XSS vulnerability during custom validation


Through a security review we have discovered a problem related to a vulnerability during field validation. For validation we created a custom `ConstraintValidator` in which the isValid() method is overridden with custom validation. In case of invalid input, it returns `false` and creates a constraint violation with the template:
`context.buildConstraintViolationWithTemplate(value + " not valid").addConstraintViolation()`
where `value` is the input from request.

The script executes in the Hibernate Validator library, which is added to the project by Spring Boot validation. While processing the input value in org.hibernate.validator.messageinterpolation.AbstractMessageInterpolator#interpolateMessage it searches for `{`, and in the constructor org.hibernate.validator.internal.engine.messageinterpolation.InterpolationTerm#InterpolationTerm it checks whether the input starts with `$`. If it does, it creates an ElExpression, which is executed in org.hibernate.validator.internal.engine.messageinterpolation.ElTermResolver#interpolate.

In that case, during validation of the input value:
${'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"ifconfig\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}
it executes the script on the server.


Java 8, Spring Boot 2.3.9, which uses Hibernate Validator version 6.1.7.


Guillaume Smet
February 23, 2021, 1:29 PM

This is an invalid usage of buildConstraintViolationWithTemplate(). You need to escape values when injecting user values there (similar to what you would do to avoid SQL injections).

See this paragraph in the 6.1 documentation: https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#_the_code_constraintvalidatorcontext_code .

Starting from 6.2, EL is disabled by default for custom violations (but this is a breaking change so it won't be backported to 6.1).
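Added example, not code from the report or from Hibernate Validator: a custom validator of the kind the reporter describes, with the user-supplied value escaped before it is concatenated into the violation template, as the reply recommends. The `SafeCode` constraint, `SafeCodeValidator` and the accepted pattern are hypothetical; the escape set (`\`, `{`, `}`, `$`) follows the Bean Validation message interpolation rules, and the code targets the Java 8 / javax.validation setup named in the report.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

// Hypothetical constraint that hosts the validator below.
@Constraint(validatedBy = SafeCodeValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
public @interface SafeCode {
    String message() default "invalid code";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class SafeCodeValidator implements ConstraintValidator<SafeCode, String> {
    // Hypothetical business rule: two upper-case letters, a dash, four digits.
    private static final Pattern ALLOWED = Pattern.compile("[A-Z]{2}-\\d{4}");

    // Backslash-escape the characters the message interpolator treats
    // specially, so "${...}" in the input stays a literal instead of
    // being tokenized as an EL term.
    static String escapeForMessageTemplate(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null || ALLOWED.matcher(value).matches()) {
            return true;
        }
        // The report concatenated the raw value; escaping it first keeps
        // request data out of the interpolation/EL step.
        context.disableDefaultConstraintViolation();
        context.buildConstraintViolationWithTemplate(
                escapeForMessageTemplate(value) + " not valid")
               .addConstraintViolation();
        return false;
    }
}
```

Alternatively, leave the user value out of the message entirely and report only which rule failed; that removes the interpolation question rather than escaping around it.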




Dawid Beer