CVE-2021-28170 Fix expression delimiter escaping #160
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: rmartinc [email protected]
This was referenced Jul 1, 2021
|
Any ETA on when this fix will be released into a new version? |
|
+1 for a merge and new version |
|
Can we have this fix into 3.x? it is not possible for us to upgrade 4.x due to packaging changes |
|
found a good replacement from jboss repo - https://repository.jboss.org/nexus/content/repositories/thirdparty-releases/org/glassfish/jakarta.el/ |
|
There are missing copyright headers. I'll merge it and we'll add it later respecting the authorship. |
Merged
|
We need this fix as well in v3.x as it'll be impossible at the moment to upgrade to v4.x. Could you please let us know whether you're planning to port it in v3.x and provide an ETA if so? Thanks, |
el-bot
pushed a commit
that referenced
this pull request
Aug 17, 2021
Co-authored-by: rmartinc [email protected]
senivam
pushed a commit
to senivam/el-ri
that referenced
this pull request
Aug 17, 2021
Co-authored-by: rmartinc [email protected]
m0mus
pushed a commit
that referenced
this pull request
Aug 17, 2021
* CVE-2021-28170 Fix expression delimiter escaping (#160) Co-authored-by: rmartinc [email protected] * Fix copyrights (#164) Signed-off-by: Jorge Bescos Gascon <[email protected]> * javax adaptation Signed-off-by: Maxim Nesen <[email protected]> Co-authored-by: TomasHofman <[email protected]> Co-authored-by: jbescos <[email protected]>
|
is it merged in version 3.0.3 or we need to upgrade for 4.x. to fix the issue |
|
@deepmanit The changes are in https://github.com/eclipse-ee4j/el-ri/releases/tag/3.0.4-impl but it hasn't been published to Maven Central yet. |
@joschi any idea when will the 3.x be pushed to Maven central? It would be really helpful if we get it ASAP in Maven Central :) |
It's been there for a month now: https://search.maven.org/artifact/com.sun.el/el-ri/3.0.4/jar |
@fenneclabs but I don't see jakarta.el:jakarta.el-api:3.0.4 in maven central. Am I missing something here? |
Yes. The API and the implementation are separate and are provided in separate JARs. This is a vulnerability in the Glassfish implementation of the EL API so the Glassfish implementation was updated. The EL API is unaffected. |
1 task
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 10, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 10, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 11, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 12, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 15, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 18, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
hankem
added a commit
to TNG/config-builder
that referenced
this pull request
Sep 23, 2022
After `javax.el` v. 3.0.1-b*, the artifactId was changed to `jakarta.el`, cf. https://github.com/javaee/uel-ri: > This project is now part of the EE4J initiative. > This repository has been archived > as all activities are now happening in the corresponding Eclipse repository. `jakarta.el` v. <= 3.0.3 (and likewise previous versions of `javax.el`) suffer from https://nvd.nist.gov/vuln/detail/CVE-2021-28170. Its effect can be seen in the following unit tests (after jakartaee/expression-language#160): ``` @test public void testEscape01() { testEvaluation("$${1+1}", "$2"); testEvaluation("$\\${1+1}", "$${1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape02() { testEvaluation("$#{1+1}", "$2"); testEvaluation("$\\#{1+1}", "$#{1+1}"); // is actually "$\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape03() { testEvaluation("##{1+1}", "#2"); testEvaluation("#\\#{1+1}", "##{1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } @test public void testEscape04() { testEvaluation("#${1+1}", "#2"); testEvaluation("#\\${1+1}", "#${1+1}"); // is actually "#\2" with {javax,jakarta}.el < 3.0.4 } void testEvaluation(String expression, String expectedValue) { javax.el.ELContext context = new javax.el.ELProcessor().getELManager().getELContext(); Object evaluatedExpression = javax.el.ELManager.getExpressionFactory() .createValueExpression(context, expression, String.class) .getValue(context); assertThat(evaluatedExpression).isEqualTo(expectedValue); } ``` Signed-off-by: Manfred Hanke <[email protected]>
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Co-authored-by: rmartinc [email protected]
Fixes #155