QLinspector

October 1, 2025 ยท View on GitHub

Finding Java gadget chains with CodeQL. More information in our article

Installation

Clone the repo

$ git clone https://github.com/synacktiv/QLinspector.git

Search for gadgets:

$ codeql database analyze log4j --format=sarif-latest --output=log4j.sarif --search-path=./QLinspector/ synacktiv/qlinspector-java-queries

Queries

QLinspector.ql

The main CodeQL query that can be used to find gadget chains.

here is an example with the Aspectj gadget chain:

aspectj

Running the above query can sometimes return a lot of false positives. To filter them the GadgetSanitizer class has been added. You can add conditions to filter out DataFlow::Node:

/**
 * placeholder for adding sanitizing steps
*/
class GadgetSanitizer extends DataFlow::Node {
  GadgetSanitizer() {
    this.getEnclosingCallable().hasName("")
  }
}

QLinspectorOld.ql

Old query that was initially developped. This query do not use the taint model of CodeQL thus it could return different results.

BeanFactoryGadgetFinder.ql

A query that can be used to find new gadget chains based on the org.apache.naming.factory.BeanFactory. The BeanFactory class, allows to create an instance of arbitrary class with default constructor and call any public method with one String parameter.

More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java

CommonsBeanutilsGadgetFinder.ql

A query that can be used to find alternatives to the getOutputProperties method used in the CommonsBeanutils chain.

More information here:

ObjectFactoryFinder.ql

A query that can be used to find alternatives to the org.apache.naming.factory.BeanFactory. This could be usefull during JNDI exploitation.

More information in this blogpost: https://www.veracode.com/blog/research/exploiting-jndi-injections-java

Resources