
EL Injection in PartialViewContext

Open mwulftange opened this issue 8 years ago • 1 comment

There are multiple instances in the PartialViewContext.processAjaxExecutePhase(FacesContext) method where user-supplied input is used as (part of) the expression of a MethodExpression:

  • request parameter _of_action (local variable action) is used in lines 546–556:
        if (action != null) {
            MethodExpression methodBinding;
            if (!action.startsWith("#{")){
                methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, "#{" + action + "}", String.class, new Class[]{});
            }else{
                methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, action, String.class, new Class[]{});
            }
            methodBinding.invoke(elContext, null);
        }
  • request parameter _of_actionListener (local variable listener) is used in lines 557–585:
        if (listener != null) {
            AjaxActionEvent event = new AjaxActionEvent(component, new Behavior() {
                public void broadcast(BehaviorEvent event) {
                    throw new UnsupportedOperationException("This method is not expected to be invoked.");
                }
            });
            event.setPhaseId(Boolean.valueOf(requestParams.get(PARAM_IMMEDIATE)) ? PhaseId.APPLY_REQUEST_VALUES : PhaseId.INVOKE_APPLICATION);
            MethodExpression methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
                    elContext, "#{" + listener + "}", void.class, new Class[]{AjaxBehaviorEvent.class});
            try {
                methodExpression.getMethodInfo(elContext);
            } catch (MethodNotFoundException e1) {
                // both actionEvent and AjaxActionEvent parameter declarations are allowed
                methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
                        elContext, "#{" + listener + "}", void.class, new Class[]{AjaxActionEvent.class});
                try {
                    methodExpression.getMethodInfo(elContext);
                } catch (MethodNotFoundException e2) {
                    Log.log("Couldn't find Ajax action handler method. Method expression: #{" + listener + "} . " +
                            "Note, the appropriate method should receive one parameter of either javax.faces.event.AjaxBehaviorEvent or " +
                            "org.openfaces.event.AjaxActionEvent type.", e2);
                    throw e2;
                }
            }
            methodExpression.invoke(elContext, new Object[]{event});
            Object listenerResult = event.getAjaxResult();
            if (listenerResult != null)
                result = listenerResult;
        }

Arbitrary EL evaluation can result in the execution of arbitrary code on the application server.

mwulftange, Nov 02 '17 08:11
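The two code paths quoted in the report hand the raw `_of_action` / `_of_actionListener` value straight to `createMethodExpression`. The following is an added example (not OpenFaces code) of the check a fix would place in front of that call: the parameter is accepted only if it is a plain `bean.method` reference that is also on a server-side allowlist. The class name, method name and the allowlisted references are this example's own assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not OpenFaces code: validates the _of_action and
// _of_actionListener request parameters before they are turned into a
// MethodExpression. Names here are assumptions made for the example.
public final class AjaxMethodRefValidator {

    // Exactly "name.name[.name...]": identifiers joined by dots and nothing
    // else. EL operators, brackets, parentheses, quotes, whitespace and a
    // nested "#{" all fail this match.
    private static final Pattern BEAN_METHOD_REF =
            Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)+$");

    // Method references the application registered server-side, in plain
    // "bean.method" form (constructed for this example).
    private final Set<String> allowedRefs;

    AjaxMethodRefValidator(Set<String> allowedRefs) {
        this.allowedRefs = allowedRefs;
    }

    // Returns the canonical "#{bean.method}" expression for a raw request
    // parameter, or null when the value must be rejected. Both "bean.method"
    // and "#{bean.method}" are accepted on input, mirroring the two branches
    // of the vulnerable code, but the output is always rebuilt from the
    // validated body rather than echoed from the request.
    String toSafeMethodExpression(String raw) {
        if (raw == null) return null;
        String body = raw;
        if (body.startsWith("#{") && body.endsWith("}")) {
            body = body.substring(2, body.length() - 1);
        }
        if (!BEAN_METHOD_REF.matcher(body).matches()) return null;
        // Even a well-formed "x.y" could otherwise target any bean or implicit
        // object reachable from the EL context, so require an allowlist hit.
        if (!allowedRefs.contains(body)) return null;
        return "#{" + body + "}";
    }

    public static void main(String[] args) {
        AjaxMethodRefValidator v = new AjaxMethodRefValidator(
                Set.of("orderBean.submit", "orderBean.onAjax"));
        String[] samples = {   // constructed inputs: two valid, four rejected
                "orderBean.submit", "#{orderBean.onAjax}", "otherBean.submit",
                "orderBean.submit()", "#{orderBean.submit}.toString", "a.b}#{c.d" };
        for (String s : samples)
            System.out.println(s + " -> " + v.toSafeMethodExpression(s));
    }
}
```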

The issue exists in the 2.x branch as well, see UtilPhaseListener.processAjaxExecutePhase() method:

https://github.com/TeamDev-Archive/OpenFaces/blob/18d76a2514bad5f77905d22201ebf793eeac1f09/openFaces/source/org/openfaces/util/UtilPhaseListener.java#L237-L255

artem-smotrakov, Mar 21 '21 18:03