
Expression Injection Vulnerability report #118

Open
LQxdu opened this issue Feb 12, 2025 · 0 comments

Comments


LQxdu commented Feb 12, 2025

Summary

OperaPrestoDriver utilizes the commons-jxpath library’s APIs to parse collection JXPath queries but lacks essential security configurations. The commons-jxpath library provides powerful expression parsing and evaluation capabilities, including the ability to access and invoke related methods. As a result, attackers can inject carefully crafted expressions to exploit these features, potentially invoking security-sensitive methods and executing arbitrary commands.

Vulnerable code

For example, in the AbstractService.xpathIterator and AbstractService.xpathPointer methods.

public Pointer xpathPointer(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection); // without disabling functions (e.g., setLenient(false)) or restricting access to Java classes.
    Pointer result = null;

    try {
        result = pathContext.getPointer(query); // sink
    } catch (JXPathNotFoundException e) {
        logger.warning(String.format("JXPath exception: %s", e.getMessage()));
    }

    return result;
}

public Iterator<?> xpathIterator(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection);
    Iterator<?> result = null;

    try {
        result = pathContext.iteratePointers(query); // sink
    } catch (JXPathNotFoundException e) {
        logger.log(Level.WARNING, "JXPath exception: {0}", e.getMessage());
    }

    return result;
}

Potential Attack Impact

Remote Code Execution.

Recommended Mitigation Measures (Refer to the patch for CVE-2024-36404: geotools/geotools@f0c9961)

public Pointer xpathPointer(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection);
+  pathContext.setFunctions(new FunctionLibrary()); // Set empty function library to prevent calling functions
    Pointer result = null;

    try {
      result = pathContext.getPointer(query); 
    } catch (JXPathNotFoundException e) {
      logger.warning(String.format("JXPath exception: %s", e.getMessage()));
    }

    return result;
  }
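Review bot: the fix is shown only for xpathPointer, while the vulnerable-code section above lists xpathIterator as reaching the same kind of sink through JXPathContext.newContext(collection) followed by iteratePointers(query); the `pathContext.setFunctions(new FunctionLibrary());` line needs to be added there as well (together with the org.apache.commons.jxpath.FunctionLibrary import), or better, the restricted context creation moved into one shared helper so that no caller can construct an unrestricted context.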
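As an added illustration (not OperaPrestoDriver's or commons-jxpath's own code), here is a wrapper built on the empty-FunctionLibrary mitigation above, run over a constructed window list: an ordinary predicate query still resolves, while a hypothetical extension-function call (`ext:lookup`) is refused before any class lookup takes place. It assumes commons-jxpath 1.3 on the classpath and Java 9+ for `Map.of`.

```java
// Added example, not OperaPrestoDriver or commons-jxpath code; assumes commons-jxpath 1.3, Java 9+.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathFunctionNotFoundException;
import org.apache.commons.jxpath.JXPathNotFoundException;
import org.apache.commons.jxpath.Pointer;

public class RestrictedJxpath {

    /** Context that evaluates paths and XPath core functions only. */
    static JXPathContext newRestrictedContext(Collection<?> collection) {
        JXPathContext ctx = JXPathContext.newContext(collection);
        // Without this the context falls back to its default PackageFunctions,
        // which resolves extension-function names against Java classes.
        ctx.setFunctions(new FunctionLibrary());
        return ctx;
    }

    /** Same contract as the original helper: null when nothing matches. */
    static Pointer xpathPointer(Collection<?> collection, String query) {
        try {
            return newRestrictedContext(collection).getPointer(query);
        } catch (JXPathNotFoundException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the driver's window list.
        List<Map<String, String>> windows = new ArrayList<>();
        windows.add(Map.of("id", "1", "title", "Home"));
        windows.add(Map.of("id", "2", "title", "Settings"));
        // Ordinary predicate query: unaffected by the empty function library.
        Pointer match = xpathPointer(windows, ".[title='Settings']");
        System.out.println("matched: " + match.getValue());
        // Hypothetical extension function (ext:lookup): refused before any
        // class is looked up, whatever the caller supplied in the query.
        try {
            xpathPointer(windows, ".[ext:lookup(title)='Home']");
            System.out.println("unexpected: extension function evaluated");
        } catch (JXPathFunctionNotFoundException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```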