From 2ff95ea04a799fc3e87f9a33395789219e7bceb9 Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald
Date: Fri, 15 Mar 2024 15:33:55 +0100
Subject: [PATCH 1/4] Add JSP sample
---
 rules/S5334/java/how-to-fix-it/jsp.adoc | 53 +++++++++++++++++++++++++
 rules/S5334/java/rule.adoc | 2 +
 2 files changed, 55 insertions(+)
 create mode 100644 rules/S5334/java/how-to-fix-it/jsp.adoc
diff --git a/rules/S5334/java/how-to-fix-it/jsp.adoc b/rules/S5334/java/how-to-fix-it/jsp.adoc
new file mode 100644
index 00000000000..3e59f5ac8f8
--- /dev/null
+++ b/rules/S5334/java/how-to-fix-it/jsp.adoc
@@ -0,0 +1,53 @@
+== How to fix it in JSP
+
+=== Code examples
+
+The following code is vulnerable to arbitrary code execution because it compiles
+and runs HTTP data.
+
+==== Noncompliant code example
+
+[source,java,diff-id=21,diff-type=noncompliant]
+----
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+
+----
+
+==== Compliant solution
+
+It is not possible to securely include user input in a SpEL expression inside of
+the template. Evaluate the expression in the controller and pass the result to
+the template instead.
+
+[source,java,diff-id=21,diff-type=compliant]
+----
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.ui.Model;
+
+@Controller
+public class ExampleController
+{
+ @GetMapping(value = "/")
+ public void exec(@RequestParam("message") String message, Model model) {
+ StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
+ evaluationContext.setVariable("msg", message);
+
+ ExpressionParser parser = new SpelExpressionParser();
+ Expression exp = parser.parseExpression("#msg");
+ String result = (String) exp.getValue(evaluationContext);
+ model.addAttribute("result", result);
+ }
+}
+----
+
+=== How does this work?
+
+include::../../common/fix/introduction.adoc[]
+
+include::../../common/fix/parameters.adoc[]
+
+The compliant code example uses such an approach.
+
+include::../../common/fix/allowlist.adoc[]
diff --git a/rules/S5334/java/rule.adoc b/rules/S5334/java/rule.adoc
index c50eb45077e..04c147dee25 100644
--- a/rules/S5334/java/rule.adoc
+++ b/rules/S5334/java/rule.adoc
@@ -8,6 +8,8 @@ include::../impact.adoc[]
 include::how-to-fix-it/commons-compiler.adoc[]
+include::how-to-fix-it/jsp.adoc[]
+
 == Resources
 include::../common/resources/articles.adoc[]
From 728dfcce0624cf3d767b6fbedca2778d08c4fdd2 Mon Sep 17 00:00:00 2001
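Review bot: The compliant example in jsp.adoc uses `StandardEvaluationContext` (and the `@Controller`, `@GetMapping` and `@RequestParam` annotations) without importing them, while the SpEL parser types are imported, so the snippet does not compile as shown; either add `import org.springframework.expression.spel.support.StandardEvaluationContext;` next to the other imports or drop the partial import list so the example is consistently abbreviated. The noncompliant block as rendered here holds only the taglib directive followed by an empty line, so no vulnerable statement is visible; angle-bracketed content appears to be stripped on this page (the author e-mail is missing too), so please confirm that the committed file really contains the JSP line that evaluates the request parameter as a SpEL expression, otherwise the diff-id pairing shows nothing to fix. The sentence `because it compiles and runs HTTP data` is imprecise for this sink; consider `because it evaluates an HTTP request parameter as a SpEL expression`.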
From: Hendrik Buchwald
Date: Fri, 15 Mar 2024 15:57:43 +0100
Subject: [PATCH 2/4] Add CWE
---
 rules/S5334/java/metadata.json | 8 +++++++-
 rules/S5334/java/rule.adoc | 2 ++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/S5334/java/metadata.json b/rules/S5334/java/metadata.json
index 17971333806..ba26c5fedbe 100644
--- a/rules/S5334/java/metadata.json
+++ b/rules/S5334/java/metadata.json
@@ -1,3 +1,9 @@
 {
-
+ "securityStandards": {
+ "CWE": [
+ 20,
+ 95,
+ 917
+ ]
+ }
 }
diff --git a/rules/S5334/java/rule.adoc b/rules/S5334/java/rule.adoc
index 04c147dee25..3a8217b0d22 100644
--- a/rules/S5334/java/rule.adoc
+++ b/rules/S5334/java/rule.adoc
@@ -16,6 +16,8 @@ include::../common/resources/articles.adoc[]
 include::../common/resources/standards.adoc[]
+* CWE - https://cwe.mitre.org/data/definitions/917[CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')]
+
 ifdef::env-github,rspecator-view[]
 '''
From de1533f946c61bc3d6abdc3f0e9f98ae0435d90e Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald
Date: Fri, 15 Mar 2024 16:48:41 +0100
Subject: [PATCH 3/4] Fix metadata
---
 rules/S5334/java/metadata.json | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/rules/S5334/java/metadata.json b/rules/S5334/java/metadata.json
index ba26c5fedbe..4e6322505ac 100644
--- a/rules/S5334/java/metadata.json
+++ b/rules/S5334/java/metadata.json
@@ -4,6 +4,24 @@
 20,
 95,
 917
+ ],
+ "OWASP": [
+ "A1"
+ ],
+ "OWASP Top 10 2021": [
+ "A3"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.1"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "5.1.3",
+ "5.1.4",
+ "5.2.4",
+ "5.5.4"
 ]
 }
 }
From f5ccf927be455df47e169d883b55785ad9b78507 Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald
Date: Mon, 24 Jun 2024 16:47:05 +0200
Subject: [PATCH 4/4] Add STIG to metadata
---
 rules/S5334/java/metadata.json | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/S5334/java/metadata.json b/rules/S5334/java/metadata.json
index 4e6322505ac..5ba7b8e142d 100644
--- a/rules/S5334/java/metadata.json
+++ b/rules/S5334/java/metadata.json
@@ -22,6 +22,9 @@
 "5.1.4",
 "5.2.4",
 "5.5.4"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222609"
 ]
 }
 }