From 0eee7eadc7267641fd53ceabb9e956a112b71c29 Mon Sep 17 00:00:00 2001 From: Looly Date: Sat, 29 Jul 2023 13:56:02 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-24163=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 1 + .../extra/expression/ExpressionEngine.java | 11 +++++++---- .../hutool/extra/expression/ExpressionUtil.java | 17 ++++++++++++++++- .../engine/aviator/AviatorEngine.java | 9 ++++++++- .../expression/engine/jexl/JexlEngine.java | 3 ++- .../engine/jfireel/JfireELEngine.java | 3 ++- .../expression/engine/mvel/MvelEngine.java | 3 ++- .../engine/qlexpress/QLExpressEngine.java | 3 ++- .../expression/engine/rhino/RhinoEngine.java | 3 ++- .../expression/engine/spel/SpELEngine.java | 3 ++- 10 files changed, 44 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ab0a72311f..5acaefc93a 100755 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,6 +35,7 @@ * 【core 】 修复VersionComparator对1.0.3及1.0.2a比较有误的问题(pr#1043@Gitee) * 【core 】 修复IOS系统下,chrome 浏览器的解析规则有误(pr#1044@Gitee) * 【extra 】 修复多线程下Sftp中Channel关闭的问题(issue#I7OHIB@Gitee) +* 【extra 】 修复CVE-2023-24163漏洞(issue#I6AJWJ@Gitee) ------------------------------------------------------------------------------------------------------------- # 5.8.20(2023-06-16) diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionEngine.java index 824e7942e8..fba9896f12 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionEngine.java 
@@ -1,20 +1,23 @@ package cn.hutool.extra.expression; +import java.util.Collection; import java.util.Map; /** * 表达式引擎API接口,通过实现此接口,完成表达式的解析和执行 * - * @author looll,independenter + * @author looll, independenter * @since 5.5.0 */ public interface ExpressionEngine { /** * 执行表达式 - * @param expression 表达式 - * @param context 表达式上下文,用于存储表达式中所需的变量值等 + * + * @param expression 表达式 + * @param context 表达式上下文,用于存储表达式中所需的变量值等 + * @param allowClassSet 允许的Class白名单 * @return 执行结果 */ - Object eval(String expression, Map context); + Object eval(String expression, Map context, Collection> allowClassSet); } diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionUtil.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionUtil.java index fb2bd34489..e4539da466 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionUtil.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/ExpressionUtil.java @@ -1,7 +1,9 @@ package cn.hutool.extra.expression; +import cn.hutool.core.collection.ListUtil; import cn.hutool.extra.expression.engine.ExpressionFactory; +import java.util.Collection; import java.util.Map; /** @@ -29,6 +31,19 @@ public static ExpressionEngine getEngine() { * @return 执行结果 */ public static Object eval(String expression, Map context) { - return getEngine().eval(expression, context); + return eval(expression, context, ListUtil.empty()); + } + + /** + * 执行表达式 + * + * @param expression 表达式 + * @param context 表达式上下文,用于存储表达式中所需的变量值等 + * @param allowClassSet 允许的Class白名单 + * @return 执行结果 + * @since 5.8.21 + */ + public static Object eval(String expression, Map context, Collection> allowClassSet) { + return getEngine().eval(expression, context, allowClassSet); } } diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/aviator/AviatorEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/aviator/AviatorEngine.java index a527e089bf..b1cd35fb63 100644 
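Review bot: The Javadoc for the new parameter, `@param allowClassSet 允许的Class白名单`, does not define the contract an implementation must honour: what an empty or null collection means, and whether a caller may rely on the list being enforced at all. In this patch only AviatorEngine reads the parameter (it installs an empty `ALLOWED_CLASS_SET` when the collection is empty, which reads as deny-all, but the interface never says so), while JexlEngine, JfireELEngine, MvelEngine, QLExpressEngine, RhinoEngine and SpELEngine accept and ignore it, so an allowlist passed through this interface is not a security boundary unless the engine happens to be Aviator. I would spell it out on the interface, e.g. `@param allowClassSet allowlist of classes an expression may reference; an empty collection permits none. Enforcement is engine-specific — implementations that cannot restrict classes must document that the list is ignored`, and have each implementation state which case it is.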
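Review bot: The existing two-argument `eval` now forwards `ListUtil.empty()` as the allowlist, which changes its behaviour for Aviator users (an empty `ALLOWED_CLASS_SET` is installed on every call) without any mention in its Javadoc, whose start lies before the hunk. Callers whose expressions construct or statically call classes will presumably begin failing after the upgrade, and nothing in the documentation points them to the new overload. I would add to the two-argument method's Javadoc: `Evaluates with an empty class allowlist; engines that enforce the list (currently Aviator) reject class references — use {@link #eval(String, Map, Collection)} to permit specific classes`, and mention the same default in the `@since 5.8.21` overload.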
--- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/aviator/AviatorEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/aviator/AviatorEngine.java @@ -1,9 +1,13 @@ package cn.hutool.extra.expression.engine.aviator; +import cn.hutool.core.collection.CollUtil; import cn.hutool.extra.expression.ExpressionEngine; import com.googlecode.aviator.AviatorEvaluator; import com.googlecode.aviator.AviatorEvaluatorInstance; +import com.googlecode.aviator.Options; +import java.util.Collection; +import java.util.Collections; import java.util.Map; /** @@ -25,7 +29,10 @@ public AviatorEngine() { } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { + // issue#I6AJWJ + engine.setOption(Options.ALLOWED_CLASS_SET, + CollUtil.isEmpty(allowClassSet) ? Collections.emptySet() : CollUtil.newHashSet(allowClassSet)); return engine.execute(expression, context); } diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jexl/JexlEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jexl/JexlEngine.java index c6e2e1b53d..c086752e93 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jexl/JexlEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jexl/JexlEngine.java @@ -4,6 +4,7 @@ import org.apache.commons.jexl3.JexlBuilder; import org.apache.commons.jexl3.MapContext; +import java.util.Collection; import java.util.Map; /** @@ -22,7 +23,7 @@ public JexlEngine(){ } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { final MapContext mapContext = new MapContext(context); try{ 
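Review bot: `engine.setOption(Options.ALLOWED_CLASS_SET, …)` mutates the shared `AviatorEvaluatorInstance` field on every call, so two threads evaluating through the same engine (which `ExpressionUtil.getEngine()` appears to hand out) can interleave: thread A installs its allowlist, thread B replaces it with a different one, and A's `engine.execute` then runs under B's list, so a caller that passed an empty list may execute with another caller's broader one. Either make the option-set and execute pair atomic (a lock around the two statements), or evaluate on a per-call instance (`AviatorEvaluator.newInstance()` configured with the option, at the cost of per-call setup) and keep the shared `engine` only for construction-time defaults; the field's declaration and the constructor body are outside the hunk, so I cannot see how the instance is shared. The bare `// issue#I6AJWJ` marker would also read better as `// issue#I6AJWJ: restrict the classes an expression may reference (CVE-2023-24163)`.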
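Review bot: `allowClassSet` is accepted but never read in `JexlEngine.eval`, and the same holds for the new signatures in JfireELEngine, MvelEngine, QLExpressEngine, RhinoEngine and SpELEngine, so for six of the seven engines the CVE-2023-24163 fix announced in the changelog changes nothing about what an expression can reach. A caller reading the interface would reasonably assume the allowlist is enforced. Where the engine has its own class restriction it should be wired to the parameter — JEXL via `JexlBuilder.sandbox(...)` or its permissions, Rhino via `Context.setClassShutter(...)`, SpEL by evaluating in a `SimpleEvaluationContext` (no type references or constructors) instead of `StandardEvaluationContext` when the list is empty — and where it has none, the engine's Javadoc should say that `allowClassSet` is ignored so the gap stays visible. The method body continues outside the hunk in each of these files.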
diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jfireel/JfireELEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jfireel/JfireELEngine.java index 9c6cd3f796..7c4c8fc465 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jfireel/JfireELEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/jfireel/JfireELEngine.java @@ -3,6 +3,7 @@ import cn.hutool.extra.expression.ExpressionEngine; import com.jfirer.jfireel.expression.Expression; +import java.util.Collection; import java.util.Map; /** @@ -25,7 +26,7 @@ public JfireELEngine(){ } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { return Expression.parse(expression).calculate(context); } diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/mvel/MvelEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/mvel/MvelEngine.java index bc84d9cc03..b580418818 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/mvel/MvelEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/mvel/MvelEngine.java @@ -3,6 +3,7 @@ import cn.hutool.extra.expression.ExpressionEngine; import org.mvel2.MVEL; +import java.util.Collection; import java.util.Map; /** @@ -25,7 +26,7 @@ public MvelEngine(){ } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { return MVEL.eval(expression, context); } diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java index d941685d14..1103931617 100755 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java 
+++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/qlexpress/QLExpressEngine.java @@ -5,6 +5,7 @@ import com.ql.util.express.DefaultContext; import com.ql.util.express.ExpressRunner; +import java.util.Collection; import java.util.Map; /** @@ -26,7 +27,7 @@ public QLExpressEngine() { } @Override - public Object eval(final String expression, final Map context) { + public Object eval(final String expression, final Map context, Collection> allowClassSet) { final DefaultContext defaultContext = new DefaultContext<>(); defaultContext.putAll(context); try { diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/rhino/RhinoEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/rhino/RhinoEngine.java index 9bc1836059..7e2d406cb6 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/rhino/RhinoEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/rhino/RhinoEngine.java @@ -6,6 +6,7 @@ import org.mozilla.javascript.Scriptable; import org.mozilla.javascript.ScriptableObject; +import java.util.Collection; import java.util.Map; /** @@ -22,7 +23,7 @@ public class RhinoEngine implements ExpressionEngine { } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { final Context ctx = Context.enter(); final Scriptable scope = ctx.initStandardObjects(); if (MapUtil.isNotEmpty(context)) { diff --git a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/spel/SpELEngine.java b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/spel/SpELEngine.java index d7ae0028c0..06c647dc61 100644 --- a/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/spel/SpELEngine.java +++ b/hutool-extra/src/main/java/cn/hutool/extra/expression/engine/spel/SpELEngine.java 
@@ -6,6 +6,7 @@ import org.springframework.expression.spel.standard.SpelExpressionParser; import org.springframework.expression.spel.support.StandardEvaluationContext; +import java.util.Collection; import java.util.Map; /** @@ -27,7 +28,7 @@ public SpELEngine(){ } @Override - public Object eval(String expression, Map context) { + public Object eval(String expression, Map context, Collection> allowClassSet) { final EvaluationContext evaluationContext = new StandardEvaluationContext(); context.forEach(evaluationContext::setVariable); return parser.parseExpression(expression).getValue(evaluationContext);