Crispy-fried-chicken opened a new issue, #16135: URL: https://github.com/apache/dubbo/issues/16135
### Pre-check

- [x] I am sure that all the content I provide is in English.

### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dubbo/issues?q=is%3Aissue) and found no similar issues.

### Apache Dubbo Component

Java SDK (apache/dubbo)

### Dubbo Version

The newest version of dubbo

### Steps to reproduce this issue

If a developer or a third-party extension defines an interface with a maliciously crafted @Adaptive annotation:

```java
@SPI
public interface MaliciousExtension {
    // The annotation value closes the generated string literal and appends a statement
    @Adaptive({"test\"); System.exit(0); //"})
    void sayHello(URL url);
}
```

Generated Java Code (Vulnerable):

```java
// The generated adaptive class will contain:
String extName = url.getParameter("test"); System.exit(0); //");
```

When the sayHello method is called, the JVM will execute System.exit(0), leading to a Denial of Service (DoS) or potentially full Remote Code Execution (RCE) if a more complex payload is used.

### What you expected to happen

Generated Java Code (Vulnerable):

```java
// The generated adaptive class will contain:
String extName = url.getParameter("test"); System.exit(0); //");
```

When the sayHello method is called, the JVM will execute System.exit(0), leading to a Denial of Service (DoS) or potentially full Remote Code Execution (RCE) if a more complex payload is used.

### Anything else

### Description

A critical Remote Code Injection (or Source Code Manipulation) vulnerability has been identified in the AdaptiveClassCodeGenerator class. The framework generates Java source code for adaptive extensions by embedding values from @Adaptive and @SPI annotations directly into string templates using String.format. Because these annotation values (specifically the value array and defaultExtName) are not escaped or neutralized before being inserted into Java string literals, an attacker who can influence these metadata values can break out of the string context and inject arbitrary Java code into the generated class.
### Vulnerability Analysis

The vulnerability exists in the generateExtNameAssignment method. Consider the following code:

```java
// Line 234 in AdaptiveClassCodeGenerator.java
// value[i] comes straight from the @Adaptive annotation and is placed inside a string literal
getNameCode = String.format("url.getParameter(\"%s\")", value[i]);
```

- Source: value[i] (derived from the @Adaptive annotation on a method).
- Sink: String.format (used to construct the Java source code).
- Mechanism: The value is placed inside double quotes ("%s"). If value[i] contains a double quote ("), an attacker can terminate the string literal and append malicious Java statements.
- Execution: The generated source code is subsequently compiled (often via Javassist or JDK compiler) and executed within the JVM.

### Impact

Critical: Allows for arbitrary code execution in the context of the Dubbo application.

AOT/Native Image Risks: In GraalVM AOT scenarios (as seen in NativeClassSourceWriter), this could lead to the generation of compromised native binaries.

### Suggested Fix

All strings being embedded into the Java source code must be properly escaped for Java string literals. It is recommended to use a utility like StringEscapeUtils from Apache Commons Text or implement a dedicated escaping mechanism.

Proposed Mitigation:

```java
// Using Apache Commons Text to sanitize the input
import org.apache.commons.text.StringEscapeUtils;

// ... inside generateExtNameAssignment
// escapeJava turns embedded quotes and backslashes into escape sequences,
// so the value can no longer terminate the string literal
String sanitizedValue = StringEscapeUtils.escapeJava(value[i]);
getNameCode = String.format("url.getParameter(\"%s\")", sanitizedValue);
```

### Do you have a (mini) reproduction demo?

- [ ] Yes, I have a minimal reproduction demo to help resolve this issue more effectively!

### Are you willing to submit a pull request to fix on your own?

- [ ] Yes I am willing to submit a pull request on my own!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
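As an added example (not Dubbo's code, and not part of the report above), the vulnerable template from the report is shown beside a hardened one that both escapes the value into a proper Java string literal and rejects keys outside a conservative allowlist, since a URL parameter key never legitimately contains quotes or statement separators. The class name, `escapeJavaLiteral` (a hand-written stand-in for StringEscapeUtils.escapeJava so the demo needs no dependency) and the `KEY` pattern are assumptions.

```java
import java.util.regex.Pattern;

public class AdaptiveTemplateDemo {
    // Same shape as the template the report describes: the key lands inside a string literal unescaped.
    static String vulnerable(String key) {
        return String.format("String extName = url.getParameter(\"%s\");", key);
    }

    // Hypothetical stand-in for StringEscapeUtils.escapeJava: every byte that could close or
    // confuse a Java string literal becomes an escape sequence, so the literal always stays one token.
    static String escapeJavaLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20 || c > 0x7e) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.toString();
    }

    // Defence in depth (assumed policy): accept only characters that make sense in a parameter key.
    private static final Pattern KEY = Pattern.compile("[A-Za-z0-9._-]+");

    static String hardened(String key) {
        if (!KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("illegal @Adaptive key: " + escapeJavaLiteral(key));
        }
        // Escaping is still applied so the generator is safe even if the allowlist is later relaxed.
        return String.format("String extName = url.getParameter(\"%s\");", escapeJavaLiteral(key));
    }

    public static void main(String[] args) {
        String malicious = "test\"); System.exit(0); //"; // constructed key, taken from the report
        System.out.println("vulnerable: " + vulnerable(malicious));
        System.out.println("hardened:   " + hardened("test"));
        try {
            hardened(malicious);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```

Running the demo prints the generated line with the injected `System.exit(0)` for the vulnerable template, the intact literal for a benign key, and a rejection for the crafted key.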
