
Expression Injection Vulnerability report #118

@LQxdu

Description

Summary

OperaPrestoDriver uses the commons-jxpath library's APIs to evaluate JXPath queries over collections, but it does not apply the necessary security configuration. The commons-jxpath library provides powerful expression parsing and evaluation capabilities, including the ability to access Java classes and invoke their methods. As a result, an attacker who controls a query can inject carefully crafted expressions that exploit these features, potentially invoking security-sensitive methods and executing arbitrary commands.

Vulnerable code

For example, the AbstractService.xpathPointer and AbstractService.xpathIterator methods:

public Pointer xpathPointer(Collection<?> collection, String query) {
  // Context created with no hardening: functions are not disabled and access to Java classes is not restricted.
  JXPathContext pathContext = JXPathContext.newContext(collection);
  Pointer result = null;

  try {
    result = pathContext.getPointer(query); // sink
  } catch (JXPathNotFoundException e) {
    logger.warning(String.format("JXPath exception: %s", e.getMessage()));
  }

  return result;
}

public Iterator<?> xpathIterator(Collection<?> collection, String query) {
  JXPathContext pathContext = JXPathContext.newContext(collection); // same unhardened context
  Iterator<?> result = null;

  try {
    result = pathContext.iteratePointers(query); // sink
  } catch (JXPathNotFoundException e) {
    logger.log(Level.WARNING, "JXPath exception: {0}", e.getMessage());
  }

  return result;
}

Potential Attack Impact

Remote Code Execution.

Recommended Mitigation Measures (Refer to the patch for CVE-2024-36404: geotools/geotools@f0c9961)

public Pointer xpathPointer(Collection<?> collection, String query) {
  JXPathContext pathContext = JXPathContext.newContext(collection);
+ pathContext.setFunctions(new FunctionLibrary()); // Set an empty function library to prevent calling functions
  Pointer result = null;

  try {
    result = pathContext.getPointer(query);
  } catch (JXPathNotFoundException e) {
    logger.warning(String.format("JXPath exception: %s", e.getMessage()));
  }

  return result;
}
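
As an added example (not OperaPrestoDriver's own code), a hypothetical helper that applies the recommended setFunctions(new FunctionLibrary()) hardening and also handles the JXPathFunctionNotFoundException that rejected queries raise once the library is empty; the class name HardenedXPath, the helper names and the sample Map data are assumptions.

```java
import java.util.Map;

import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathFunctionNotFoundException;
import org.apache.commons.jxpath.JXPathNotFoundException;
import org.apache.commons.jxpath.Pointer;

/** Hypothetical hardened helper; not OperaPrestoDriver's AbstractService code. */
public final class HardenedXPath {

    /** Context whose function library is empty, so extension-function calls (Java classes/methods) cannot resolve. */
    static JXPathContext newRestrictedContext(Object root) {
        JXPathContext ctx = JXPathContext.newContext(root);
        ctx.setFunctions(new FunctionLibrary()); // replaces JXPath's default package-function fallback
        return ctx;
    }

    /** Mirrors xpathPointer: returns the pointer for a data query, or null when the query is rejected. */
    static Pointer safePointer(Object root, String query) {
        JXPathContext ctx = newRestrictedContext(root);
        try {
            return ctx.getPointer(query); // the sink from the report, now behind a restricted context
        } catch (JXPathFunctionNotFoundException e) {
            // With the empty library every function call ends here instead of in a method invocation.
            // The original handlers only catch JXPathNotFoundException, so without this clause the
            // hardened code would surface an unhandled exception rather than failing closed.
            System.err.println("Rejected JXPath query: " + e.getMessage());
            return null;
        } catch (JXPathNotFoundException e) {
            System.err.println("JXPath exception: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for the collections the driver queries.
        Map<String, Object> window = Map.of("id", 7, "title", "Opera");

        // A plain data query still works under the restricted context.
        Pointer ok = safePointer(window, "title");
        System.out.println("data query -> " + ok.getValue());

        // Any extension-function call, harmless or not, is refused and yields null.
        Pointer refused = safePointer(window, "java.lang.Math.abs(-1)");
        System.out.println("function call accepted? " + (refused != null));
    }
}
```

The same restricted context should back xpathIterator, since iteratePointers evaluates the same expression types as getPointer.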
