Expression Language Injection Security Risk

[Ramos-dev]

Just like spring el\ognl\jstl,alibba QLexpress alse allow programmer to directly call the Java Object to execute the method using the java reflection mechanism,

but there is no any security restrictions that rise a security risk while editing rules, just like that poc:

so,that cause a remote code execution;
Although it is a feature, there are security risks in design.
fix：

1. Use java.lang.SecurityManager to protected JVM;
2. Prevent against by blacklist(Runtime\ ScriptEngine\FileAccess...);
3. Create a property setting that allows access to java or not.
   see more at:
   https://wooyun.js.org/drops/%E4%B8%80%E7%A7%8D%E6%96%B0%E7%9A%84%E6%94%BB%E5%87%BB%E6%96%B9%E6%B3%95%E2%80%94%E2%80%94Java-Web-Expression-Language-Injection.html
   https://www.owasp.org/index.php/Expression_Language_Injection
   http://danamodio.com/tag/expression-language-injection/
   https://www.owasp.org/images/7/7e/Owasp_SSTI_final.pdf
   @baoxingjie

[baoxingjie]

Your suggestions is very good,currently QlExpress is just a tool,it can do every things by calling java reflection methods.
As a El user and the application's owner,You should forbidden some words before calling EL executor.
By the way, I will also add a forbidden words feature in the project.