getImplementationVersion(), version)
+  |
+    version in ["5.2.20", "5.3.18"] and
+    package in ["spring-beans", "spring-core", "spring-webflux", "spring-webmvc"]
+    or
+    version in ["2.5.12", "2.6.6"] and package = "spring-boot-starter-web"
+  )
 }
 
-from SpringRequestMappingMethod m
-where 
-    (m.getAParameter().getType() instanceof SpringUntrustedDataType) and vulnSpringJarFile(_)
-select m, "Vulnerable use of Spring versions for CVE-2022-22965; Check if Java version >= 9 to confirm exploitability."
+from SpringRequestMappingMethod m, Annotation a
+where
+  vulnSpringJarFile(_) and
+  m.getAParameter().getType() instanceof SpringUntrustedDataType and
+  m.getAnAnnotation() = a and
+  a.getType() instanceof SpringRequestMappingAnnotationType
+select m, a.getValue("value"),
+  "Vulnerable use of Spring versions for CVE-2022-22965; Check if Java version >= 9 to confirm exploitability."