diff --git a/tools/aegis4j/build.gradle b/tools/aegis4j/build.gradle index b70ae385c2..3d3d4ebeb2 100644 --- a/tools/aegis4j/build.gradle +++ b/tools/aegis4j/build.gradle @@ -32,6 +32,7 @@ dependencies { } // testImplementation group: 'com.ea.agentloader', name: 'ea-agent-loader', version: '1.0.3' testImplementation "com.google.guava:guava:$guava_version" + testImplementation "org.yaml:snakeyaml:1.33" } sourceCompatibility = 8 diff --git a/tools/aegis4j/src/test/java/net/gredler/aegis4j/AegisAgentSystemPropertyTest.java b/tools/aegis4j/src/test/java/net/gredler/aegis4j/AegisAgentSystemPropertyTest.java index 2a357c3ed2..93ba4aaf76 100644 --- a/tools/aegis4j/src/test/java/net/gredler/aegis4j/AegisAgentSystemPropertyTest.java +++ b/tools/aegis4j/src/test/java/net/gredler/aegis4j/AegisAgentSystemPropertyTest.java @@ -8,7 +8,7 @@ import org.junit.jupiter.api.Test; import static org.junit.jupiter.api.Assertions.assertEquals; /** - * Tests {@link AegisAgent} monitoring via system properties. + * Tests {@link AegisAgent} extra args via system properties. */ public class AegisAgentSystemPropertyTest { @AfterAll diff --git a/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2022_1471.java b/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2022_1471.java new file mode 100644 index 0000000000..cc78e58670 --- /dev/null +++ b/tools/aegis4j/src/test/java/net/gredler/aegis4j/CVE_2022_1471.java @@ -0,0 +1,31 @@ +/* Copyright (c) 2022, Daniel Gredler. All rights reserved. */ + +package net.gredler.aegis4j; + +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.Test; +import org.yaml.snakeyaml.constructor.Constructor; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.fail; + +/** + * Tests SnakeYAML blocking. + */ +public class CVE_2022_1471 { + @AfterAll + public static void uninstallAgent() throws Exception { + System.clearProperty("aegis4j.additional.args"); + } + + @Test + public void test() throws Exception { + TestUtils.installAgent("path=../resources/test/snakeyaml-mods.properties"); + try { + Constructor banned = new Constructor(this.getClass()); + fail("Exception expected"); + } catch (RuntimeException e) { + assertEquals("SnakeYAML Constructor blocked by aegis4j", e.getMessage()); + } + } +} diff --git a/tools/aegis4j/src/test/resources/snakeyaml-mods.properties b/tools/aegis4j/src/test/resources/snakeyaml-mods.properties new file mode 100644 index 0000000000..fb117c1956 --- /dev/null +++ b/tools/aegis4j/src/test/resources/snakeyaml-mods.properties @@ -0,0 +1,8 @@ +# format: ..= +# CVE-2022-1471 +SNAKEYAML.org.yaml.snakeyaml.constructor.Constructor.Constructor=throw new java.lang.RuntimeException("SnakeYAML Constructor blocked by aegis4j"); +# CVE-2020-29582 +#KOTLIN.kotlin.io.FilesKt__UtilsKt.createTempDir=throw new java.lang.RuntimeException("Kotlin createTempDir blocked by aegis4j"); +#KOTLIN.kotlin.io.FilesKt__UtilsKt.createTempFile=throw new java.lang.RuntimeException("Kotlin createTempFile blocked by aegis4j"); +# CVE-2020-8908 +#GUAVA.com.google.common.io.Files.createTempDir=throw new java.lang.RuntimeException("Guava createTempDir blocked by aegis4j"); \ No newline at end of file