SPEL漏报问题 #25
Labels
bug
Something isn't working
Comments
|
感谢issue,最近太忙忽略了很多issue,后续会跟进修复 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
审计代码为datagear4.6.0 (https://github.com/datageartech/datagear/tree/v4.6.0)
尝试使用插件复现issuse的漏洞 datageartech/datagear#32
使用sink查找器,RCE下SPEL_RCE的sink类为org.springframework.expression.ExpressionParser#parseExpression(java.lang.String),sink方法为parseExpression。
并不能找到org.datagear.persistence.support.ConversionSqlParamValueMapper#evaluateVariableExpression中的
org.springframework.expression.common.TemplateAwareExpressionParser#parseExpression(java.lang.String)
(如是我使用方式有问题,请忽略这条issue)
The text was updated successfully, but these errors were encountered: