Diffstat (limited to 'sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt')
-rw-r--r--sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt17
1 files changed, 13 insertions, 4 deletions
diff --git a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
index 1dc1d5f0..a60c088e 100644
--- a/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
+++ b/sanitizers/src/main/java/com/code_intelligence/jazzer/sanitizers/ExpressionLanguageInjection.kt
@@ -31,7 +31,13 @@ object ExpressionLanguageInjection {
* Try to call the default constructor of the honeypot class.
*/
private const val EXPRESSION_LANGUAGE_ATTACK =
- "\${\"\".getClass().forName(\"$HONEYPOT_CLASS_NAME\").newInstance()}"
+ "\${Byte.class.forName(\"$HONEYPOT_CLASS_NAME\").getMethod(\"el\").invoke(null)}"
+
+ init {
+ require(EXPRESSION_LANGUAGE_ATTACK.length <= 64) {
+ "Expression language exploit must fit in a table of recent compares entry (64 bytes)"
+ }
+ }
@MethodHooks(
MethodHook(
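Review bot: The KDoc above the constant still says the payload tries to call the default constructor of the honeypot class, but the new value calls `Byte.class.forName(...).getMethod("el").invoke(null)`, i.e. a static `el` method, and no longer instantiates anything; update it to `* Try to invoke the static el() method of the honeypot class.` so the comment matches the string. The new `init` block is placed directly before the `@MethodHooks` annotation with no blank line, which makes the annotation read as if it belonged to the block; separate them. The enclosing `object ExpressionLanguageInjection` continues outside this hunk.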
@@ -60,8 +66,10 @@ object ExpressionLanguageInjection {
method: MethodHandle?,
thisObject: Any?,
arguments: Array<Any>,
- hookId: Int
+ hookId: Int,
) {
+ // The overloads taking a second string argument have either three or four arguments
+ if (arguments.size < 3) { return }
val expression = arguments[1] as? String ?: return
Jazzer.guideTowardsContainment(expression, EXPRESSION_LANGUAGE_ATTACK, hookId)
}
@@ -76,15 +84,16 @@ object ExpressionLanguageInjection {
@MethodHook(
type = HookType.BEFORE,
targetClassName = "javax.validation.ConstraintValidatorContext",
- targetMethod = "buildConstraintViolationWithTemplate"
+ targetMethod = "buildConstraintViolationWithTemplate",
)
@JvmStatic
fun hookBuildConstraintViolationWithTemplate(
method: MethodHandle?,
thisObject: Any?,
arguments: Array<Any>,
- hookId: Int
+ hookId: Int,
) {
+ if (arguments.size != 1) { return }
val message = arguments[0] as String
Jazzer.guideTowardsContainment(message, EXPRESSION_LANGUAGE_ATTACK, hookId)
}
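Review bot: `val message = arguments[0] as String` on the line after the new size guard is an unchecked cast, unlike the `as? String ?: return` used in the eval hook in the previous hunk; if the template argument is ever not a String (or is null, as the `Array<Any>` is filled in from instrumented Java code), the hook would throw out of the hooked call rather than skipping it. For consistency with the other hook use the defensive form `val message = arguments[0] as? String ?: return`. The added `if (arguments.size != 1) { return }` and the one in the previous hunk could also drop the braces to match the usual Kotlin one-line early-return style.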