
Pebble Security Issue #454

Closed
securityMB opened this issue Jul 15, 2019 · 5 comments

@securityMB

I have found a security issue in Pebble similar to #435. Do you provide a way to report it privately (e.g. via email), or are you okay with releasing details in the public issue?

@ebussieres
Member

Please report it here

@securityMB
Author

Thank you for the quick answer.

So Pebble blocks access to getClass(), but there might be other ways to get direct access to instances of java.lang.Class. Some Java classes have a TYPE static field whose value is an instance of java.lang.Class. An example being: java.lang.Integer.

So instead of using

{{ ''.getClass().forName('java.lang.Runtime')... }}

the attacker can use

{{ (1).TYPE.forName('java.lang.Runtime')... }}

I believe that at least one of the following can be done to limit the risk:

  • Check whether any method or field returns an instance of java.lang.Class and block it if it does,
  • Block certain methods that are commonly used to execute arbitrary Java code. FreeMarker, for instance, has a file unsafeMethods.properties with several dozen methods that are considered unsafe for templating.

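As an added example (not Pebble's own code), the two mitigations proposed above combined into one guard that a template engine could consult before resolving a member: a denylist in the spirit of FreeMarker's unsafeMethods.properties, plus a check on whether the member's declared type, or the value it actually returns, is java.lang.Class. The class name, method names and denylist entries are assumptions.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Set;

/** Hypothetical guard (added example, not Pebble's code) run before a template resolves a member. */
public final class ClassAccessGuard {
    // Members commonly used to reach arbitrary code from a template, in the spirit of
    // FreeMarker's unsafeMethods.properties; this is a constructed sample, not that file.
    private static final Set<String> UNSAFE_MEMBERS = Set.of(
        "java.lang.Object.getClass",
        "java.lang.Class.forName",
        "java.lang.Class.newInstance",
        "java.lang.Class.getMethod",
        "java.lang.reflect.Method.invoke",
        "java.lang.Runtime.getRuntime",
        "java.lang.ProcessBuilder.start");

    /** Static check: may the template touch member {@code name} on {@code target}? */
    public static boolean isAllowed(Object target, String name) {
        Class<?> type = target.getClass();
        // Rule 1: denylisted by declaring class + member name.
        // Rule 2: declared type is java.lang.Class, which covers both
        // Object.getClass() and static fields such as Integer.TYPE.
        for (Method m : type.getMethods()) {
            if (!m.getName().equals(name)) continue;
            if (UNSAFE_MEMBERS.contains(m.getDeclaringClass().getName() + "." + name)) return false;
            if (Class.class.isAssignableFrom(m.getReturnType())) return false;
        }
        try {
            Field f = type.getField(name);
            if (UNSAFE_MEMBERS.contains(f.getDeclaringClass().getName() + "." + name)) return false;
            if (Class.class.isAssignableFrom(f.getType())) return false;
        } catch (NoSuchFieldException e) {
            // no public field of that name; nothing more to check
        }
        return true;
    }

    /** Runtime check on the resolved value: catches members declared as Object that return a Class. */
    public static boolean isAllowedValue(Object value) {
        return !(value instanceof Class);
    }

    public static void main(String[] args) {
        System.out.println(isAllowed(1, "TYPE"));          // the (1).TYPE route from the report
        System.out.println(isAllowed("", "getClass"));     // the ''.getClass() route
        System.out.println(isAllowed("", "length"));       // an ordinary, harmless member
        System.out.println(isAllowedValue(Integer.TYPE));  // value-level check on a Class instance
    }
}
```

Checking the resolved value matters because a getter declared as returning Object can still hand back a Class at runtime, which the declared-type check alone would miss.
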
@ebussieres
Member

I like the FreeMarker approach ... could you make a PR for this?

@securityMB
Author

@ebussieres I'd love to but I've never actually programmed in Java so I don't really feel confident about doing it right.

@ebussieres ebussieres self-assigned this Sep 6, 2019
@ebussieres ebussieres added this to the 3.1.1 milestone Sep 6, 2019
@ebussieres
Member

Gonna be fixed in next release
