SeanPesce
diff --git a/‎.gitignore
Lines changed: 18 additions & 0 deletions b/‎.gitignore
Lines changed: 18 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 1 addition & 0 deletions b/‎Dockerfile
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile.openjdk
Lines changed: 26 additions & 0 deletions b/‎Dockerfile.openjdk
Lines changed: 26 additions & 0 deletions
diff --git a/‎Dockerfile.oracle
Lines changed: 107 additions & 0 deletions b/‎Dockerfile.oracle
Lines changed: 107 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 126 additions & 0 deletions b/‎README.md
Lines changed: 126 additions & 0 deletions
diff --git a/‎pom.xml
Lines changed: 62 additions & 0 deletions b/‎pom.xml
Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,18 @@
+# https://github.com/github/gitignore/blob/main/Maven.gitignore
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+# https://github.com/takari/maven-wrapper#usage-without-binary-jar
+.mvn/wrapper/maven-wrapper.jar
+
+# Eclipse m2e generated files
+# Eclipse Core
+.project
+# JDT-specific (Eclipse Java Development Tools)
+.classpath
@@ -0,0 +1 @@
+Dockerfile.openjdk
@@ -0,0 +1,26 @@
+# Author: Sean Pesce
+
+ARG JAVA_VERSION=17
+FROM openjdk:${JAVA_VERSION}-jdk-alpine
+
+# Install Maven
+RUN apk add --no-cache maven  # Alpine
+# RUN apt-get update && apt-get install -y maven  # Debian
+# RUN yum install maven  # Fedora
+# RUN dnf install -y maven  # Oracle Linux
+
+WORKDIR /
+
+# Copy project files to the container
+COPY . .
+
+# Build web app with Maven
+RUN mvn clean package
+
+# Environment variable to indicate whether the server is running on Oracle Java or OpenJDK
+ENV JAVA_TYPE=OpenJDK
+
+# TCP port that the vulnerable web app will listen on
+ENV PORT=9999
+
+CMD java -jar target/spring-cve-2024-22243-0.1.0.jar ${PORT}
@@ -0,0 +1,107 @@
+# Edited by Sean Pesce from original source:
+# https://github.com/oracle/docker-images/blob/4c60fd894234f6252f44b65ed6556b63523224d7/OracleJava/17/Dockerfile
+
+# Copyright (c) 2020, 2022 Oracle and/or its affiliates.
+#
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+#
+# ORACLE DOCKERFILES PROJECT
+# --------------------------
+# This is the Dockerfile for Oracle JDK 17 on Oracle Linux 8
+#
+# REQUIRED FILES TO BUILD THIS IMAGE
+# ----------------------------------
+# This dockerfile will download a copy of JDK 17 from
+#	https://download.oracle.com/java/17/latest/jdk-17_linux-<ARCH>_bin.tar.gz
+# 
+# It will use either x64 or aarch64 depending on the target platform
+#
+# HOW TO BUILD THIS IMAGE
+# -----------------------
+# Run:
+#      $ docker build -t oracle/jdk:17 .
+#
+# This command is already scripted in build.sh so you can alternatively run
+#		$ bash build.sh
+#
+# The builder image will be used to uncompress the tar.gz file with the Java Runtime.
+
+FROM oraclelinux:8 as builder
+
+LABEL maintainer="Aurelio Garcia-Ribeyro <[email protected]>"
+
+# Since the files are compressed as tar.gz first dnf install tar. gzip is already in oraclelinux:8
+RUN dnf install -y tar
+	
+# Default to UTF-8 file.encoding
+ENV LANG en_US.UTF-8
+
+# Environment variables for the builder image.
+# Required to validate that you are using the correct file
+ENV JAVA_URL=https://download.oracle.com/java/17/latest \
+	JAVA_HOME=/usr/java/jdk-17
+# (Host name parsing mismatch between Spring and java.net.URI for Oracle Java versions 11-20)
+
+##
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN set -eux; \
+	ARCH="$(uname -m)" && \
+	# Java uses just x64 in the name of the tarball
+    if [ "$ARCH" = "x86_64" ]; \
+        then ARCH="x64"; \
+    fi && \
+    JAVA_PKG="$JAVA_URL"/jdk-17_linux-"${ARCH}"_bin.tar.gz ; \
+	JAVA_SHA256="$(curl "$JAVA_PKG".sha256)" ; \ 
+	curl --output /tmp/jdk.tgz "$JAVA_PKG" && \
+	echo "$JAVA_SHA256" */tmp/jdk.tgz | sha256sum -c; \
+	mkdir -p "$JAVA_HOME"; \
+	tar --extract --file /tmp/jdk.tgz --directory "$JAVA_HOME" --strip-components 1
+	
+## Get a fresh version of OL8 for the final image	
+FROM oraclelinux:8
+
+# Default to UTF-8 file.encoding
+ENV LANG en_US.UTF-8
+ENV	JAVA_HOME=/usr/java/jdk-17
+ENV	PATH $JAVA_HOME/bin:$PATH	
+
+# Environment variable to indicate whether the server is running on Oracle Java or OpenJDK
+ENV JAVA_TYPE=Oracle
+
+# If you need the Java Version you can read it from the release file with 
+# JAVA_VERSION=$(sed -n '/^JAVA_VERSION="/{s///;s/"//;p;}' "$JAVA_HOME"/release);
+
+# Copy the uncompressed Java Runtime from the builder image
+COPY --from=builder $JAVA_HOME $JAVA_HOME
+
+WORKDIR /
+
+# Copy project files to the container
+COPY . .
+
+RUN set -eux; \
+# Ensure we get the latest OL 8 updates available at build time
+	dnf -y update; \
+# JDK assumes freetype is available	
+	dnf install -y \
+		freetype fontconfig \
+	; \
+	rm -rf /var/cache/dnf; \
+	ln -sfT "$JAVA_HOME" /usr/java/default; \
+	ln -sfT "$JAVA_HOME" /usr/java/latest; \
+	for bin in "$JAVA_HOME/bin/"*; do \
+		base="$(basename "$bin")"; \
+		[ ! -e "/usr/bin/$base" ]; \
+		alternatives --install "/usr/bin/$base" "$base" "$bin" 20000; \
+	done;
+	
+
+RUN set -eux; dnf install -y maven
+
+# Build web app with Maven
+RUN mvn clean package
+
+# TCP port that the vulnerable web app will listen on
+ENV PORT=9999
+
+CMD java -jar target/spring-cve-2024-22243-0.1.0.jar ${PORT}
@@ -0,0 +1,126 @@
+# CVE-2024-22243  
+
+**Author: Sean Pesce**  
+
+This project contains an example web application that demonstrates exploitable scenarios for
+[CVE-2024-22243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22243),
+a URL-parsing vulnerability in the Java [Spring Framework](https://spring.io/)
+(official disclosure [here](https://spring.io/security/cve-2024-22243)).
+
+
+# Vulnerability  
+
+Affected versions of Spring parse the
+["userinfo" segment](https://en.wikipedia.org/wiki/Uniform_Resource_Identifier#Syntax) of URLs in a
+unique way, potentially resulting in the extraction of a host name segment that differs from many
+other common libraries.
+
+The abnormal behavior is due to the following regular expression ("regex") in the
+[`UriComponentsBuilder`](https://github.com/spring-projects/spring-framework/blob/2e07f9ab33d882876f46912fcea08030b2593d49/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java#L79)
+class (introduced by
+[this commit](https://github.com/spring-projects/spring-framework/commit/a4484bb767805ec9397302f1738d33123fb35dfb)
+in 2014):
+
+```java
+private static final String USERINFO_PATTERN = "([^@\\[/?#]*)";
+```
+
+This regex does not permit the "left bracket" character (`[`) in the user info segment. However,
+Spring appears to be an outlier with this behavior, so calling `getHost()` on a
+[`UriComponents`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/UriComponents.html)
+object constructed using [`UriComponentsBuilder.fromUriString`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/UriComponentsBuilder.html#fromUriString%28java.lang.String%29)
+or
+[`UriComponentsBuilder.fromHttpUrl`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/UriComponentsBuilder.html#fromHttpUrl%28java.lang.String%29)
+can result in unexpected behavior. The
+[`RestTemplate`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html)
+and [`WebClient`](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/reactive/function/client/WebClient.html)
+classes are also affected due to their internal use of `UriComponentsBuilder`; therefore,
+implementations can be rendered vulnerable even without direct use of `UriComponentsBuilder`.
+
+For specially-crafted inputs, Spring will return a host name value that differs from all of the
+following:
+
+ * Modern web browsers, including:
+   * Chrome (and other Chromium-based browsers)
+   * Firefox
+   * Safari
+ * [`java.net.URI`](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/net/URI.html) (reportedly only for specific Java versions; other versions raise a `URISyntaxException`)
+ * [`java.net.URL`](https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/net/URL.html)
+ * `curl`
+ * [`android.net.Uri`](https://developer.android.com/reference/android/net/Uri)
+ * [`okhttp3.HttpUrl`](https://square.github.io/okhttp/3.x/okhttp/okhttp3/HttpUrl.html)
+ * (Python 3) [`urllib.parse.urlparse`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlparse)
+
+(Note that this list is non-exhaustive.)  
+
+This behavior potentially renders Spring-based web applications vulnerable to
+[open redirect](https://cwe.mitre.org/data/definitions/601.html) and
+[server-side request forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) if the
+dependent implementation uses trusted host names for authorization or other security-relevant
+mechanisms.  
+
+## Examples  
+
+The example web application contains two vulnerable endpoints.
+
+The first endpoint, `/redirect`, shows how Spring's abnormal URL parsing can result in an open
+redirect. It can be exploited using a URL such as the following:
+
+```
+https://127.0.0.1[@evil.com
+```
+
+The second endpoint, `/health-check`, demonstrates how a mismatch in URL parsing between Spring and
+the Java standard library `URL` class can result in server-side request forgery (SSRF). It can be
+exploited using a URL such as the following:
+
+```
+https://evil.com[@127.0.0.1
+```
+
+
+## Usage  
+
+To build this project with Maven, simply run the following command (tested with OpenJDK 17):
+
+```
+mvn clean package
+```
+
+Then, start the web app with a command such as the following:
+
+```
+java -jar seanpesce-cve-2024-22243.jar 9999
+```
+
+The web app will be accessible at `http://127.0.0.1:9999/`.
+
+
+## Docker  
+
+To build the docker image, run the following command:
+
+```
+docker build -t seanpesce-cve-2024-22243:latest .
+```
+
+Then, start the web app with a command such as the following:
+
+```
+docker run -i -e PORT=9999 -p 9999:9999 seanpesce-cve-2024-22243:latest
+```
+
+The web app will be accessible at `http://127.0.0.1:9999/` on the Docker host.
+
+
+## Semgrep  
+
+This repository also contains [semgrep](https://semgrep.dev/) rules to assist in scanning for
+potentially-vulnerable code paths. [`spring-cve-2024-22243_loose.yaml`](semgrep/spring-cve-2024-22243_loose.yaml)
+performs naive scans for any use of the vulnerable APIs; as such, it will often return a large
+number of false positives. [`spring-cve-2024-22243_strict.yaml`](semgrep/spring-cve-2024-22243_strict.yaml)
+attempts to use stricter logic and taint analysis; however, this has not been
+thoroughly tested and has high potential to miss some vulnerable implementations (especially when not using
+Semgrep Pro, which does not support cross-file analysis).  
+
+
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Author: Sean Pesce -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.seanpesce</groupId>
+  <artifactId>spring-cve-2024-22243</artifactId>
+  <packaging>jar</packaging>
+  <version>0.1.0</version>
+
+  <properties>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-shade-plugin</artifactId>
+        <version>3.2.4</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>shade</goal>
+            </goals>
+            <configuration>
+              <transformers>
+                <transformer
+                  implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                  <mainClass>com.seanpesce.spring.VulnerableWebApp</mainClass>
+                </transformer>
+              </transformers>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <version>3.2.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-thymeleaf</artifactId>
+      <version>3.2.2</version>
+    </dependency>
+    <!-- WebClient class dependency -->
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-webflux</artifactId>
+      <version>3.2.2</version>
+    </dependency>
+  </dependencies>
+</project>