
Fix Critical Java EL Injection RCE vulnerability from GHSL-2020-213
kiturutin committed Dec 14, 2020
1 parent 07b4cbe commit 4b38e7a
Showing 5 changed files with 52 additions and 9 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

import com.browserup.bup.rest.validation.util.MessageSanitizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -41,12 +42,14 @@ public boolean isValid(String value, ConstraintValidatorContext context) {
longValue = Long.parseLong(value);
} catch (NumberFormatException ex) {
failed = true;
errorMessage = String.format("Invalid integer value: '%s'", value);
String escapedValue = MessageSanitizer.escape(value);
errorMessage = String.format("Invalid integer value: '%s'", escapedValue);
}

if (!failed && longValue < 0) {
failed = true;
errorMessage = String.format("Expected positive integer value, got: '%s'", value);
String escapedValue = MessageSanitizer.escape(value);
errorMessage = String.format("Expected positive integer value, got: '%s'", escapedValue);
}

if (!failed) {
Expand All @@ -59,4 +62,4 @@ public boolean isValid(String value, ConstraintValidatorContext context) {
return false;
}
}
}
}
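Review bot: `MessageSanitizer.escape(value)` is evaluated separately in the NumberFormatException branch and again in the negative-value branch, so the two `escapedValue` locals duplicate each other; computing it once, before the `try` that opens above the hunk, and reusing it in both `String.format` calls keeps the escaping in one place. More broadly, the fix depends on every call site remembering to escape before `buildConstraintViolationWithTemplate`, and the same hand-written pattern is repeated in the three validators below; a small shared helper that takes the fixed template plus the raw value (or, if the project's Hibernate Validator version provides it, `HibernateConstraintValidatorContext#addMessageParameter` with a template that references the parameter instead of embedding the value) would mean a future validator cannot embed raw input by accident. `isValid` begins above the first hunk; its end is shown in the second.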
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

import com.browserup.bup.rest.validation.util.MessageSanitizer;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -36,11 +37,13 @@ public boolean isValid(Object value, ConstraintValidatorContext context) {
if (value != null && StringUtils.isNotEmpty(String.valueOf(value))) {
return true;
}
String errorMessage = String.format("Expected not empty value, got '%s'", value);

String escapedValue = MessageSanitizer.escape(value == null ? null : value.toString());
String errorMessage = String.format("Expected not empty value, got '%s'", escapedValue);
LOG.warn(errorMessage);

context.buildConstraintViolationWithTemplate(errorMessage).addConstraintViolation();
return false;
}
}
}
}
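Review bot: The `value == null ? null : value.toString()` argument on the `escapedValue` line can simply be `String.valueOf(value)`, which the condition two lines above already uses; `escape(null)` returns null and `%s` renders both a null argument and the string `"null"` identically, so the message is unchanged. Separately, `LOG.warn(errorMessage)` still writes the caller-supplied value to the log, and `MessageSanitizer.escape` only touches `{`, `}`, `$` and `\`, so embedded CR/LF in the value would still split or forge log lines; the same applies to the `LOG.warn(errorMessage)` calls in the regexp and port validators below. Stripping control characters from the value before it is logged, or logging only that validation failed plus the value's length, would close that without affecting the constraint message.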
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

import com.browserup.bup.rest.validation.util.MessageSanitizer;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -42,12 +43,13 @@ public boolean isValid(String value, ConstraintValidatorContext context) {
Pattern.compile(value);
return true;
} catch (Exception ex) {
String errorMessage = String.format("URL parameter '%s' is not a valid regexp", value);
String escapedValue = MessageSanitizer.escape(value);
String errorMessage = String.format("URL parameter '%s' is not a valid regexp", escapedValue);
LOG.warn(errorMessage);

context.buildConstraintViolationWithTemplate(errorMessage).addConstraintViolation();
}
return false;
}
}
}
}
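Review bot: The new `escapedValue`/message lines sit inside `catch (Exception ex)`, so any unexpected runtime failure in this method is also reported to the caller as "not a valid regexp" and the real cause is dropped. `Pattern.compile` signals a malformed pattern with `PatternSyntaxException`, so `} catch (PatternSyntaxException ex) {` (with `import java.util.regex.PatternSyntaxException;` added to the import block shown in the first hunk) would keep genuine bugs visible while the user-facing message stays the same. `isValid` begins above the second hunk.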
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@

import com.browserup.bup.proxy.ProxyManager;

import com.browserup.bup.rest.validation.util.MessageSanitizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -47,11 +48,12 @@ public boolean isValid(Integer value, ConstraintValidatorContext context) {
return true;
}

String errorMessage = String.format("No proxy server found for specified port %d", value);
String escapedValue = MessageSanitizer.escape(value.toString());
String errorMessage = String.format("No proxy server found for specified port %s", escapedValue);
LOG.warn(errorMessage);

context.buildConstraintViolationWithTemplate(errorMessage).addPropertyNode(PARAM_NAME).addConstraintViolation();
return false;
}
}
}
}
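Review bot: `MessageSanitizer.escape(value.toString())` cannot change anything here: `value` is an `Integer`, whose `toString()` yields only digits and an optional minus sign, none of which are interpolation metacharacters, so the original `%d` formatting of `value` was already not injectable. The rewrite also replaces a null-tolerant `%d` (a null argument formats as `null`) with an unconditional `value.toString()`, which throws if a null `value` reaches this point; whether the code above the hunk guarantees it cannot is not visible here. Restoring `String errorMessage = String.format("No proxy server found for specified port %d", value);` is the simplest option, and if the escape is kept for uniformity with the other validators, a one-line comment saying it is purely defensive would spare the next reader the same analysis. `isValid` begins above the second hunk.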
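--- /dev/null
+++ b/<path-not-shown-on-page>/MessageSanitizer.java
@@ -0,0 +1,33 @@
+package com.browserup.bup.rest.validation.util;
+/*
+* Modifications Copyright (c) 2019 BrowserUp, Inc.
+* Original from:
+* https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java
+*/
+/*
+* License: Apache License, Version 2.0
+* See the license file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+*/
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class MessageSanitizer {
+
+public static final char BEGIN_CHAR = '{';
+public static final char END_CHAR = '}';
+public static final char EL_DESIGNATOR = '$';
+public static final char ESCAPE_CHARACTER = '\\';
+
+private static final Pattern ESCAPE_PATTERN = Pattern.compile( "([\\" + ESCAPE_CHARACTER + BEGIN_CHAR + END_CHAR + EL_DESIGNATOR + "])" );
+
+private MessageSanitizer() {
+}
+
+public static String escape(String message) {
+if ( message == null ) {
+return null;
+}
+return ESCAPE_PATTERN.matcher( message ).replaceAll( Matcher.quoteReplacement( String.valueOf( ESCAPE_CHARACTER ) ) + "$1" );
+}
+}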
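Review bot: `MessageSanitizer.escape` and its class carry no Javadoc stating their contract, and the name suggests a general-purpose sanitizer when the method only backslash-escapes the four Hibernate Validator message-interpolation metacharacters `{`, `}`, `$` and `\`. A class-level Javadoc should say that the result is safe only as input to `buildConstraintViolationWithTemplate` (it relies on the interpolator honoring `\` escapes, as the Hibernate `InterpolationHelper` it is derived from does), that it is not HTML- or log-safe, and that `null` is returned for `null`; a constructed example such as `${1+1}` becoming `\$\{1+1\}` would make the intent unmistakable. A unit test pinning that example plus the `\` → `\\` case would guard `ESCAPE_PATTERN` against later edits. The class can be declared `final`, and the four `public static final char` constants could be `private` unless something outside the class needs them.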
