diff --git a/common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java b/common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java
index 8ba26f2dd4e..736cec09c0e 100644
--- a/common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java
+++ b/common/src/main/java/org/dromara/hertzbeat/common/config/AviatorConfiguration.java
@@ -18,6 +18,9 @@
 package org.dromara.hertzbeat.common.config;
 import com.googlecode.aviator.AviatorEvaluator;
+import com.googlecode.aviator.AviatorEvaluatorInstance;
+import com.googlecode.aviator.Feature;
+import com.googlecode.aviator.Options;
 import com.googlecode.aviator.lexer.token.OperatorType;
 import com.googlecode.aviator.runtime.function.AbstractFunction;
 import com.googlecode.aviator.runtime.type.*;
@@ -42,13 +45,22 @@ public class AviatorConfiguration {
 @Bean
 public void configAviatorEvaluator() {
+ AviatorEvaluatorInstance instance = AviatorEvaluator.getInstance();
+
 // 配置AviatorEvaluator使用LRU缓存编译后的表达式
- AviatorEvaluator.getInstance()
+ instance
 .useLRUExpressionCache(AVIATOR_LRU_CACHE_SIZE)
 .addFunction(new StrEqualFunction());
+ // 配置Aviator语法特性集合
+ instance.setOption(Options.FEATURE_SET,
+ Feature.asSet(Feature.If,
+ Feature.Assignment,
+ Feature.Let,
+ Feature.StringInterpolation));
+
 // 配置自定义aviator函数
- AviatorEvaluator.getInstance().addOpFunction(OperatorType.BIT_OR, new AbstractFunction() {
+ instance.addOpFunction(OperatorType.BIT_OR, new AbstractFunction() {
 @Override
 public AviatorObject call(final Map env, final AviatorObject arg1, final AviatorObject arg2) {
@@ -72,9 +84,9 @@ public String getName() {
 }
 });
- AviatorEvaluator.getInstance().addFunction(new StrContainsFunction());
- AviatorEvaluator.getInstance().addFunction(new ObjectExistsFunction());
- AviatorEvaluator.getInstance().addFunction(new StrMatchesFunction());
+ instance.addFunction(new StrContainsFunction());
+ instance.addFunction(new ObjectExistsFunction());
+ instance.addFunction(new StrMatchesFunction());
 }
 /**
diff --git a/common/src/test/java/org/dromara/hertzbeat/common/config/AviatorConfigurationTest.java b/common/src/test/java/org/dromara/hertzbeat/common/config/AviatorConfigurationTest.java
index 5fe948d7064..bb99e233429 100644
--- a/common/src/test/java/org/dromara/hertzbeat/common/config/AviatorConfigurationTest.java
+++ b/common/src/test/java/org/dromara/hertzbeat/common/config/AviatorConfigurationTest.java
@@ -1,6 +1,7 @@
 package org.dromara.hertzbeat.common.config;
 import com.googlecode.aviator.AviatorEvaluator;
+import com.googlecode.aviator.exception.UnsupportedFeatureException;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
@@ -96,4 +97,21 @@ void testCustomStringFunctions() {
 Boolean res13 = (Boolean) AviatorEvaluator.compile(expr10).execute(env);
 Assertions.assertFalse(res13);
 }
+
+ @Test
+ void testRCE() {
+ // test if 'new' syntax is disabled to prevent RCE
+ Assertions.assertThrows(UnsupportedFeatureException.class, () -> {
+ String expr1 = "let d = new java.util.Date();\n" +
+ "p(type(d));\n" +
+ "p(d);";
+ AviatorEvaluator.compile(expr1, true).execute();
+ });
+ // test allowed features
+ String expr2 = "let a = 0;\n" +
+ "if (\"#{a}\" == \"0\") { a = -1; }\n" +
+ "a == -1";
+ Boolean result = (Boolean) AviatorEvaluator.compile(expr2, true).execute();
+ Assertions.assertTrue(result);
+ }
 }
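Review bot: The three `instance.addFunction(...)` registrations here, like the `Options.FEATURE_SET` allow-list set earlier in `configAviatorEvaluator()` (the method starts outside this hunk), only harden the global singleton obtained from `AviatorEvaluator.getInstance()`; any code path that compiles expressions through `AviatorEvaluator.newInstance()` or its own `AviatorEvaluatorInstance` would still run with Aviator's default feature set, `new` included, so it is worth checking the rest of the codebase for such instances and routing them through this bean. Dropping `Feature.NewInstance` blocks `new java.util.Date()` at compile time, but it does not by itself limit what an expression can reach through objects handed in via `env`; if the Aviator version in use supports it, consider also setting `Options.ALLOWED_CLASS_SET` to an empty or explicit allow-list so class-based access is denied independently of the syntax feature set. Note too that the allow-list omits `Feature.Ternary`, so any existing alert or collect expression using `a ? b : c` would now fail to compile — I cannot see those expressions from here, so this should be confirmed. A one-line comment above the registrations would make the intent explicit for the next maintainer, e.g. `// Custom functions are registered on the same restricted instance; never expose static/reflective Java functions here.`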
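Review bot: `testRCE` only pins that a top-level `new` is rejected, while the allow-list deliberately keeps `Feature.StringInterpolation`, and a `#{...}` fragment is itself a compiled expression; add an `assertThrows` that `AviatorEvaluator.compile("\"#{new java.util.Date()}\"", true)` is rejected as well, so the test proves the restricted feature set also governs interpolated code. The same one-line assertions for the other features left out of the set (`fn`, `lambda`, `for`/`while`, and module `require` if the Aviator version has it) would make any future widening of the set fail loudly. `AviatorEvaluator.compile(...)` is the static facade over the global instance, so this test only exercises the production configuration if the class's `@BeforeAll` hook (outside this hunk) invokes `configAviatorEvaluator()`; otherwise it passes or fails on Aviator's defaults, which is worth a short comment on the test. Since the feature check fires at compile time, the `p(type(d));` and `p(d);` lines in `expr1` are never reached and can be dropped to keep the test focused.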