spring rce mitigation

swedenconnect · Mar 31, 2022 · 1390e3c · 1390e3c
1 parent 2e3b943
commit 1390e3c
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
 
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 ENTRYPOINT ["java","-jar","/app.jar"]
 
 # Main web port

diff --git a/Dockerfile-debug b/Dockerfile-debug
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
 
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 
 # This ENTRYPOINT enables attachement of a debugger on port 8000. This port is automtically exposed on the docker container.
 ENTRYPOINT ["java","-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000","-jar","/app.jar"]

diff --git a/Dockerfile-softhsm b/Dockerfile-softhsm
@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y pcscd libccid libpcsclite-dev libssl-de
 # Setup softhsm
 RUN rm -rf /var/lib/softhsm/tokens && mkdir /var/lib/softhsm/tokens
 
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 COPY src/main/resources/cfg/start.sh /
 
 ENTRYPOINT /start.sh

diff --git a/pom.xml b/pom.xml
@@ -21,13 +21,13 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.3</version>
+        <version>2.6.5</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
 
     <groupId>se.swedenconnect.ca</groupId>
     <artifactId>cmc-ca-client-base</artifactId>
-    <version>1.0.1-SNAPSHOT</version>
+    <version>1.0.1</version>
 
     <name>CA CMC client base</name>
     <description>CA CMC Client base for administration of CA services</description>

diff --git a/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java b/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
@@ -0,0 +1,19 @@
+package se.swedenconnect.ca.cmcclient.configuration;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+@ControllerAdvice
+@Order(10000)
+public class BinderControllerAdvice {
+  @InitBinder
+  public void setAllowedFields(WebDataBinder dataBinder) {
+    // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+    // By applying this mitigation, you prevent the "Class Loader Manipulation" attack vector from firing.
+    // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+    String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
+    dataBinder.setDisallowedFields(denylist);
+  }
+}
diff --git a/src/main/resources/cfg/banner.txt b/src/main/resources/cfg/banner.txt
@@ -4,5 +4,5 @@
  | |___   / ___ \    \__ \ |  __/ | |     \ V /  | | | (__  |  __/   | |___  | |  | | | |___    | (__  | | | | |  __/ | | | | | |_
   \____| /_/   \_\   |___/  \___| |_|      \_/   |_|  \___|  \___|    \____| |_|  |_|  \____|    \___| |_| |_|  \___| |_| |_|  \__|
 
-1.0.1-SNAPSHOT
+1.0.1
 Powered by Spring Boot ${spring-boot.version}