From adadb14a280abe5436d248078fffa92233798b72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=87=B4=E4=BF=A1?=
Date: Sun, 16 Mar 2025 14:50:58 +0800
Subject: [PATCH 1/2] feat: add /CommandInject2.java
---
 .../joychou/controller/CommandInject2.java | 63 +++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 src/main/java/org/joychou/controller/CommandInject2.java
diff --git a/src/main/java/org/joychou/controller/CommandInject2.java b/src/main/java/org/joychou/controller/CommandInject2.java
new file mode 100644
index 00000000..a1a99035
--- /dev/null
+++ b/src/main/java/org/joychou/controller/CommandInject2.java
@@ -0,0 +1,63 @@
+package org.joychou.controller;
+
+import org.joychou.security.SecurityUtil;
+import org.joychou.util.WebUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+@RestController
+public class CommandInject {
+
+ protected final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+ /**
+ * http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
+ *
+ * @param filepath filepath
+ * @return result
+ */
+ @GetMapping("/codeinject")
+ public String codeInject(String filepath) throws IOException {
+
+ String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
+ ProcessBuilder builder = new ProcessBuilder(cmdList);
+ builder.redirectErrorStream(true);
+ Process process = builder.start();
+ return WebUtils.convertStreamToString(process.getInputStream());
+ }
+
+ /**
+ * Host Injection
+ * Host: hacked by joychou;cat /etc/passwd
+ * http://localhost:8080/codeinject/host
+ */
+ @GetMapping("/codeinject/host")
+ public String codeInjectHost(HttpServletRequest request) throws IOException {
+
+ String host = request.getHeader("host");
+ logger.info(host);
+ String[] cmdList = new String[]{"sh", "-c", "curl " + host};
+ ProcessBuilder builder = new ProcessBuilder(cmdList);
+ builder.redirectErrorStream(true);
+ Process process = builder.start();
+ return WebUtils.convertStreamToString(process.getInputStream());
+ }
+
+ @GetMapping("/codeinject/sec")
+ public String codeInjectSec(String filepath) throws IOException {
+ String filterFilePath = SecurityUtil.cmdFilter(filepath);
+ if (null == filterFilePath) {
+ return "Bad boy. I got u.";
+ }
+ String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+ ProcessBuilder builder = new ProcessBuilder(cmdList);
+ builder.redirectErrorStream(true);
+ Process process = builder.start();
+ return WebUtils.convertStreamToString(process.getInputStream());
+ }
+}
From 138578b6d53d025b3622b808fccbb0ea023f9e04 Mon Sep 17 00:00:00 2001
From: CF <535676766@qq.com>
Date: Sun, 16 Mar 2025 16:31:01 +0800
Subject: [PATCH 2/2] Update src/main/java/org/joychou/controller/CommandInject2.java
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 src/main/java/org/joychou/controller/CommandInject2.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/joychou/controller/CommandInject2.java b/src/main/java/org/joychou/controller/CommandInject2.java
index a1a99035..96223076 100644
--- a/src/main/java/org/joychou/controller/CommandInject2.java
+++ b/src/main/java/org/joychou/controller/CommandInject2.java
@@ -41,7 +41,12 @@ public String codeInjectHost(HttpServletRequest request) throws IOException {
 
 String host = request.getHeader("host");
 logger.info(host);
- String[] cmdList = new String[]{"sh", "-c", "curl " + host};
+ // 使用白名单或其他防护措施,如仅允许合法域名
+ String safeHost = SecurityUtil.hostFilter(host);
+ if (safeHost == null) {
+ throw new IllegalArgumentException("非法或危险的host");
+ }
+ String[] cmdList = new String[]{"sh", "-c", "curl " + safeHost};
 ProcessBuilder builder = new ProcessBuilder(cmdList);
 builder.redirectErrorStream(true);
 Process process = builder.start();
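Review bot: `codeInjectSec` still builds `"ls -la " + filterFilePath` and runs it through `sh -c`, so the "sec" endpoint is only as strong as `SecurityUtil.cmdFilter`, whose rules are not visible in this patch. Passing the path as its own argument takes the shell out of the path entirely: `ProcessBuilder builder = new ProcessBuilder("ls", "-la", "--", filterFilePath);`. `codeInject` and `codeInjectHost` concatenate the `filepath` parameter and the `Host` header into the same `sh -c` string with no filtering at all; the Javadoc examples suggest that is the intended demonstration, and a one-line comment such as `// Intentionally vulnerable: request input reaches sh -c unfiltered` would make that explicit. Separately, the file is `CommandInject2.java` but declares `public class CommandInject`, which javac rejects, and the `/codeinject*` mappings would presumably clash with any existing controller of that name.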
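Review bot: The filtered value is still concatenated into `"curl " + safeHost` and parsed by `sh -c`, so this fix depends entirely on `SecurityUtil.hostFilter` rejecting every shell metacharacter and any value that starts with `-`; that method is not part of this patch, so confirm it exists and what it allows. Dropping the shell makes the filter a second layer instead of the only one: `ProcessBuilder builder = new ProcessBuilder("curl", "--", safeHost);`. `logger.info(host)` still writes the raw header to the log before the check, so it would be safer to log after validation, or to log rejected values with control characters stripped. Throwing `IllegalArgumentException` will probably surface as a 500 unless a handler maps it, whereas `codeInjectSec` in the same class returns a message string for a rejected value. The body of `codeInjectHost` begins and ends outside this hunk.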