From 355d0bd336ed3ad53941545062748e5f44e425fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Wenzel?=
Date: Thu, 31 Mar 2022 12:48:20 +0200
Subject: [PATCH] close jinja vulnerability Close cve-2022-22950 remediate rce in spring core
---
pom.xml | 4 ++--
.../vault/config/GlobalControllerAdvice.java | 19 +++++++++++++++++++
.../de/koudingspawn/vault/PropertiesTest.java | 1 +
src/test/resources/test.properties | 3 +++
4 files changed, 25 insertions(+), 2 deletions(-)
create mode 100644 src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java
diff --git a/pom.xml b/pom.xml
index 37b472c..ab506b8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,7 +14,7 @@ org.springframework.boot spring-boot-starter-parent
- 2.5.6
+ 2.5.11
@@ -65,7 +65,7 @@ com.hubspot.jinjava jinjava
- 2.5.2
+ 2.5.4
diff --git a/src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java b/src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java
new file mode 100644
index 0000000..94e339d
--- /dev/null
+++ b/src/main/java/de/koudingspawn/vault/config/GlobalControllerAdvice.java
@@ -0,0 +1,19 @@
+package de.koudingspawn.vault.config;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.InitBinder;
+
+// https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
+@ControllerAdvice
+@Order(10000)
+public class GlobalControllerAdvice {
+
+ @InitBinder
+ public void setAllowedFields(WebDataBinder dataBinder) {
+ String[] abd = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
+ dataBinder.setDisallowedFields(abd);
+ }
+
+}
\ No newline at end of file
diff --git a/src/test/java/de/koudingspawn/vault/PropertiesTest.java b/src/test/java/de/koudingspawn/vault/PropertiesTest.java
index e46e60d..3e8284b 100644
--- a/src/test/java/de/koudingspawn/vault/PropertiesTest.java
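Review bot: `dataBinder.setDisallowedFields(abd)` in `GlobalControllerAdvice` replaces the binder's disallowed-field list instead of adding to it, and a controller-local `@InitBinder` that sets its own list would, as far as I can tell, run afterwards and drop the `class.*` patterns for that controller. The method should carry a comment saying so, e.g. `// Interim Spring4Shell mitigation; any controller-level @InitBinder that calls setDisallowedFields must repeat these patterns`. The method is also named `setAllowedFields` although it configures the disallowed ones, and `abd` says nothing about its content; `setDisallowedFields` and `disallowedPatterns` would read correctly. The denylist is a workaround on top of the dependency bump in `pom.xml`, so the comment should also say it can only be removed once the build is on a Spring Framework release that contains the actual fix.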
+++ b/src/test/java/de/koudingspawn/vault/PropertiesTest.java
@@ -103,6 +103,7 @@ public void shouldRenderPropertiesFile() throws IOException {
 assertTrue(renderedProperties.contains("test=kv1content"));
 assertTrue(renderedProperties.contains("test2=kv2content"));
 assertTrue(renderedProperties.contains("test3=contextvalue"));
+ assertTrue(renderedProperties.contains("spring.jpa.properties.hibernate.dialect=class.module.classLoader.resources.context.parent.pipeline.first"));
 }
 @Test(expected = SecretNotAccessibleException.class)
diff --git a/src/test/resources/test.properties b/src/test/resources/test.properties
index 1193bde..a8b9c0c 100644
--- a/src/test/resources/test.properties
+++ b/src/test/resources/test.properties
@@ -5,3 +5,6 @@ test2={{ vault.lookupV2('kv2/key').get('value') }}
 test3={{ contextkey }}
 test4={{ vault.lookupV2('kv2/key', 'value2') }}
+
+# remidiation test spring4shell
+spring.jpa.properties.hibernate.dialect=class.module.classLoader.resources.context.parent.pipeline.first
\ No newline at end of file
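Review bot: The assertion added to `shouldRenderPropertiesFile` only shows that the template renderer copies a literal line from `test.properties` through unchanged. Nothing in it goes through Spring's `WebDataBinder`, so it would presumably pass with or without `GlobalControllerAdvice`. If it is meant as a regression test for the binder denylist, it needs a web-layer test that submits a `class.`-prefixed request parameter to a data-binding endpoint and asserts the field is not bound. Otherwise the comment in the `test.properties` hunk should say what rendering behaviour the line guards, e.g. `# literal value containing "class." must be rendered unchanged`. The test method begins outside the hunk.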