Conversation

@Xhoenix Xhoenix (Member) commented Apr 2, 2025

  • java.io.ObjectInputStream - Used as the entry point for deserialization attacks by processing malicious object streams.
  • java.net.ServerSocket - Used to listen for incoming network connections (e.g., for C&C).
  • java.net.URL - Used to connect to URLs for downloading payloads or sending stolen data.
  • java.net.URLConnection / java.net.HttpURLConnection - Used to manage network connections initiated via URL.
  • javax.naming.InitialContext - Used in JNDI injection attacks via the lookup method to trigger remote code loading.
  • javax.xml.parsers.DocumentBuilderFactory / javax.xml.parsers.SAXParserFactory - Used in XXE attacks if XML parsing isn't securely configured.
  • java.nio.file.Files / java.nio.file.Paths - Used for modern file system manipulation (reading, writing, deleting).

github-actions bot (Contributor) commented Apr 2, 2025

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

@S0obi S0obi (Contributor) commented Apr 3, 2025

Hey @Xhoenix, thanks for this change!

I would like to propose adding the following classes for XXE-related payloads (source: https://rules.sonarsource.com/java/RSPEC-2755/, "How can I fix it?"):

javax.xml.stream
org.dom4j.io.SAXReader
org.jdom2.input.SAXBuilder
org.xml.sax

@Xhoenix Xhoenix (Member, Author) commented Apr 4, 2025

People are welcome to provide suggestions. :)

@theseion theseion (Contributor) commented Apr 5, 2025

@Xhoenix If we're going to modify the rule with the Java errors to use a regex, it would make sense to do the same here.

@Xhoenix Xhoenix (Member, Author) commented Apr 7, 2025

> @Xhoenix If we're going to modify the rule with the Java errors to use a regex, it would make sense to do the same here.

You're right, it would definitely make sense to do so. I checked, and it looks like the regex is going to be more complex in this case, and as per the pmFromFile documentation it's better to use the operator than a regex for larger sets. Should we still proceed with the change, or add this to today's agenda for discussion?

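As an added illustration (not CRS code and not from this PR), the Python below emulates what a pmFromFile-style phrase list does with the class names on this page, next to the regex alternative theseion raised. The class list is constructed inline as a stand-in for the CRS data file the PR extends, and the request arguments are constructed samples.

```python
import re

# Constructed stand-in for the data file this PR extends: the classes listed
# in the PR description plus S0obi's XXE-related suggestions.
JAVA_CLASSES = [
    "java.io.ObjectInputStream",
    "java.net.ServerSocket",
    "java.net.URL",
    "java.net.URLConnection",
    "java.net.HttpURLConnection",
    "javax.naming.InitialContext",
    "javax.xml.parsers.DocumentBuilderFactory",
    "javax.xml.parsers.SAXParserFactory",
    "java.nio.file.Files",
    "java.nio.file.Paths",
    "javax.xml.stream",
    "org.dom4j.io.SAXReader",
    "org.jdom2.input.SAXBuilder",
    "org.xml.sax",
]

def pm_match(value, phrases=JAVA_CLASSES):
    """Emulate @pmFromFile: case-insensitive search for every phrase in the
    list, reporting each one found (overlapping phrases all count)."""
    lowered = value.lower()
    return sorted(p for p in phrases if p.lower() in lowered)

def build_regex(phrases=JAVA_CLASSES):
    """Regex alternative built from the same list: escape each entry so the
    dots stay literal, longest names first so alternation prefers them."""
    parts = sorted((re.escape(p) for p in phrases), key=len, reverse=True)
    return re.compile("|".join(parts), re.IGNORECASE)

JAVA_CLASSES_RE = build_regex()

def rx_match(value, regex=JAVA_CLASSES_RE):
    """Text the regex matched. A shorter name contained in a longer one
    (java.net.URL inside java.net.URLConnection) is not reported separately,
    unlike pm_match; the verdict (flagged or not) is the same."""
    return sorted({m.group(0) for m in regex.finditer(value)})

def both_flag(value):
    """True when both operators reach the same flagged/not-flagged verdict."""
    return bool(pm_match(value)) == bool(rx_match(value))

if __name__ == "__main__":
    for arg in ("ctx=javax.naming.InitialContext&op=lookup",
                "parser=ORG.DOM4J.IO.SAXREADER",
                "cls=java.net.URLConnection",
                "class=com.example.User&name=alice"):
        print(arg, "->", pm_match(arg), rx_match(arg))
```
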
@Xhoenix Xhoenix added the release:new-detection In this PR we introduce a new detection label May 5, 2025
@Xhoenix Xhoenix added this pull request to the merge queue May 9, 2025
Merged via the queue into coreruleset:main with commit 6d31b79 May 9, 2025
6 checks passed
@Xhoenix Xhoenix deleted the add-java-classes branch May 9, 2025 03:49