commons-issues mailing list archives

From "Henri Biestro (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JEXL-223) Apache Commons JEXL Expression Execute Command Vulnerabilitity
Date Tue, 25 Apr 2017 13:22:04 GMT

    [ https://issues.apache.org/jira/browse/JEXL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15982872#comment-15982872 ]

Henri Biestro commented on JEXL-223:
------------------------------------

For future reference:
{code}
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.junit.Assert;
import org.junit.Test;

public class RestrictTest {
    private static final Log LOGGER = LogFactory.getLog(RestrictTest.class);

    @Test
    public void testRestrict() throws Exception {
        JexlContext context = new MapContext();
        context.set("System", System.class);
        JexlSandbox sandbox = new JexlSandbox();
        // only allow call to currentTimeMillis (avoid exit, gc, loadLibrary, etc)
        sandbox.white("java.lang.System").execute("currentTimeMillis");
        // can not create a new file ("" names the constructor)
        sandbox.black("java.io.File").execute("");
        // can not create a new process builder
        sandbox.black("java.lang.ProcessBuilder").execute("");

        // the sandbox only applies to engines built with it
        JexlEngine sjexl = new JexlBuilder().sandbox(sandbox).strict(true).create();

        String expr;
        JexlScript script;
        Object result;

        // System is white-listed for currentTimeMillis only, so exit() must be refused
        script = sjexl.createScript("System.exit()");
        try {
            result = script.execute(context);
            Assert.fail("should not allow calling exit!");
        } catch (JexlException xjexl) {
            LOGGER.info(xjexl.toString());
        }

        script = sjexl.createScript("System.exit(1)");
        try {
            result = script.execute(context);
            Assert.fail("should not allow calling exit!");
        } catch (JexlException xjexl) {
            LOGGER.info(xjexl.toString());
        }

        // black-listed constructor: new(...) on java.io.File is refused
        script = sjexl.createScript("new('java.io.File', '/tmp/should-not-be-created')");
        try {
            result = script.execute(context);
            Assert.fail("should not allow creating a file");
        } catch (JexlException xjexl) {
            LOGGER.info(xjexl.toString());
        }

        // black-listed constructor: the ProcessBuilder is never built, so start() is never reached
        script = sjexl.createScript(
                "new('java.lang.ProcessBuilder',"
                 + " 'touch /tmp/should-not-be-created').start()"
        );
        try {
            result = script.execute(context);
            Assert.fail("should not allow creating a process");
        } catch (JexlException xjexl) {
            LOGGER.info(xjexl.toString());
        }

        // the one white-listed call still works
        expr = "System.currentTimeMillis()";
        script = sjexl.createScript(expr);
        result = script.execute(context);
        Assert.assertNotNull(result);
    }
}
{code}

And 
{code}
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.FutureTask;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlScript;
import org.junit.Assert;
import org.junit.Test;

public class FutureTest {
    private static final JexlEngine JEXL = new JexlBuilder().create();

    @Test
    public void testFuture() throws Exception {
        // an endless script: without a bound it would spin forever
        JexlScript e = JEXL.createScript("while(true);");
        // callable(context) wraps the execution so it can run on another thread
        FutureTask<Object> future = new FutureTask<Object>(e.callable(null));

        ExecutorService executor = Executors.newFixedThreadPool(1);
        executor.submit(future);
        Object t = 42;
        try {
            t = future.get(100, TimeUnit.MILLISECONDS);
            Assert.fail("should have timed out");
        } catch (TimeoutException xtimeout) {
            // ok, ignore; cancel(true) interrupts the interpreter thread
            future.cancel(true);
        } finally {
            executor.shutdown();
        }

        Assert.assertTrue(future.isCancelled());
        Assert.assertEquals(42, t);
    }
}
{code}

> Apache Commons JEXL Expression Execute Command Vulnerabilitity
> --------------------------------------------------------------
>
>                 Key: JEXL-223
>                 URL: https://issues.apache.org/jira/browse/JEXL-223
>             Project: Commons JEXL
>          Issue Type: Bug
>    Affects Versions: 3.1
>            Reporter: cnbird
>            Priority: Critical
>
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerability through groovy.
> 0x02 POC
> POC reported to the Apache Security email address security@apache.org.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
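The two tests above show a sandbox and a time limit separately; the following combines them into one guard for evaluating untrusted JEXL. It is an added example, not code from this issue or from the JEXL project, and it goes beyond the tests in one respect: the sandbox is white-list only, so anything not explicitly permitted (constructors included) is refused instead of relying on black-list entries for specific classes. It assumes the JEXL 3.1 API used in the tests plus the `JexlSandbox(boolean)` white-list-only constructor; the class name `GuardedJexl` and the `evaluate` helper are invented for illustration.

```java
import java.util.concurrent.*;
import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public final class GuardedJexl {
    private final JexlEngine jexl;
    private final ExecutorService pool = Executors.newCachedThreadPool();

    public GuardedJexl() {
        // true = white-list only (assumed JexlSandbox(boolean) constructor): any class not listed
        // is refused, constructors included, so File/ProcessBuilder need no black-list entries
        JexlSandbox sandbox = new JexlSandbox(true);
        sandbox.white("java.lang.System").execute("currentTimeMillis"); // one static method only
        jexl = new JexlBuilder().sandbox(sandbox).strict(true).create();
    }

    // A sandbox refusal surfaces as JexlException, a runaway script as TimeoutException.
    public Object evaluate(String source, JexlContext ctx, long timeoutMs) throws Exception {
        JexlScript script = jexl.createScript(source);           // parse errors are thrown here
        Future<Object> task = pool.submit(script.callable(ctx)); // same mechanism as testFuture
        try {
            return task.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException timedOut) {
            task.cancel(true); // interrupts the worker thread; the interpreter honours it and aborts
            throw timedOut;
        } catch (ExecutionException failed) {
            Throwable cause = failed.getCause();
            if (cause instanceof JexlException) throw (JexlException) cause;
            throw failed;
        }
    }

    public static void main(String[] args) throws Exception {
        GuardedJexl guard = new GuardedJexl();
        JexlContext ctx = new MapContext();
        ctx.set("System", System.class); // same exposure the tests above use
        System.out.println(guard.evaluate("System.currentTimeMillis() > 0", ctx, 100));
        String[] rejected = {"System.exit(1)", "new('java.io.File', '/tmp/x')", "while(true);"};
        for (String bad : rejected) {
            try {
                guard.evaluate(bad, ctx, 100);
            } catch (Exception x) {
                System.out.println(bad + " -> " + x.getClass().getSimpleName());
            }
        }
        guard.pool.shutdownNow();
    }
}
```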
