Merge pull request #303 from logzio/DEV-31880-FIX-MUSTCHE-PARTIALS-VU…

…LNERABILITY disallow using Mustache Partials
logzio · May 17, 2022 · ac5d4c9 · ac5d4c9
2 parents bc804b5 + 94d223b
commit ac5d4c9
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 14 deletions.
diff --git a/pom.xml b/pom.xml
@@ -143,7 +143,7 @@
             <dependency>
                 <groupId>com.github.spullara.mustache.java</groupId>
                 <artifactId>compiler</artifactId>
-                <version>0.9.2</version>
+                <version>0.9.10</version>
             </dependency>
   			<dependency>
                 <groupId>org.apache.commons</groupId>

diff --git a/sawmill-core/src/main/java/io/logz/sawmill/TemplateService.java b/sawmill-core/src/main/java/io/logz/sawmill/TemplateService.java
@@ -4,6 +4,8 @@
 import com.github.mustachejava.MustacheFactory;
 import io.logz.sawmill.exceptions.SawmillException;
 
+import io.logz.sawmill.mustache.factories.UnescapedMustacheFactory;
+import io.logz.sawmill.mustache.factories.UnescapedWithJsonStringMustacheFactory;
 import java.io.StringReader;
 import java.io.StringWriter;
 import java.util.Arrays;

diff --git a/...re/src/main/java/io/logz/sawmill/mustache/factories/SafeMustacheCustomVisitorFactory.java b/...re/src/main/java/io/logz/sawmill/mustache/factories/SafeMustacheCustomVisitorFactory.java
@@ -0,0 +1,24 @@
+package io.logz.sawmill.mustache.factories;
+
+import com.github.mustachejava.DefaultMustacheVisitor;
+import com.github.mustachejava.MustacheException;
+import com.github.mustachejava.MustacheVisitor;
+import com.github.mustachejava.SafeMustacheFactory;
+import com.github.mustachejava.TemplateContext;
+import java.util.Collections;
+
+public class SafeMustacheCustomVisitorFactory extends SafeMustacheFactory {
+
+    public SafeMustacheCustomVisitorFactory() {
+        super(Collections.emptySet(), "."); // disallow any resource reference
+    }
+
+    @Override
+    public MustacheVisitor createMustacheVisitor() {
+        return new DefaultMustacheVisitor(this) {
+            public void pragma(TemplateContext tc, String pragma, String args) {
+                throw new MustacheException("Disallowed: pragmas in templates");
+            }
+        };
+    }
+}
diff --git a/...ogz/sawmill/UnescapedMustacheFactory.java → ...e/factories/UnescapedMustacheFactory.java b/...ogz/sawmill/UnescapedMustacheFactory.java → ...e/factories/UnescapedMustacheFactory.java
@@ -1,20 +1,16 @@
-package io.logz.sawmill;
+package io.logz.sawmill.mustache.factories;
 
-import com.github.mustachejava.DefaultMustacheFactory;
 import com.github.mustachejava.MustacheException;
 import com.github.mustachejava.reflect.ReflectionObjectHandler;
-
 import java.io.IOException;
 import java.io.Writer;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
-public class UnescapedMustacheFactory extends DefaultMustacheFactory {
+public class UnescapedMustacheFactory extends SafeMustacheCustomVisitorFactory {
     public UnescapedMustacheFactory() {
-        super();
-
         this.setObjectHandler(new ListTransformObjectHandler());
     }
 

diff --git a/...escapedWithJsonStringMustacheFactory.java → ...escapedWithJsonStringMustacheFactory.java b/...escapedWithJsonStringMustacheFactory.java → ...escapedWithJsonStringMustacheFactory.java
@@ -1,21 +1,17 @@
-package io.logz.sawmill;
+package io.logz.sawmill.mustache.factories;
 
-import com.github.mustachejava.DefaultMustacheFactory;
 import com.github.mustachejava.MustacheException;
 import com.github.mustachejava.reflect.ReflectionObjectHandler;
 import io.logz.sawmill.utilities.JsonUtils;
-
 import java.io.IOException;
 import java.io.Writer;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
-public class UnescapedWithJsonStringMustacheFactory extends DefaultMustacheFactory {
+public class UnescapedWithJsonStringMustacheFactory extends SafeMustacheCustomVisitorFactory {
     public UnescapedWithJsonStringMustacheFactory() {
-        super();
-
         this.setObjectHandler(new ListTransformObjectHandler());
     }
 

diff --git a/sawmill-core/src/test/java/io/logz/sawmill/TemplateTest.java b/sawmill-core/src/test/java/io/logz/sawmill/TemplateTest.java
@@ -1,5 +1,6 @@
 package io.logz.sawmill;
 
+import com.github.mustachejava.MustacheException;
 import com.google.common.collect.ImmutableMap;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -86,6 +87,13 @@ public void testNullContext() {
         assertThat(value).isEqualTo(" señor , Have a good day");
     }
 
+    @Test
+    public void testInvalidAccessWithMustachePartials() {
+        assertThatThrownBy(() -> new TemplateService().createTemplate("This is my host file content:\n {{>/etc/hosts}}"))
+                .isInstanceOf(MustacheException.class)
+                .hasMessageContaining("Disallowed: resource requested");
+    }
+
     @Test
     public void testDateTemplate() {
         String dateFormat = "dd.MM.yyyy";
@@ -102,7 +110,8 @@ public void testInvalidDateTemplate() {
         Template template = new TemplateService().createTemplate("Today is {{#dateTemplate}}" + dateFormat + "{{/dateTemplate}}");
         Doc doc = createDoc("field1", "value1");
 
-        assertThatThrownBy(() -> template.render(doc)).isInstanceOf(IllegalArgumentException.class);
+        assertThatThrownBy(() -> template.render(doc)).isInstanceOf(MustacheException.class)
+                                                      .hasCauseExactlyInstanceOf(IllegalArgumentException.class);
     }
 
     @Test