HV-1774 Test arbitrary code injection through buildConstraintViolationWithTemplate()

yrodiere · gsmet · commit 438a0fc9bd7e · 2020-05-06T15:08:22.000+02:00
diff --git a/engine/src/test/java/org/hibernate/validator/test/constraints/ConstraintValidatorContextTest.java b/engine/src/test/java/org/hibernate/validator/test/constraints/ConstraintValidatorContextTest.java
@@ -208,6 +208,20 @@ public void testAddParameterNodeForFieldLevelConstraintCausesException() throws
 		}
 	}
 
+	@Test
+	public void testInjectionCausedByRecklessConcatenation() {
+		String maliciousPayload = "$\\A{1 + 1}";
+
+		// Simulate user entry, through a web form for example
+		MyObjectWithELInjectionRiskCausedByRecklessConcatenation object = new MyObjectWithELInjectionRiskCausedByRecklessConcatenation();
+		object.field1 = maliciousPayload;
+		Set<ConstraintViolation<MyObjectWithELInjectionRiskCausedByRecklessConcatenation>> constraintViolations = validator.validate( object );
+		assertThat( constraintViolations ).containsOnlyViolations(
+				violationOf( ValidationWithELInjectionRiskCausedByRecklessConcatenation.class )
+						.withMessage( "Value '" + maliciousPayload + "' is invalid" )
+		);
+	}
+
 	@MyClassLevelValidation
 	private static class MyObject {
 		@NotNull
@@ -278,6 +292,13 @@ public String getName() {
 		}
 	}
 
+	@ValidationWithELInjectionRiskCausedByRecklessConcatenation
+	private static class MyObjectWithELInjectionRiskCausedByRecklessConcatenation {
+
+		String field1;
+
+	}
+
 	@Retention(RUNTIME)
 	@Constraint(validatedBy = MyClassLevelValidation.Validator.class)
 	public @interface MyClassLevelValidation {
@@ -486,4 +507,34 @@ public boolean isValid(String value, ConstraintValidatorContext context) {
 			}
 		}
 	}
+
+	@Retention(RUNTIME)
+	@Constraint(validatedBy = ValidationWithELInjectionRiskCausedByRecklessConcatenation.Validator.class)
+	public @interface ValidationWithELInjectionRiskCausedByRecklessConcatenation {
+		String message() default "failed";
+
+		Class<?>[] groups() default { };
+
+		Class<? extends Payload>[] payload() default { };
+
+		class Validator
+				implements ConstraintValidator<ValidationWithELInjectionRiskCausedByRecklessConcatenation, MyObjectWithELInjectionRiskCausedByRecklessConcatenation> {
+
+			@Override
+			public boolean isValid(MyObjectWithELInjectionRiskCausedByRecklessConcatenation value, ConstraintValidatorContext context) {
+				context.disableDefaultConstraintViolation();
+
+				// This is bad practice: message parameters should be used instead.
+				// Regardless, it can happen and should work as well as possible.
+				context.buildConstraintViolationWithTemplate( "Value '" + escape( value.field1 ) + "' is invalid" )
+						.addConstraintViolation();
+
+				return false;
+			}
+
+			private String escape(String value) {
+				return value.replaceAll( "\\$+\\{", "{" );
+			}
+		}
+	}
 }
