Merge pull request #87 from DaspawnW/bugfix/close-vulns

Close vulnerabilities
DaspawnW · Mar 31, 2022 · b2abf00 · b2abf00
2 parents 6d0c019 + 355d0bd
commit b2abf00
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -14,7 +14,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.5.6</version>
+		<version>2.5.11</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 
@@ -65,7 +65,7 @@
 		<dependency>
 			<groupId>com.hubspot.jinjava</groupId>
 			<artifactId>jinjava</artifactId>
-			<version>2.5.2</version>
+			<version>2.5.4</version>
 		</dependency>
 
 		<dependency>

diff --git a/src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java b/src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java
@@ -0,0 +1,19 @@
+package de.koudingspawn.vault.config;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+// https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
+@ControllerAdvice
+@Order(10000)
+public class GlobalControllerAdvice {
+
+    @InitBinder
+    public void setAllowedFields(WebDataBinder dataBinder) {
+        String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
+        dataBinder.setDisallowedFields(abd);
+    }
+
+}
diff --git a/src/test/java/de/koudingspawn/vault/PropertiesTest.java b/src/test/java/de/koudingspawn/vault/PropertiesTest.java
@@ -103,6 +103,7 @@ public void shouldRenderPropertiesFile() throws IOException {
         assertTrue(renderedProperties.contains("test=kv1content"));
         assertTrue(renderedProperties.contains("test2=kv2content"));
         assertTrue(renderedProperties.contains("test3=contextvalue"));
+        assertTrue(renderedProperties.contains("spring.jpa.properties.hibernate.dialect=class.module.classLoader.resources.context.parent.pipeline.first"));
     }
 
     @Test(expected = SecretNotAccessibleException.class)

diff --git a/src/test/resources/test.properties b/src/test/resources/test.properties
@@ -5,3 +5,6 @@ test2={{ vault.lookupV2('kv2/key').get('value') }}
 test3={{ contextkey }}
 
 test4={{ vault.lookupV2('kv2/key', 'value2') }}
+
+# remidiation test spring4shell
+spring.jpa.properties.hibernate.dialect=class.module.classLoader.resources.context.parent.pipeline.first