juancarlosgl
commented
1 year ago Tests pass so unless you know of a test-case we should add for this then I'm fine with it.
If your application uses the Apache Commons Text version between 1.5 – 1.9 (both inclusive), then the attacker can make use of the vulnerability in StringSubstitutor class.
Here is the sample snippet which I created using the above docs page.
Below code snippet (using Apache Commons Text 1.9) leverages the StringSubstitutor and interpolation where it prints the encoding and decoding string information by executing it as a string input.
`// Apache Commons Text 1.9
package org.qainsights; import org.apache.commons.text.*;
public class Main { public static void main(String[] args) {
StringSubstitutor interp = StringSubstitutor.createInterpolator();
String str = "Base64 Decoder ${base64Decoder:UUFJbnNpZ2h0cw==}\nBase64 Encoder ${base64Encoder:QAInsights}";
String rep = interp.replace(str);
System.out.println(rep);
}}`
It may not look like a vulnerability for normal eyes, but attackers can leverage the string inputs of dns, script, and url functions.
Here are the default interpolators which use the string lookups as above:
`final StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); final String text = interpolator.replace( "Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}\n"
- "Base64 Encoder: ${base64Encoder:HelloWorld!}\n"
- "Java Constant: ${const:java.awt.event.KeyEvent.VK_ESCAPE}\n"
- "Date: ${date:yyyy-MM-dd}\n"
- "Environment Variable: ${env:USERNAME}\n"
- "File Content: ${file:UTF-8:src/test/resources/document.properties}\n"
- "Java: ${java:version}\n"
- "Localhost: ${localhost:canonical-name}\n"
- "Properties File: ${properties:src/test/resources/document.properties::mykey}\n"
- "Resource Bundle: ${resourceBundle:org.apache.commons.text.example.testResourceBundleLookup:mykey}\n"
- "System Property: ${sys:user.dir}\n"
- "URL Decoder: ${urlDecoder:Hello%20World%21}\n"
- "URL Encoder: ${urlEncoder:Hello World!}\n"
- "XML XPath: ${xml:src/test/resources/document.xml:/root/path/to/node}\n");`
Below are the extra lookups which are not included in Apache Commons Text 1.10:
"dns" dnsStringLookup() "url" urlStringLookup() "script" scriptStringLookup()
Let us execute the url string lookup in version 1.9.
`package org.qainsights; import org.apache.commons.text.*;
public class Main { public static void main(String[] args) {
StringSubstitutor interp = StringSubstitutor.createInterpolator();
String str = "${url:UTF-8:https://example.com}";
String rep = interp.replace(str);
System.out.println(rep);
}}`
The above snippet will display the HTML output of https://example.com.
Now, let us upgrade the Apache Commons Text to 1.10.0. The above code will display the output below.
${url:UTF-8:https://example.com}
Basically, version 1.10.0 will not process the string lookups of dns, script, and url by DEFAULT.
If you still want to make use of the dns, script, and url lookups, you need to enable them explicitly. Here is the sample code:
`// Enabling dns lookup in Apache Commons Text 1.10.0
package org.qainsights; import org.apache.commons.text.*; import org.apache.commons.text.lookup.StringLookup; import org.apache.commons.text.lookup.StringLookupFactory;
import java.util.HashMap; import java.util.Map;
public class Main { public static void main(String[] args) {
Map<String, StringLookup> lookupMap = new HashMap<>();
lookupMap.put("dns", StringLookupFactory.INSTANCE.dnsStringLookup());
StringLookup variableResolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookupMap, null, false);
System.out.println(new StringSubstitutor(variableResolver).replace("${dns:address|apache.org}"));
}}`
RAD-2735: Upgrade commons text from version 1.9 to 1.10.0 as vulnerability is fixed on this latest version. This ticket was created by depndabot job so this commons-text 1.9 contains vulnerabilities that are fixed on version 1.10.0.