From 1390e3c1844eda6c2389eb117203ec51ad2c3b2f Mon Sep 17 00:00:00 2001
From: Stefan Santesson
Date: Thu, 31 Mar 2022 13:49:08 +0200
Subject: [PATCH] spring rce mitigation
---
 Dockerfile | 2 +-
 Dockerfile-debug | 2 +-
 Dockerfile-softhsm | 2 +-
 pom.xml | 4 ++--
 .../configuration/BinderControllerAdvice.java | 19 +++++++++++++++++++
 src/main/resources/cfg/banner.txt | 2 +-
 6 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
diff --git a/Dockerfile b/Dockerfile
index 19e045c..a435587 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 ENTRYPOINT ["java","-jar","/app.jar"]
 # Main web port
diff --git a/Dockerfile-debug b/Dockerfile-debug
index de1196a..f7256fa 100644
--- a/Dockerfile-debug
+++ b/Dockerfile-debug
@@ -1,6 +1,6 @@
 FROM openjdk:11-jre
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 # This ENTRYPOINT enables attachement of a debugger on port 8000. This port is automtically exposed on the docker container.
 ENTRYPOINT ["java","-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000","-jar","/app.jar"]
diff --git a/Dockerfile-softhsm b/Dockerfile-softhsm
index 5c7300e..c7719c0 100644
--- a/Dockerfile-softhsm
+++ b/Dockerfile-softhsm
@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y pcscd libccid libpcsclite-dev libssl-de
 # Setup softhsm
 RUN rm -rf /var/lib/softhsm/tokens && mkdir /var/lib/softhsm/tokens
-ADD target/cmc-ca-client-base-1.0.1-SNAPSHOT.jar /app.jar
+ADD target/cmc-ca-client-base-1.0.1.jar /app.jar
 COPY src/main/resources/cfg/start.sh /
 ENTRYPOINT /start.sh
diff --git a/pom.xml b/pom.xml
index 57d9ac6..2189a8a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,13 +21,13 @@
 org.springframework.boot spring-boot-starter-parent
- 2.6.3
+ 2.6.5
 se.swedenconnect.ca cmc-ca-client-base
- 1.0.1-SNAPSHOT
+ 1.0.1
 CA CMC client base CA CMC Client base for administration of CA services
diff --git a/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java b/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
new file mode 100644
index 0000000..d5791cd
--- /dev/null
+++ b/src/main/java/se/swedenconnect/ca/cmcclient/configuration/BinderControllerAdvice.java
@@ -0,0 +1,19 @@
+package se.swedenconnect.ca.cmcclient.configuration;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+@ControllerAdvice
+@Order(10000)
+public class BinderControllerAdvice {
+ @InitBinder
+ public void setAllowedFields(WebDataBinder dataBinder) {
+ // This code protects Spring Core from a "Remote Code Execution" attack (dubbed "Spring4Shell").
+ // By applying this mitigation, you prevent the "Class Loader Manipulation" attack vector from firing.
+ // For more details, see this post: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/
+ String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
+ dataBinder.setDisallowedFields(denylist);
+ }
+}
\ No newline at end of file
diff --git a/src/main/resources/cfg/banner.txt b/src/main/resources/cfg/banner.txt
index 831543b..a9cd2fb 100644
--- a/src/main/resources/cfg/banner.txt
+++ b/src/main/resources/cfg/banner.txt
@@ -4,5 +4,5 @@ | |___ / ___ \ \__ \ | __/ | | \ V / | | | (__ | __/ | |___ | | | | | |___ | (__ | | | | | __/ | | | | | |_ \____| /_/ \_\ |___/ \___| |_| \_/ |_| \___| \___| \____| |_| |_| \____| \___| |_| |_| \___| |_| |_| \__|
-1.0.1-SNAPSHOT
+1.0.1
 Powered by Spring Boot ${spring-boot.version}
\ No newline at end of file
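Review bot: The denylist in BinderControllerAdvice is only a stopgap, and nothing in this commit brings in a patched Spring Framework: the pom.xml hunk moves Spring Boot from 2.6.3 to 2.6.5, which as far as I can tell still resolves to Spring Framework 5.3.17, while the actual fix for the class-loader binding attack (CVE-2022-22965, the "Spring4Shell" the comment refers to) shipped in Framework 5.3.18 / Spring Boot 2.6.6 on the same day as this commit, so the version should be bumped as soon as it is available and the class should carry a class-level Javadoc saying it is a temporary mitigation, e.g. `// TODO(security): remove once Spring Framework >= 5.3.18 is on the classpath`. A second caveat worth documenting on the class: `WebDataBinder.setDisallowedFields` replaces the pattern array rather than appending to it, so any controller that declares its own `@InitBinder` and calls `setDisallowedFields` will silently discard this global denylist; a grep over the controllers for `setDisallowedFields` would confirm none does. The two capitalised variants are needed because, on the unpatched framework, the disallowed-field patterns are matched case-sensitively (this is the related CVE-2022-22968 issue); a short comment saying so would stop a future cleanup from "deduplicating" them. Lastly, the method is named `setAllowedFields` but configures disallowed fields — renaming it to `configureDisallowedFields` would avoid misleading the next reader.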