1. The standard way to mitigate this kind of thing is to have a list of valid values for the dataSource variable and validate against that list before doing the lookup.

    Theoretically something along these lines would work:

     // Allowlist of datasource names the application knows about
     List<String> lookup = new ArrayList<>();
     lookup.add("datasource1");
     lookup.add("datasource2");
     lookup.add("datasource3");
     ....

     // Only proceed if the user-supplied value is exactly one of the allowed names
     if (lookup.contains(userInputDatasource)) {
         doLookup(userInputDatasource);
     } else {
         throw new Exception("Datasource not found");
     }
    
2. JavaScript eval is not recommended:

eval() function is evil, never use it. Needing to use eval usually indicates a problem in your design.

That said, a similar approach to the above could be used to verify that the input only contains valid values.

Answer from peater on Stack Overflow
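Below is an added example, not code from peater's answer, showing the allowlist idea applied to a JNDI datasource lookup. It goes slightly beyond the answer: rather than passing the validated user string to the lookup, it maps each permitted key to a fixed JNDI name, so the tainted value never reaches the lookup at all and there is no tainted data flow left for an analyzer such as Fortify to flag. The class `SafeDataSourceLookup`, the `Resolver` interface, `lookupDataSource`, the keys and the `java:comp/env/jdbc/...` names are assumptions made for this example; the in-memory registry in `main` stands in for a real `javax.naming.Context` so the code runs without a JNDI provider (`Map.of` needs Java 9 or later).

```java
import java.util.Map;
import javax.naming.NamingException;

// Added example (not from the Stack Overflow answer): allowlist validation of a
// user-supplied datasource selector before a JNDI lookup. The Resolver interface and
// the in-memory registry in main() are constructed so the example runs without a JNDI
// provider; in an application you would pass ctx::lookup for a javax.naming.Context.
public final class SafeDataSourceLookup {

    // Maps the short keys the user may send to the fixed JNDI names the application owns.
    // Only map values ever reach the lookup, so a tainted string can never become a name.
    private static final Map<String, String> ALLOWED = Map.of(
        "datasource1", "java:comp/env/jdbc/datasource1",
        "datasource2", "java:comp/env/jdbc/datasource2",
        "datasource3", "java:comp/env/jdbc/datasource3");

    @FunctionalInterface
    public interface Resolver {
        Object lookup(String jndiName) throws NamingException;
    }

    /** Resolves the datasource for a user-chosen key, or throws if the key is not allowlisted. */
    public static Object lookupDataSource(String userKey, Resolver resolver) throws NamingException {
        // Guard null explicitly: Map.of(...) maps reject null keys with a NullPointerException.
        String jndiName = (userKey == null) ? null : ALLOWED.get(userKey);
        if (jndiName == null) {
            // Do not echo the rejected value into messages that reach untrusted parties.
            throw new IllegalArgumentException("Datasource not found");
        }
        return resolver.lookup(jndiName);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed stand-in for a JNDI context: only the application's own names are bound.
        Map<String, Object> registry = Map.of(
            "java:comp/env/jdbc/datasource1", "ds1-handle",
            "java:comp/env/jdbc/datasource2", "ds2-handle");
        Resolver resolver = name -> {
            Object bound = registry.get(name);
            if (bound == null) {
                throw new NamingException("Not bound: " + name);
            }
            return bound;
        };

        System.out.println(lookupDataSource("datasource1", resolver));

        // Anything that is not a key in the allowlist is rejected before any lookup happens,
        // including a full JNDI URL, a path-like string, or an empty value (constructed inputs).
        String[] rejected = { "ldap://untrusted.example/obj", "../datasource1", "" };
        for (String input : rejected) {
            try {
                lookupDataSource(input, resolver);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The map-based form has one practical advantage over checking `contains` and then passing the user string through: the argument to the lookup is always a literal from the application's own table, so the check cannot be bypassed by a value that compares equal but is later normalised differently, and a data-flow scanner sees no path from the request parameter to the lookup.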
Fortify
vulncat.fortify.com › en › detail
Software Security | Dynamic Code Evaluation: JNDI Reference Injection
Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others. ... The program runs a JNDI lookup with an untrusted address that might enable an attacker to run arbitrary Java code remotely.
Discussions

java - Dynamic Code Evaluation: Unsafe Deserialization Fortify Issue - Stack Overflow
Dynamic Code Evaluation validation not picked by SCA
Hello, In my Java application, I have JavaScript Engine loaded at run time to evaluate a formula in JavaScript. The source of this formula is from a database table More on community.microfocus.com
GitHub
github.com › github › codeql › issues › 7621
Need help on JNDI injection query, does not work for log4j test project · Issue #7621 · github/codeql
January 17, 2022 - I've created a simple log4j project: log4j-test.zip It uses log4j 2.11 which is vulnerable to JNDI injection, and I've verified the vulnerability exists. Now I need to verify codeql also works. So I created the java database with: codeql...
CopyProgramming
copyprogramming.com › howto › dynamic-code-evaluation-jndi-reference-injection
Jndi: JNDI reference injection through dynamic code evaluation
June 4, 2023 - During one of my modules, I completed fortify sca and was evaluated on Dynamic Code for JNDI Reference Injection.
Stack Overflow
stackoverflow.com › questions › 73260110 › dynamic-code-evaluation-jndi-reference-injection-logging-unmarshalled-object
java - Dynamic Code Evaluation: JNDI Reference Injection Logging unmarshalled object - Stack Overflow
I have a code like below, unfortunately fortify scan reports a JNDI reference injection here. How could that happen for a unmarshalled java object? var response = restTemplate.exchange("url&qu...
Fortify
vulncat.fortify.com › en › detail
Dynamic Code Evaluation: Code Injection - Fortify Taxonomy
Example: In this classic code injection example, the application implements a basic calculator that allows the user to specify commands for execution. ... public static object CEval(string sCSCode) { CodeDomProvider icc = CodeDomProvider.CreateProvider("CSharp"); CompilerParameters cparam = new CompilerParameters(); cparam.ReferencedAssemblies.Add("system.dll"); cparam.CompilerOptions = "/t:library"; cparam.GenerateInMemory = true; StringBuilder sb_code = new StringBuilder(""); sb_code.Append("using System;\n"); sb_code.Append("namespace Fortify_CodeEval{ \n"); sb_code.Append("public class For
Shadow-soft
shadow-soft.com › content › hot-fixing-log4j-jndi-in-java-1-6-no-updates-required
Hot Fixing Log4j JNDI in Java 1.6+ (No updates required)
August 28, 2024 - Resolve the format string to “(log4j jndi disabled)” in the log message (to prevent transitive injections).
Google Groups
groups.google.com › g › 3ovhs7 › c › wqGs9G3feW4
Dynamic Code Evaluation Code Injection Fix
This article is changing the plan ... injection into dynamically executing function that the web · The dynamic sql injection fortify sca, it directly evaluates those....
Veracode
veracode.com › home › exploiting jndi injections in java
Exploiting JNDI Injections in Java | Veracode
March 13, 2025 - This technique worked well up to Java 8u121 when Oracle added codebase restrictions to RMI. After that, it was possible to use a malicious LDAP server returning the same reference, as described in the “A Journey from JNDI/LDAP manipulation ...
Medium
medium.com › @yany.dong › jndi-injection-series-rmi-vector-the-final-piece-of-the-puzzle-b6a65c4ab330
JNDI Injection Series: RMI Vector — The Final Piece of The Puzzle | by Yani | OSINT Team
October 7, 2024 - In this blog, we will see how to ... controlled RMI server. JNDI (Java Naming and Directory Interface) is a Java API that allows clients to discover and look up data and objects via a name....
SonarSource
rules.sonarsource.com › java › rspec-5334
Dynamic code execution should not be vulnerable to ...
Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code
GitHub
github.com › spring-projects › spring-boot › issues › 17137
Dynamic Code Evaluation: Unsafe Deserialization (Spring Boot 2) - how to avoid actuator related fortify issue, or is it a false positive? · Issue #17137 · spring-projects/spring-boot
June 13, 2019 - Dynamic Code Evaluation: Unsafe Deserialization (Spring Boot 2) - how to avoid actuator related fortify issue, or is it a false positive?#17137
Author: dongdongqin
Micro Focus
community.microfocus.com › cyberres › fortify › f › discussions › 343940 › dynamic-code-evaluation-validation-not-picked-by-sca
Dynamic Code Evaluation validation not picked by SCA - Fortify User Discussions - OpenText Fortify
February 16, 2015 - Can somebody let me know if one is required to write a custom datacleanse rule for HP Fortify to detect this? ... Not sure in your specific case but most likely: yes, you should write your own rule to pick up the validation method ... Thank you Geert Sman for your reply. I wrote the dataflowcleanse rule it worked. TaintedFlag to be used for writing the dataflowclease rule in this case is VALIDATED_DYNAMIC_CODE_EVALUATION_CODE_INJECTION.
Stack Overflow
stackoverflow.com › questions › tagged › jndi
Recently Active 'jndi' Questions - Page 5 - Stack Overflow
I want to get the schema name from my DataSource or Connection object so that it can be used in my SQL queries dynamically. I'm using DB2 and there is no implementation of connection.getSchema() in ... ... We have a java web application which connects to queues(IBM MQ). It works fine in IBM WAS 8.5 where we have configured queue connection factories and queues in the WAS 8.5 console. The application ... ... Please explain the difference between using ldapcontext and dircontext in JNDI.
OpenText
community.opentext.com › cybersec › fortify › f › discussions › 531827 › remote-code-evaluation-jndi-reference-injection-vulnerability
JNDI Reference Injection Vulnerability - Fortify Discussions
Stack Overflow
stackoverflow.com › questions › 56666442 › how-to-fix-fortify-dynamic-code-evaluation-script-injection-error
How to fix Fortify "Dynamic Code Evaluation: Script Injection" error
June 19, 2019 - How to Fix fortify Dynamic Code Evaluation: Script Injection error? onCommentSuccess: function (showAllComments) { $('#commentListDiv').load(location.href + ' #commentListDiv', function() { ...
Fortify
vulncat.fortify.com › en › detail
Dynamic Code Evaluation: Script Injection - Fortify Taxonomy
However, without proper validation, a user might specify operations the programmer does not intend. Example 1: In this code injection example, a request parameter is bound into a razor template which is evaluated.