Site icon API Security Blog

OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)

SpEL Injection in PUT /api/v1/policies (GHSL-2023-252) Please note, only authorized and admin role users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability CompiledRule::validateExpression is also called from PolicyRepository.prepare “`java @Override public void prepare(Policy policy, boolean update) { validateRules(policy); } … public void validateRules(Policy policy) { List rules = policy.getRules(); if (nullOrEmpty(rules)) { throw new IllegalArgumentException(CatalogExceptionMessage.EMPTY_RULES_IN_POLICY); } // Validate all the expressions in the rule for (Rule rule : rules) { CompiledRule.validateExpression(rule.getCondition(), Boolean.class); rule.getResources().sort(String.CASE_INSENSITIVE_ORDER); rule.getOperations().sort(Comparator.comparing(MetadataOperation::value)); // Remove redundant resources rule.setResources(filterRedundantResources(rule.getResources())); // Remove redundant operations rule.setOperations(filterRedundantOperations(rule.getOperations())); } rules.sort(Comparator.comparing(Rule::getName)); } “` prepare() is called from EntityRepository.prepareInternal() which, in turn, gets called from the EntityResource.createOrUpdate(): “`java public Response createOrUpdate(UriInfo uriInfo, SecurityContext securityContext, T entity) { repository.prepareInternal(entity, true); // If entity does not exist, this is…Read More

Exit mobile version