...
An attacker who controls the argument can enter a specially crafted string that closes the quoted literal and injects arbitrary JavaScript, because the input is concatenated directly into the script source. This example shows a malicious string that contains JavaScript code that can create a file or overwrite an existing file on a vulnerable system.
...
The script in this example prints "dummy" and then writes "some text" to a configuration file called config.cfg. An actual exploit can execute arbitrary code inside the application's JVM.
...
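/**
 * Evaluates a script that prints {@code firstName}, after restricting the
 * input to a whitelist so it cannot break out of the quoted string literal.
 *
 * <p>{@code firstName} is concatenated directly into the script source, so any
 * character outside the whitelist (quotes, parentheses, semicolons, ...) could
 * close the literal and inject arbitrary JavaScript. In Java's default regex
 * mode {@code \w} is ASCII-only ({@code [a-zA-Z_0-9]}); widen the pattern
 * deliberately, and only with characters that cannot terminate the literal, if
 * other characters are legitimately needed.
 *
 * @param firstName the user-supplied name to print; must consist only of
 *        letters, digits and underscores (the empty string is accepted)
 * @throws IllegalArgumentException if {@code firstName} is {@code null} or
 *         contains any character outside the whitelist
 * @throws IllegalStateException if no JavaScript engine is registered with the
 *         JVM ({@code getEngineByName} returns {@code null} rather than
 *         throwing; the bundled Nashorn engine was removed in JDK 15)
 * @throws ScriptException if the engine fails to evaluate the script
 */
private static void evalScript(String firstName) throws ScriptException {
  // Validate first: reject untrusted input before any engine is even created.
  if (firstName == null || !firstName.matches("[\\w]*")) {
    throw new IllegalArgumentException(
        "firstName must contain only characters in [A-Za-z0-9_]");
  }
  ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
  if (engine == null) {
    // A missing engine would otherwise surface as a NullPointerException below.
    throw new IllegalStateException("no JavaScript ScriptEngine is available");
  }
  engine.eval("print('" + firstName + "')");
}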
...
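/**
 * Runs a JavaScript snippet under an {@link AccessControlContext} that grants
 * no permissions, so that even injected code cannot, for example, open files.
 *
 * <p>NOTE(review): the sandbox only limits what injected script can do; it does
 * not prevent the injection itself, and it only takes effect while a
 * SecurityManager is installed. The SecurityManager is deprecated for removal
 * since JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so on
 * those runtimes {@code doPrivileged} provides no isolation at all. The input
 * is therefore whitelisted here as well; the restricted context is defense in
 * depth, not the primary control.
 */
class ACC {
  /** Holds a single context whose only ProtectionDomain carries no permissions. */
  private static class RestrictedAccessControlContext {
    private static final AccessControlContext INSTANCE;

    static {
      // The two-argument ProtectionDomain constructor grants exactly the
      // permissions passed in and does not consult the Policy; null means none.
      INSTANCE = new AccessControlContext(
          new ProtectionDomain[] { new ProtectionDomain(null, null) });
    }
  }

  /**
   * Evaluates a script that prints {@code firstName} inside the restricted context.
   *
   * @param firstName the user-supplied name to print; must consist only of
   *        letters, digits and underscores (ASCII {@code \w}; the empty string
   *        is accepted)
   * @throws IllegalArgumentException if {@code firstName} is {@code null} or
   *         contains a character outside the whitelist
   * @throws IllegalStateException if no JavaScript engine is registered with
   *         the JVM, or if the privileged action fails with something other
   *         than a {@link ScriptException}
   * @throws ScriptException if the engine fails to evaluate the script
   *         (unwrapped from the {@link PrivilegedActionException})
   */
  private static void evalScript(final String firstName) throws ScriptException {
    // Whitelist the input before it is concatenated into script source.
    if (firstName == null || !firstName.matches("[\\w]*")) {
      throw new IllegalArgumentException(
          "firstName must contain only characters in [A-Za-z0-9_]");
    }
    final ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
    if (engine == null) {
      // getEngineByName() returns null, not an exception, when no engine exists.
      throw new IllegalStateException("no JavaScript ScriptEngine is available");
    }
    // Restrict permissions using the two-argument form of doPrivileged().
    try {
      AccessController.doPrivileged(
          new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws ScriptException {
              engine.eval("print('" + firstName + "')");
              return null;
            }
          },
          RestrictedAccessControlContext.INSTANCE);
    } catch (PrivilegedActionException pae) {
      // Never swallow the failure: surface the checked exception run() threw.
      Exception cause = pae.getException();
      if (cause instanceof ScriptException) {
        throw (ScriptException) cause;
      }
      throw new IllegalStateException("script evaluation failed", cause);
    }
  }
}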
...