MangoAutomation / ma-core-public

Mango Automation Core public code

RAD-2735: Upgrade commons text from version 1.9 to 1.10.0 as vulnerab… #1834

Closed juancarlosgl closed 1 year ago

juancarlosgl commented 1 year ago

RAD-2735: Upgrade commons text from version 1.9 to 1.10.0 as the vulnerability is fixed on this latest version. This ticket was created by the dependabot job, so this commons-text 1.9 contains vulnerabilities that are fixed in version 1.10.0.

juancarlosgl commented 1 year ago

Tests pass so unless you know of a test-case we should add for this then I'm fine with it.

If your application uses an Apache Commons Text version between 1.5 and 1.9 (both inclusive), then an attacker can make use of the vulnerability in the StringSubstitutor class.

Here is the sample snippet which I created using the above docs page.

The code snippet below (using Apache Commons Text 1.9) leverages the StringSubstitutor and interpolation, where it prints the encoded and decoded string information by executing it as a string input.

```java
// Apache Commons Text 1.9
package org.qainsights;

import org.apache.commons.text.*;

public class Main {
    public static void main(String[] args) {
        // In 1.9 the default interpolator wires up every built-in lookup, dns/url/script included
        StringSubstitutor interp = StringSubstitutor.createInterpolator();

        String str = "Base64 Decoder ${base64Decoder:UUFJbnNpZ2h0cw==}\nBase64 Encoder ${base64Encoder:QAInsights}";
        String rep = interp.replace(str);

        System.out.println(rep);
    }
}
```

It may not look like a vulnerability to normal eyes, but attackers can leverage the string inputs of the dns, script, and url functions.

Here are the default interpolators which use the string lookups as above:

```java
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
final String text = interpolator.replace(
    "Base64 Decoder: ${base64Decoder:SGVsbG9Xb3JsZCE=}\n"
    // the remainder of the lookup listing from the docs page is cut off in this comment
);
```

Below are the extra lookups which are not included in Apache Commons Text 1.10:

- `"dns"`: `dnsStringLookup()`
- `"url"`: `urlStringLookup()`
- `"script"`: `scriptStringLookup()`

Let us execute the url string lookup in version 1.9.

```java
package org.qainsights;

import org.apache.commons.text.*;

public class Main {
    public static void main(String[] args) {
        StringSubstitutor interp = StringSubstitutor.createInterpolator();

        // In 1.9 the "url" prefix is resolved by the default interpolator and fetches the URL
        String str = "${url:UTF-8:https://example.com}";
        String rep = interp.replace(str);

        System.out.println(rep);
    }
}
```

The above snippet will display the HTML output of https://example.com.

Now, let us upgrade the Apache Commons Text to 1.10.0. The above code will display the output below.

```text
${url:UTF-8:https://example.com}
```

Basically, version 1.10.0 will not process the string lookups of dns, script, and url by DEFAULT.

If you still want to make use of the dns, script, and url lookups, you need to enable them explicitly. Here is the sample code:

```java
// Enabling dns lookup in Apache Commons Text 1.10.0
package org.qainsights;

import org.apache.commons.text.*;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

import java.util.HashMap;
import java.util.Map;

public class Main {
    public static void main(String[] args) {
        // Opt in to exactly the lookups you need; dns is no longer part of the 1.10.0 defaults
        Map<String, StringLookup> lookupMap = new HashMap<>();
        lookupMap.put("dns", StringLookupFactory.INSTANCE.dnsStringLookup());

        // addDefaultLookups = false: only the entries in lookupMap are resolvable
        StringLookup variableResolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookupMap, null, false);

        System.out.println(new StringSubstitutor(variableResolver).replace("${dns:address|apache.org}"));
    }
}
```
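As an added example (not code from this PR or from the Commons Text project), the defensive counterpart of the snippets above: build the substitutor from an explicit allowlist so that dns, url and script cannot be reached on 1.9 or 1.10.0 alike, and reject any other prefix instead of silently passing it through. The package and class names are assumptions.

```java
package org.example; // assumed package name for this added example

import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class AllowlistedInterpolation {

    /**
     * Builds a substitutor that resolves only the prefixes named here.
     * With addDefaultLookups = false, dns/url/script are unreachable on 1.9 and on
     * 1.10.0, and re-enabling the defaults via the 1.10.0 system property
     * org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups
     * does not affect this instance, because it never asks for the defaults.
     */
    static StringSubstitutor allowlisted() {
        Map<String, StringLookup> lookups = new HashMap<>();
        lookups.put("base64Decoder", StringLookupFactory.INSTANCE.base64DecoderStringLookup());
        lookups.put("base64Encoder", StringLookupFactory.INSTANCE.base64EncoderStringLookup());
        StringLookup resolver = StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false);

        StringSubstitutor sub = new StringSubstitutor(resolver);
        sub.setEnableSubstitutionInVariables(false);   // no nested ${${...}} expansion
        sub.setDisableSubstitutionInValues(true);      // resolved values are not re-interpolated
        sub.setEnableUndefinedVariableException(true); // unknown prefix -> exception, not pass-through
        return sub;
    }

    /** Returns the expanded text, or null when the template uses a prefix outside the allowlist. */
    static String expandOrReject(StringSubstitutor sub, String template) {
        try {
            return sub.replace(template);
        } catch (IllegalArgumentException e) {
            // Worth logging: the template asked for a lookup that is not allowed (e.g. url, dns, script)
            System.err.println("rejected template: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        StringSubstitutor sub = allowlisted();
        // Constructed inputs: the benign base64 template and the url lookup from the comment above
        System.out.println(expandOrReject(sub, "Base64 Decoder ${base64Decoder:UUFJbnNpZ2h0cw==}"));
        System.out.println(expandOrReject(sub, "${url:UTF-8:https://example.com}")); // null, no network call
    }
}
```

The second call is rejected by the substitutor itself before any lookup runs, which gives you a log line to alert on rather than an unexplained outbound request.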