Block H2 Web Console
This commit is contained in:
parent
b7ac0504f3
commit
1b7bd2d935
@ -35,6 +35,8 @@ dependencies {
|
|||||||
testImplementation "org.yaml:snakeyaml:1.33"
|
testImplementation "org.yaml:snakeyaml:1.33"
|
||||||
testImplementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
|
testImplementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
|
||||||
testImplementation "io.netty:netty:3.10.5.Final"
|
testImplementation "io.netty:netty:3.10.5.Final"
|
||||||
|
testImplementation "com.h2database:h2:$h2_version"
|
||||||
|
testImplementation "javax.servlet:javax.servlet-api:${servlet_version}" // Needed to load H2 Web Console
|
||||||
}
|
}
|
||||||
|
|
||||||
sourceCompatibility = 8
|
sourceCompatibility = 8
|
||||||
|
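Review bot: The two added lines interpolate their versions differently, `$h2_version` on the h2 line and `${servlet_version}` on the servlet-api line; pick one form so the block reads consistently with the kotlin line above it, e.g. `testImplementation "javax.servlet:javax.servlet-api:$servlet_version" // Needed to load H2 Web Console`. Both are test-only dependencies pulled in solely so the new test can instantiate the console servlet, which the trailing comment on the second line says but the first line does not; extending the comment to cover both would make the pairing obvious. The `dependencies` block begins before the hunk.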
@ -63,6 +63,8 @@ public final class Patcher implements ClassFileTransformer {
|
|||||||
System.out.println();
|
System.out.println();
|
||||||
} catch (ClassNotFoundException e) {
|
} catch (ClassNotFoundException e) {
|
||||||
System.out.println("not present.");
|
System.out.println("not present.");
|
||||||
|
} catch (NoClassDefFoundError e) {
|
||||||
|
System.out.println("not present.");
|
||||||
} catch (UnmodifiableClassException e) {
|
} catch (UnmodifiableClassException e) {
|
||||||
throw new IOException("Problems transforming class", e);
|
throw new IOException("Problems transforming class", e);
|
||||||
}
|
}
|
||||||
@ -109,7 +111,6 @@ public final class Patcher implements ClassFileTransformer {
|
|||||||
}
|
}
|
||||||
return clazz.toBytecode();
|
return clazz.toBytecode();
|
||||||
} catch (NotFoundException | CannotCompileException | IOException e) {
|
} catch (NotFoundException | CannotCompileException | IOException e) {
|
||||||
e.printStackTrace();
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
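Review bot: Dropping `e.printStackTrace()` from the `catch (NotFoundException | CannotCompileException | IOException e)` block in the second hunk leaves that path completely silent: the transformer returns null, so the JVM loads the original, unpatched bytes and nothing records that a blocking rule was not applied. For an agent whose job is to disable vulnerable entry points that is a fail-open with no signal; keep a one-line report on the stream the class already writes to, e.g. `System.err.println("aegis4j: failed to transform class, loading it unpatched: " + e);`, or rethrow if loading unpatched is not acceptable. In the first hunk, `catch (NoClassDefFoundError e)` printing "not present." also covers the case where the class itself exists but one of its dependencies could not be loaded, so the message can mislead; printing `e.getMessage()` alongside it would distinguish the two. The enclosing method starts before the first hunk and the class body continues past the second.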
@ -0,0 +1,31 @@
|
|||||||
|
/* Copyright (c) 2022, Daniel Gredler. All rights reserved. */
|
||||||
|
|
||||||
|
package net.gredler.aegis4j;
|
||||||
|
|
||||||
|
import org.h2.server.web.WebServlet;
|
||||||
|
import org.junit.jupiter.api.AfterAll;
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||||
|
import static org.junit.jupiter.api.Assertions.fail;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests H2 Web Console blocking.
|
||||||
|
*/
|
||||||
|
public class CVE_2018_10054 {
|
||||||
|
@AfterAll
|
||||||
|
public static void uninstallAgent() throws Exception {
|
||||||
|
System.clearProperty("aegis4j.additional.args");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void test() throws Exception {
|
||||||
|
TestUtils.installAgent("path=../resources/test/h2-mods.properties");
|
||||||
|
try {
|
||||||
|
new WebServlet();
|
||||||
|
fail("Exception expected");
|
||||||
|
} catch (RuntimeException e) {
|
||||||
|
assertEquals("H2 Console blocked by aegis4j", e.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
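Review bot: The try/`fail`/catch shape in `test()` is the pre-Jupiter idiom; with the JUnit 5 imports already present the same check is `RuntimeException e = assertThrows(RuntimeException.class, WebServlet::new);` followed by the existing `assertEquals`, plus `import static org.junit.jupiter.api.Assertions.assertThrows;`. The agent is installed with `path=../resources/test/h2-mods.properties` while the file is added under `src/test/resources/`, so the path is evidently resolved against something other than the source tree; a comment on that line naming the base directory it assumes would keep the test from breaking silently when the build layout changes. `@AfterAll` only clears the `aegis4j.additional.args` property; if `TestUtils.installAgent` attaches an agent that stays resident, the H2 block persists into any other test class run in the same JVM, which is worth confirming against the test runner's fork settings and documenting on the class.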
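--- /dev/null
+++ b/tools/aegis4j/src/test/resources/h2-mods.properties
@@ -0,0 +1,3 @@
+# format: <feature>.<class-name>.<method-name>=<replacement-code>
+# CVE-2018-10054, CVE-2021-42392, CVE-2018-14335
+H2.org.h2.server.web.WebServlet.WebServlet=throw new java.lang.RuntimeException("H2 Console blocked by aegis4j");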
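Review bot: The rule hooks only the `WebServlet` constructor, i.e. the servlet-deployed console, and the comment above it lists three CVEs without saying what the constructor throw covers for each; a short phrase per CVE, and a line stating whether H2's own embedded console start-up (the `org.h2.tools.Server` path, which does not go through `WebServlet`) is intentionally out of scope, would let a reader judge the coverage without looking each advisory up. This file duplicates the rule the same commit adds to the main `mods.properties`, and the test exercises only this copy, so the two must stay byte-identical for the test to say anything about the shipped file; a comment such as `# keep in sync with the H2 entry in src/main/resources/mods.properties` (placeholder path, confirm the actual location) would make that coupling explicit.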
@ -4,6 +4,7 @@
|
|||||||
# Patches the 3 protected methods which InitialContext uses internally to get all Context instances,
|
# Patches the 3 protected methods which InitialContext uses internally to get all Context instances,
|
||||||
# so that these methods always throw a NoInitialContextException (NICE). As a result, no JNDI lookups
|
# so that these methods always throw a NoInitialContextException (NICE). As a result, no JNDI lookups
|
||||||
# are possible.
|
# are possible.
|
||||||
|
# Also: CVE-2022-23221, CVE-2021-42392
|
||||||
JNDI.javax.naming.InitialContext.getURLOrDefaultInitCtx=throw new javax.naming.NoInitialContextException("JNDI context creation blocked by aegis4j");
|
JNDI.javax.naming.InitialContext.getURLOrDefaultInitCtx=throw new javax.naming.NoInitialContextException("JNDI context creation blocked by aegis4j");
|
||||||
JNDI.javax.naming.InitialContext.getDefaultInitCtx=throw new javax.naming.NoInitialContextException("JNDI context creation blocked by aegis4j");
|
JNDI.javax.naming.InitialContext.getDefaultInitCtx=throw new javax.naming.NoInitialContextException("JNDI context creation blocked by aegis4j");
|
||||||
# RMI
|
# RMI
|
||||||
@ -63,3 +64,5 @@ KOTLIN.kotlin.io.FilesKt__UtilsKt.createTempFile=throw new java.lang.RuntimeExce
|
|||||||
GUAVA.com.google.common.io.Files.createTempDir=throw new java.lang.RuntimeException("Guava createTempDir blocked by aegis4j");
|
GUAVA.com.google.common.io.Files.createTempDir=throw new java.lang.RuntimeException("Guava createTempDir blocked by aegis4j");
|
||||||
# CVE-2019-16869 - HttpObjectDecoder was called HttpMessageDecoder back then
|
# CVE-2019-16869 - HttpObjectDecoder was called HttpMessageDecoder back then
|
||||||
NETTYHTTP.org.jboss.netty.handler.codec.http.HttpMessageDecoder.HttpMessageDecoder=throw new java.lang.RuntimeException("netty-codec-http HttpMessageDecoder blocked by aegis4j");
|
NETTYHTTP.org.jboss.netty.handler.codec.http.HttpMessageDecoder.HttpMessageDecoder=throw new java.lang.RuntimeException("netty-codec-http HttpMessageDecoder blocked by aegis4j");
|
||||||
|
# CVE-2018-10054, CVE-2021-42392, CVE-2018-14335
|
||||||
|
H2.org.h2.server.web.WebServlet.WebServlet=throw new java.lang.RuntimeException("H2 Console blocked by aegis4j");
|
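Review bot: The added `# Also: CVE-2022-23221, CVE-2021-42392` in the first hunk sits in the JNDI section as a bare identifier list, so it is not clear whether it documents additional advisories the JNDI block mitigates or merely related ones; stating the relationship, e.g. `# Also mitigates the JNDI vectors of CVE-2022-23221 and CVE-2021-42392`, avoids the ambiguity. The H2 entry in the second hunk carries the same CVE comment as the new test resource file; the remark on keeping the two copies in sync applies here as well.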