XSS vulnerability during custom validation

Description

Through a security review we discovered a vulnerability during field validation. For validation we created a custom `ConstraintValidator` that overrides the isValid() method with custom validation. In case of invalid input, it returns `false` and creates a constraint violation with the template:
`context.buildConstraintViolationWithTemplate(value + " not valid").addConstraintViolation()`
where `value` is the input from the request.

The script executes in the Hibernate Validator library that is added to the project by Spring Boot validation. While processing the input value in org.hibernate.validator.messageinterpolation.AbstractMessageInterpolator#interpolateMessage it searches for `{`, and in the constructor of org.hibernate.validator.internal.engine.messageinterpolation.InterpolationTerm#InterpolationTerm it checks whether the input starts with `$`. If it does, it creates an ElExpression which is executed in org.hibernate.validator.internal.engine.messageinterpolation.ElTermResolver#interpolate.

In that case, when validating the input value:
`${'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"ifconfig\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}`
it executes the script on the server.

Environment

Java 8, Spring Boot 2.3.9, which uses Hibernate Validator version 6.1.7.

Activity

Guillaume Smet
4 days ago

This is an invalid usage of buildConstraintViolationWithTemplate(). You need to escape values when injecting user values there (similar to what you would do to avoid SQL injections).

See this paragraph in the 6.1 documentation: https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code

Starting from 6.2, EL is disabled by default for custom violations (but this is a breaking change so it won't be backported to 6.1).
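The pattern described in the report and the fix Guillaume recommends, side by side, as an added example that is not part of this issue or of Hibernate Validator itself. The `ValidCode` constraint annotation and the `AAA-0000` format are assumed for illustration; the escape helper relies on the Bean Validation rule that `{`, `}`, `$` and `\` are emitted literally when prefixed with `\` in a message template.

```java
import java.util.regex.Pattern;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;

// ValidCode is a hypothetical constraint annotation assumed to exist for this example.
public class CodeValidator implements ConstraintValidator<ValidCode, String> {

    private static final Pattern ALLOWED = Pattern.compile("[A-Z]{3}-[0-9]{4}");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null || ALLOWED.matcher(value).matches()) {
            return true;
        }
        context.disableDefaultConstraintViolation();

        // VULNERABLE (as in the report): the raw request value becomes part of the
        // message *template*, so input starting with "${" reaches the EL interpolator.
        // context.buildConstraintViolationWithTemplate(value + " not valid")
        //        .addConstraintViolation();

        // Preferred fix: keep the template static. Callers can still read the rejected
        // input from ConstraintViolation#getInvalidValue(), so nothing is lost.
        context.buildConstraintViolationWithTemplate("must match the pattern AAA-0000")
               .addConstraintViolation();

        // If the value really must appear in the message text, escape it first:
        // context.buildConstraintViolationWithTemplate(
        //         escapeForMessageTemplate(value) + " not valid").addConstraintViolation();
        return false;
    }

    /**
     * Escapes the four characters the message interpolator treats specially
     * ({, }, $ and the escape character \) so the value is rendered literally and
     * is never parsed as a message parameter or an EL expression. With 6.2+ EL is
     * already off by default for custom violations; this keeps 6.1 safe as well.
     */
    static String escapeForMessageTemplate(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

Feeding the report's `${'a'.getClass()...}` payload through `escapeForMessageTemplate` yields `\${'a'.getClass()...\}`, which the interpolator copies into the message as plain text instead of evaluating.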

Assignee

Unassigned

Reporter

Dawid Beer


Priority

Major