修复CVE-2023-24163漏洞

CHANGELOG.md

@@ -35,6 +35,7 @@
 * 【core  】      修复VersionComparator对1.0.3及1.0.2a比较有误的问题（pr#1043@Gitee）
 * 【core  】      修复IOS系统下，chrome 浏览器的解析规则有误（pr#1044@Gitee）
 * 【extra 】      修复多线程下Sftp中Channel关闭的问题（issue#I7OHIB@Gitee）
+* 【extra 】      修复CVE-2023-24163漏洞（issue#I6AJWJ@Gitee）
 
 -------------------------------------------------------------------------------------------------------------
 # 5.8.20(2023-06-16)

hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionEngine.java

@@ -1,20 +1,23 @@
 package cn.hutool.extra.expression;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
  * 表达式引擎API接口，通过实现此接口，完成表达式的解析和执行
  *
- * @author looll,independenter
+ * @author looll, independenter
  * @since 5.5.0
  */
 public interface ExpressionEngine {
 
 	/**
 	 * 执行表达式
-	 * @param expression 表达式
-	 * @param context 表达式上下文，用于存储表达式中所需的变量值等
+	 *
+	 * @param expression    表达式
+	 * @param context       表达式上下文，用于存储表达式中所需的变量值等
+	 * @param allowClassSet 允许的Class白名单
 	 * @return 执行结果
 	 */
-	Object eval(String expression, Map<String, Object> context);
+	Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet);
 }

hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionUtil.java

@@ -1,7 +1,9 @@
 package cn.hutool.extra.expression;
 
+import cn.hutool.core.collection.ListUtil;
 import cn.hutool.extra.expression.engine.ExpressionFactory;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -29,6 +31,19 @@ public static ExpressionEngine getEngine() {
 	 * @return 执行结果
 	 */
 	public static Object eval(String expression, Map<String, Object> context) {
-		return getEngine().eval(expression, context);
+		return eval(expression, context, ListUtil.empty());
+	}
+
+	/**
+	 * 执行表达式
+	 *
+	 * @param expression 表达式
+	 * @param context    表达式上下文，用于存储表达式中所需的变量值等
+	 * @param allowClassSet 允许的Class白名单
+	 * @return 执行结果
+	 * @since 5.8.21
+	 */
+	public static Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
+		return getEngine().eval(expression, context, allowClassSet);
 	}
 }

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/aviator/AviatorEngine.java

@@ -1,9 +1,13 @@
 package cn.hutool.extra.expression.engine.aviator;
 
+import cn.hutool.core.collection.CollUtil;
 import cn.hutool.extra.expression.ExpressionEngine;
 import com.googlecode.aviator.AviatorEvaluator;
 import com.googlecode.aviator.AviatorEvaluatorInstance;
+import com.googlecode.aviator.Options;
 
+import java.util.Collection;
+import java.util.Collections;
 import java.util.Map;
 
 /**
@@ -25,7 +29,10 @@ public AviatorEngine() {
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
+		// issue#I6AJWJ
+		engine.setOption(Options.ALLOWED_CLASS_SET,
+			CollUtil.isEmpty(allowClassSet) ? Collections.emptySet() : CollUtil.newHashSet(allowClassSet));
 		return engine.execute(expression, context);
 	}
 

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jexl/JexlEngine.java

@@ -4,6 +4,7 @@
 import org.apache.commons.jexl3.JexlBuilder;
 import org.apache.commons.jexl3.MapContext;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -22,7 +23,7 @@ public JexlEngine(){
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		final MapContext mapContext = new MapContext(context);
 
 		try{

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jfireel/JfireELEngine.java

@@ -3,6 +3,7 @@
 import cn.hutool.extra.expression.ExpressionEngine;
 import com.jfirer.jfireel.expression.Expression;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -25,7 +26,7 @@ public JfireELEngine(){
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		return Expression.parse(expression).calculate(context);
 	}
 

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/mvel/MvelEngine.java

@@ -3,6 +3,7 @@
 import cn.hutool.extra.expression.ExpressionEngine;
 import org.mvel2.MVEL;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -25,7 +26,7 @@ public MvelEngine(){
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		return MVEL.eval(expression, context);
 	}
 

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java

@@ -5,6 +5,7 @@
 import com.ql.util.express.DefaultContext;
 import com.ql.util.express.ExpressRunner;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -26,7 +27,7 @@ public QLExpressEngine() {
 	}
 
 	@Override
-	public Object eval(final String expression, final Map<String, Object> context) {
+	public Object eval(final String expression, final Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		final DefaultContext<String, Object> defaultContext = new DefaultContext<>();
 		defaultContext.putAll(context);
 		try {

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/rhino/RhinoEngine.java

@@ -6,6 +6,7 @@
 import org.mozilla.javascript.Scriptable;
 import org.mozilla.javascript.ScriptableObject;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -22,7 +23,7 @@ public class RhinoEngine implements ExpressionEngine {
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		final Context ctx = Context.enter();
 		final Scriptable scope = ctx.initStandardObjects();
 		if (MapUtil.isNotEmpty(context)) {

hutool-extra/src/main/java/cn/hutool/extra/expression/engine/spel/SpELEngine.java

@@ -6,6 +6,7 @@
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.expression.spel.support.StandardEvaluationContext;
 
+import java.util.Collection;
 import java.util.Map;
 
 /**
@@ -27,7 +28,7 @@ public SpELEngine(){
 	}
 
 	@Override
-	public Object eval(String expression, Map<String, Object> context) {
+	public Object eval(String expression, Map<String, Object> context, Collection<Class<?>> allowClassSet) {
 		final EvaluationContext evaluationContext = new StandardEvaluationContext();
 		context.forEach(evaluationContext::setVariable);
 		return parser.parseExpression(expression).getValue(evaluationContext);