If an application developer passes a non-sanitized string to OGNL or similar technologies (which you should never do), an attacker can use org.apache.ibatis.plugin.Invocation in the app's classpath to execute arbitrary code (RCE).

Comment From: harawata

This seems like a mistake or spam. Closing.

Comment From: springkill

I would like to know: if I want to report this vulnerability, which email address should I send the information to? @harawata

Comment From: harawata

@springkill,

Before I let you know my email address, let me check a few things.

For JDK's deserialization vulnerability, you should use JEP-290 filter. See #2079 .

I have received a report about RCE when using SQL provider. But the reporter used a user input string directly in the SQL returned from a provider, so it was not a MyBatis vulnerability. Is this not the case you are reporting?

Comment From: springkill

@harawata, the issue I found is not a deserialisation vulnerability; it works on JDK8u402 and applies to the latest version of mybatis3.

Comment From: harawata

Okay, send it to my Gmail. The account name is the same as GitHub's.

Comment From: wuwen5

@harawata Because I have extended the interception support for ResultSet, it has currently failed. Can we add ResultSet type support, or support a whitelist type configuration?

import java.sql.ResultSet;
import org.apache.ibatis.plugin.Interceptor;
import org.apache.ibatis.plugin.Intercepts;
import org.apache.ibatis.plugin.Invocation;
import org.apache.ibatis.plugin.Signature;
import lombok.extern.slf4j.Slf4j;

// Interceptor declared against the JDBC ResultSet interface, which is not a type MyBatis' plugin mechanism supports.
@Intercepts({@Signature(type = ResultSet.class, method = "next", args = {}),
        @Signature(type = ResultSet.class, method = "close", args = {})})
@Slf4j
public class MoreRowCheckInterceptor implements Interceptor {
    public Object intercept(Invocation invocation) throws Throwable {
        return invocation.proceed();
    }
}

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.ibatis.plugin.InterceptorChain;
import org.apache.ibatis.reflection.ExceptionUtil;

// Custom Statement proxy that runs every returned ResultSet through the MyBatis interceptor chain.
public class StatementProxy implements InvocationHandler {
    private static final String EXECUTE_QUERY = "executeQuery";
    private static final String GET_RESULT_SET = "getResultSet";
    private final Statement statement;
    private final InterceptorChain interceptorChain;
    public StatementProxy(Statement statement, InterceptorChain chain) { this.statement = statement; this.interceptorChain = chain; }
    public Object invoke(Object proxy, Method method, Object[] params) throws Throwable {
        try {
            if (EXECUTE_QUERY.equals(method.getName()) || GET_RESULT_SET.equals(method.getName())) {
                final ResultSet rs = (ResultSet) method.invoke(statement, params);
                return rs == null ? null : interceptorChain.pluginAll(rs);
            } else {
                return method.invoke(statement, params);
            }
        } catch (Throwable t) {
            throw ExceptionUtil.unwrapThrowable(t);
        }
    }
}

Comment From: harawata

@wuwen5,

MyBatis' interceptor does not (and will not) intercept JDBC API methods. If you have to intercept them, you need to use another technique.
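One such technique, shown here as an added example rather than code from MyBatis or from the commenter: wrap the ResultSet in a plain JDK dynamic proxy so the row check runs outside MyBatis' Plugin/Invocation machinery, which only targets MyBatis' own interfaces. The class name and the row threshold are assumptions.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical row-limit guard built on java.lang.reflect.Proxy instead of the MyBatis plugin chain.
public final class RowLimitResultSetWrapper implements InvocationHandler {
    private final ResultSet target;
    private final int maxRows; // threshold supplied by the caller (assumed value in usage)
    private int rows;

    private RowLimitResultSetWrapper(ResultSet target, int maxRows) {
        this.target = target;
        this.maxRows = maxRows;
    }

    // Returns a ResultSet whose next() fails once more than maxRows rows have been read.
    public static ResultSet wrap(ResultSet rs, int maxRows) {
        return (ResultSet) Proxy.newProxyInstance(
                ResultSet.class.getClassLoader(), new Class<?>[] {ResultSet.class},
                new RowLimitResultSetWrapper(rs, maxRows));
    }

    @Override
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        try {
            if ("next".equals(method.getName()) && (args == null || args.length == 0)) {
                boolean hasRow = (Boolean) method.invoke(target, args);
                if (hasRow && ++rows > maxRows) {
                    target.close(); // release the cursor before refusing further rows
                    throw new SQLException("Result exceeded " + maxRows + " rows");
                }
                return hasRow;
            }
            return method.invoke(target, args); // every other ResultSet call passes straight through
        } catch (InvocationTargetException e) {
            throw e.getCause(); // unwrap so callers see the original SQLException
        }
    }
}
```

In the StatementProxy above, `interceptorChain.pluginAll(rs)` would become `RowLimitResultSetWrapper.wrap(rs, 10_000)` (threshold assumed), which needs no `@Intercepts` signature for ResultSet at all.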