Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jorgectf/spring-cloud-function-spel


https://github.com/jorgectf/spring-cloud-function-spel

Last synced: about 2 months ago
JSON representation

Awesome Lists containing this project

README

        

# Spring Cloud Function - SpEL Injection (CVE-2022-22963)

```
cd spring-cloud-function-samples/function-sample-pojo && mvn clean package -DskipTests && java -jar target/function-sample-pojo-2.0.0.RELEASE.jar
```

```
codeql database create spring-cloud-function-3.2.X-DB -l java -j0 --search-path /path/to/codeql -c "./mvnw compile -P all -DskipTests -Dos.arch=x86_64"
```

Fix commit: https://github.com/spring-cloud/spring-cloud-function/commit/dc5128b80c6c04232a081458f637c81a64fa9b52

### Research

* https://mp.weixin.qq.com/s/ssHcLC72wZqzt-ei_ZoLwg
* https://hosch3n.github.io/2022/03/26/SpringCloudFunction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/
* https://mp.weixin.qq.com/s/U7YJ3FttuWSOgCodVSqemg
* https://github.com/lunasec-io/lunasec/blob/master/docs/blog/2022-03-30-spring-core-rce.mdx#cve-2022-22963

### POCs

* https://github.com/hktalent/spring-spel-0day-poc
* https://github.com/RanDengShiFu/CVE-2022-22963

### CodeQL quick&dirty Source

Add to `java/ql/lib/Customizations.qll`

```codeql
private import semmle.code.java.dataflow.FlowSources

class SpringMessage extends DataFlow::Node, RemoteFlowSource {
SpringMessage() {
this.asExpr() =
any(MethodAccess m |
m.getMethod()
.hasQualifiedName("org.springframework.messaging",
any(string s | s.matches("Message%")), "get")
)
}

override string getSourceType() { result = "org.springframework.messaging.Message" }
}
```