EL Injection in PartialViewContext #175

Open
mwulftange opened this Issue Nov 2, 2017 · 0 comments

mwulftange commented Nov 2, 2017

There are multiple instances in the PartialViewContext.processAjaxExecutePhase(FacesContext) method where user-supplied input is used as (part of) the expression of a MethodExpression:

  • request parameter _of_action (local variable action) is used in lines 546–556:
        if (action != null) {
            MethodExpression methodBinding;
            if (!action.startsWith("#{")){
                methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, "#{" + action + "}", String.class, new Class[]{});
            }else{
                methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, action, String.class, new Class[]{});
            }
            methodBinding.invoke(elContext, null);
        }
  • request parameter _of_actionListener (local variable listener) is used in lines 557–585:
        if (listener != null) {
            AjaxActionEvent event = new AjaxActionEvent(component, new Behavior() {
                public void broadcast(BehaviorEvent event) {
                    throw new UnsupportedOperationException("This method is not expected to be invoked.");
                }
            });
            event.setPhaseId(Boolean.valueOf(requestParams.get(PARAM_IMMEDIATE)) ? PhaseId.APPLY_REQUEST_VALUES : PhaseId.INVOKE_APPLICATION);
            MethodExpression methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
                    elContext, "#{" + listener + "}", void.class, new Class[]{AjaxBehaviorEvent.class});
            try {
                methodExpression.getMethodInfo(elContext);
            } catch (MethodNotFoundException e1) {
                // both actionEvent and AjaxActionEvent parameter declarations are allowed
                methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, "#{" + listener + "}", void.class, new Class[]{AjaxActionEvent.class});
                try {
                    methodExpression.getMethodInfo(elContext);
                } catch (MethodNotFoundException e2) {
                    Log.log("Couldn't find Ajax action handler method. Method expression: #{" + listener + "} . " +
                            "Note, the appropriate method should receive one parameter of either javax.faces.event.AjaxBehaviorEvent or " +
                            "org.openfaces.event.AjaxActionEvent type.", e2);
                    throw e2;
                }
            }
            methodExpression.invoke(elContext, new Object[]{event});
            Object listenerResult = event.getAjaxResult();
            if (listenerResult != null)
                result = listenerResult;
        }

Arbitrary EL evaluation can result in the execution of arbitrary code on the application server.
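
One possible mitigation for the pattern reported above, as an added example that is not part of the original issue or the project's code: the values of `_of_action` and `_of_actionListener` are accepted only if they are plain method references that the view declared server-side. The class `AjaxActionGuard`, its `resolve` method, the bean name `orderBean` and the idea that the declared references are available as a set are assumptions made for illustration.

```java
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example: gate request-supplied method references before building a MethodExpression. */
public class AjaxActionGuard {
    // bean.method made of plain identifiers only: no "#{", parentheses, operators or literals.
    private static final Pattern METHOD_REF =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)+");

    // Method references the view declared for this component (assumed to be known server-side).
    private final Set<String> declared;

    public AjaxActionGuard(Set<String> declared) {
        this.declared = Set.copyOf(declared);
    }

    /** Returns the "#{...}" string to compile, or empty when the request value must be rejected. */
    public Optional<String> resolve(String requestValue) {
        if (requestValue == null) return Optional.empty();
        String ref = requestValue.trim();
        // The reported code accepts both "bean.method" and "#{bean.method}"; unwrap the latter.
        if (ref.startsWith("#{") && ref.endsWith("}")) {
            ref = ref.substring(2, ref.length() - 1).trim();
        }
        if (!METHOD_REF.matcher(ref).matches()) return Optional.empty(); // not a plain reference
        if (!declared.contains(ref)) return Optional.empty();            // not declared by the view
        return Optional.of("#{" + ref + "}");
    }

    public static void main(String[] args) {
        // Constructed sample: one declared action, then values as they might arrive in _of_action.
        AjaxActionGuard guard = new AjaxActionGuard(Set.of("orderBean.submit"));
        String[] samples = {
            "orderBean.submit",        // declared
            "#{orderBean.submit}",     // declared, already wrapped
            "orderBean.cancel",        // well-formed but not declared
            "orderBean.submit() + 1",  // more than a method reference
            "#{orderBean.submit}#{1}"  // second expression appended
        };
        for (String s : samples) {
            System.out.println(s + " -> " + guard.resolve(s).orElse("REJECTED"));
        }
    }
}
```

Only a string returned by `resolve` would be handed to `createMethodExpression`; an empty result means the request is refused before any expression is compiled or invoked.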
