
Expression Injection Vulnerability report

Open LQxdu opened this issue 1 year ago • 0 comments

Summary

OperaPrestoDriver utilizes the commons-jxpath library’s APIs to parse collection JXPath queries but lacks essential security configurations. The commons-jxpath library provides powerful expression parsing and evaluation capabilities, including the ability to access and invoke related methods. As a result, attackers can inject carefully crafted expressions to exploit these features, potentially invoking security-sensitive methods and executing arbitrary commands.

Vulnerable code

For example, in the AbstractService.xpathIterator and AbstractService.xpathPointer methods.

public Pointer xpathPointer(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection); // without disabling functions (e.g., setLenient(false)) or restricting access to Java classes.
    Pointer result = null;

    try {
        result = pathContext.getPointer(query); // sink
    } catch (JXPathNotFoundException e) {
        logger.warning(String.format("JXPath exception: %s", e.getMessage()));
    }

    return result;
}

public Iterator<?> xpathIterator(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection);
    Iterator<?> result = null;

    try {
        result = pathContext.iteratePointers(query);
    } catch (JXPathNotFoundException e) {
        logger.log(Level.WARNING, "JXPath exception: {0}", e.getMessage());
    }

    return result;
}

Potential Attack Impact

Remote Code Execution.

Recommended Mitigation Measures (Refer to the patch for CVE-2024-36404: https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea)

public Pointer xpathPointer(Collection<?> collection, String query) {
    JXPathContext pathContext = JXPathContext.newContext(collection);
+   pathContext.setFunctions(new FunctionLibrary()); // Set empty function library to prevent calling functions
    Pointer result = null;

    try {
        result = pathContext.getPointer(query);
    } catch (JXPathNotFoundException e) {
        logger.warning(String.format("JXPath exception: %s", e.getMessage()));
    }

    return result;
}

LQxdu, Feb 12 '25 17:02
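To show what the empty-FunctionLibrary mitigation does and does not change, here is an added example that is not code from OperaPrestoDriver or from the reporter. It assumes commons-jxpath on the classpath; the class HardenedXPathDemo, the helper hardenedContext and the sample collection are constructed for this illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathFunctionNotFoundException;
import org.apache.commons.jxpath.JXPathNotFoundException;
import org.apache.commons.jxpath.Pointer;

/** Hypothetical wrapper for untrusted JXPath queries over a collection (added example, not project code). */
public final class HardenedXPathDemo {
    private static final Logger logger = Logger.getLogger(HardenedXPathDemo.class.getName());

    /** Context whose only functions are the core XPath ones: extension (Java method) calls are undefined. */
    static JXPathContext hardenedContext(Collection<?> collection) {
        JXPathContext ctx = JXPathContext.newContext(collection);
        ctx.setFunctions(new FunctionLibrary()); // empty library replaces the default PackageFunctions
        return ctx;
    }

    /** Same contract as the reported xpathPointer, but evaluated on the hardened context. */
    static Pointer xpathPointer(Collection<?> collection, String query) {
        try {
            return hardenedContext(collection).getPointer(query);
        } catch (JXPathNotFoundException e) {
            logger.log(Level.WARNING, "JXPath exception: {0}", e.getMessage());
            return null;
        }
    }

    /** True when the hardened context refuses the query because it names an extension function. */
    static boolean rejectsExtensionFunction(Collection<?> collection, String query) {
        try {
            hardenedContext(collection).getValue(query);
            return false;
        } catch (JXPathFunctionNotFoundException e) {
            return true; // "Undefined function": no library can resolve it
        }
    }

    public static void main(String[] args) {
        List<String> windows = List.of("window-1", "window-2"); // constructed sample collection
        // Structural queries and core XPath functions still evaluate on the hardened context...
        System.out.println(xpathPointer(windows, "/").getValue());
        System.out.println(hardenedContext(windows).getValue("concat('core', '-', 'ok')"));
        // ...while any extension-function call, the vector described in the report, is refused.
        System.out.println(rejectsExtensionFunction(windows, "some:helper()"));
    }
}
```

Core XPath functions are compiled separately from extension functions in JXPath, so an empty FunctionLibrary removes only the latter; if the service legitimately needs specific extension functions, register just those in the library instead of leaving the default package access in place.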