You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello, i'm threedr3am. I found that Thymeleaf 3.0.12 version provides a new function Restricted mode to restrict the execution of statements such as T(java.lang.String) and new java.lang.String().
public static boolean containsSpELInstantiationOrStatic(final String expression) {
/*
* Checks whether the expression contains instantiation of objects ("new SomeClass") or makes use of
* static methods ("T(SomeClass)") as both are forbidden in certain contexts in restricted mode.
*/
final int explen = expression.length();
int n = explen;
int ni = 0; // index for computing position in the NEW_ARRAY
int si = -1;
char c;
while (n-- != 0) {
c = expression.charAt(n);
// When checking for the "new" keyword, we need to identify that it is not a part of a larger
// identifier, i.e. there is whitespace after it and no character that might be a part of an
// identifier before it.
if (ni < NEW_LEN
&& c == NEW_ARRAY[ni]
&& (ni > 0 || ((n + 1 < explen) && Character.isWhitespace(expression.charAt(n + 1))))) {
ni++;
if (ni == NEW_LEN && (n == 0 || !Character.isJavaIdentifierPart(expression.charAt(n - 1)))) {
return true; // we found an object instantiation
}
continue;
}
if (ni > 0) {
// We 'restart' the matching counter just in case we had a partial match
n += ni;
ni = 0;
if (si < n) {
// This has to be restarted too
si = -1;
}
continue;
}
ni = 0;
if (c == ')') {
si = n;
} else if (si > n && c == '('
&& ((n - 1 >= 0) && (expression.charAt(n - 1) == 'T'))
&& ((n - 1 == 0) || !Character.isJavaIdentifierPart(expression.charAt(n - 2)))) {
return true;
} else if (si > n && !(Character.isJavaIdentifierPart(c) || c == '.')) {
si = -1;
}
}
return false;
}
However, I found through research that this security check can be bypassed by simply changing the expression.
such as:
T(java.lang.String)
You can add a null character between T and (to bypass the detection
T (java.lang.String)
0x02 EXP
So, I can still execute commands through expressions, leading to RCE, remote command execution
Thanks for the report. Although I agree this needs to be addressed, I would not consider this a security vulnerability as such, as this behaviour cannot be provoked from the outside: this is a developer willingly finding a way to bypass a security-oriented restriction by forcing Spring EL's syntax.
danielfernandez
changed the title
Report a security vulnerability for Restricted mode bypass
Restriction for the execution of static code in restricted mode can be bypassed
Apr 25, 2021
That's right, under normal circumstances, there is no way to attack from the outside, but I found that when there is such a controller, it will be able to pass in SPEL from the outside and execute:
I found some github projects that will be affected, and there are vulnerabilities in remote command execution.
try {
// By parsing it as a standard expression, we might profit from the expression cache
fragmentExpression = (FragmentExpression) parser.parseExpression(context, "~{" + viewTemplateName + "}");
} catch (final TemplateProcessingException e) {
throw new IllegalArgumentException("Invalid template name specification: '" + viewTemplateName + "'");
}
Hello, i'm threedr3am. I found that Thymeleaf 3.0.12 version provides a new function Restricted mode to restrict the execution of statements such as T(java.lang.String) and new java.lang.String().
0x01 Vulnerability details
thymeleaf/thymeleaf#809
spring3、spring4、spring5
https://github.com/thymeleaf/thymeleaf-spring/blob/3.0-master/thymeleaf-spring3/src/main/java/org/thymeleaf/spring3/util/SpringStandardExpressionUtils.java
https://github.com/thymeleaf/thymeleaf-spring/blob/3.0-master/thymeleaf-spring4/src/main/java/org/thymeleaf/spring4/util/SpringStandardExpressionUtils.java
https://github.com/thymeleaf/thymeleaf-spring/blob/3.0-master/thymeleaf-spring5/src/main/java/org/thymeleaf/spring5/util/SpringStandardExpressionUtils.java
However, I found through research that this security check can be bypassed by simply changing the expression.
such as:
You can add a null character between T and (to bypass the detection
0x02 EXP
So, I can still execute commands through expressions, leading to RCE, remote command execution
0x03 Other
The affected projects also include: https://github.com/thymeleaf/thymeleaf-spring
The text was updated successfully, but these errors were encountered: