Description
DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.
DataGear v5.0.0 has a SpEL expression injection vulnerability leading to remote code execution.
Unsafe Code
The org.datagear.persistence.support.ConversionSqlParamValueMapper#evaluateVariableExpression method passes the expression content straight to the SpEL parser without any filtering or restriction, and that content is attacker-controllable, leading to SpEL expression injection.
protected Object evaluateVariableExpression(Connection cn, Table table, Column column, String value,
        NameExpression expression, ExpressionEvaluationContext expressionEvaluationContext,
        List<Object> expressionValues) throws Throwable
{
    // ......
    try
    {
        // The expression content comes from user input and is parsed as-is
        spelExpression = this.spelExpressionParser.parseExpression(expression.getContent());
    }
    catch (Throwable t)
    {
        // ......
    }
    try
    {
        // getValue(Object) evaluates against Spring's default StandardEvaluationContext,
        // which allows type references, constructors and arbitrary method calls
        expValue = spelExpression.getValue(expressionEvaluationContext.getVariableExpressionBean());
    }
    catch (Throwable t)
    {
        // ......
    }
    // ......
    return expValue;
}
Steps to Reproduce
When the /data/{schemaId}/{tableName}/view
interface is requested for a database table that has no primary key, an attacker can inject a malicious SpEL expression into the data field; when the "view" button is clicked, the SpEL expression is evaluated.
The malicious SpEL expression can look like this:
#{T(java.lang.String).forName('java.lang.Runtime').getRuntime().exec('calc')}
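As an added example (not DataGear's code), the following shows the mitigation a reviewer would ask for: evaluating a user-supplied variable expression with Spring's restricted SimpleEvaluationContext instead of the default StandardEvaluationContext that getValue(Object) uses above. RowBean, the class and method names are hypothetical stand-ins, and the expression text is assumed to be the content inside #{...}, as expression.getContent() returns it.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class RestrictedVariableExpressionDemo {

    // Hypothetical stand-in for the bean that variable expressions are evaluated against.
    public static class RowBean {
        private final String name;
        public RowBean(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Evaluates an expression body (the text inside "#{...}") against the row bean.
     * SimpleEvaluationContext in read-only data-binding mode exposes only property
     * reads on the bound object: T() type references, constructors, bean references
     * and method invocation are refused at evaluation time with an
     * EvaluationException, so an injected expression cannot reach java.lang.Runtime.
     */
    public static Object evaluateRestricted(String content, RowBean root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(content);
        return exp.getValue(ctx, root);
    }

    public static void main(String[] args) {
        RowBean row = new RowBean("alice");

        // Benign use: reading a property of the bound row still works.
        System.out.println(evaluateRestricted("name", row)); // alice

        // A type reference of the same shape as the reported payload is rejected.
        // A harmless class is used here; the rejection does not depend on the class.
        try {
            evaluateRestricted("T(java.lang.Math).random()", row);
            System.out.println("UNEXPECTED: type reference was evaluated");
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the expression at evaluation time is the safe default; if specific instance methods are genuinely needed, `SimpleEvaluationContext.Builder#withInstanceMethods()` permits them on the bound objects only, still without static or type-level access.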
Versions
datagear version: v5.0.0