velocity的標籤中支持$abc 這樣的語法,如果abc是一個對象,則寫模板時就可以利用它來進行反射,調用一些危險的方法,如
$vm.getClass().newInstance()
#set ($exec = "kxlzx")$exec.class.forName("java.lang.Runtime").getRuntime().exec("calc")
通過反射,讓系統本身出現了安全漏洞,這類危險的操作,可以通過屏蔽反射來杜絕,在velocity屬性中添加一行配置即可
runtime.introspector.uberspect = org.apache.velocity.util.introspection.SecureUberspector
velocity默認的配置爲:
runtime.introspector.uberspect = org.apache.velocity.util.introspection.UberspectImpl
本文主要討論從velocity初始化過程到解析標籤。以及如何通過
SecureUberspector
來屏蔽反射,歡迎補充。
velocity的內省主要的用處是解析如$a.id,$a.name的引用,與其說是內省,不如說是通過反射找get方法。。。。
關於內省的概念 傳送門:http://www.cnblogs.com/peida/archive/2013/06/03/3090842.html
先來分析velocity的初始化過程
這裏只是對velocity初始化過程的概括,初始化過程大量依賴的配置參數,即velocity.properties,用戶一般自定義該文件或直接載入Properties,默認的配置目錄爲
org/apache/velocity/runtime/defaults/velocity.properties
調用方法渲染流程
VelocityEngine velocityEngine = new VelocityEngine("/velocity.properties"); velocityEngine.evaluate(context, writer, "logMsgName", new InputStreamReader(VelocityTest2.class.getResource("test.vm").openStream()));
生成NodeTree的代碼比較複雜,可能用的是某種算法,總之,最後的Tree裏面包含了所有的vm信息,如果是parse\include會生成AsTDirective,如果是文本,會生成ASTText對應,如果是set,會生成ASTSetDirective,如果是引用,會生成ASTReference對應。。等等。。
這裏列舉幾個標籤的處理流程
parse
從源代碼分析來看,parse標籤裏面的內容甚至可以寫成動態的,如
#parse("${a}.vm")
發送includeEvent和velocity初始化過程中的各個事件處理器是對應的,引入vm文件外的文件,都會觸發includeEvent,然後根據其返回值,來找到真正的vm資源文件,因此,我們可以在eventHander中重定向返回的資源位置,如 a.vm -> b.vm
另外,parse和include 對velocity來說,是兩種type,解析parse文件時,會把context傳入進行解析
引用標籤,如$a,$vm.id
普通的引用渲染流程不包括子流程 “SecureUberspector攔截方法”,如果引用值爲$a.id ,則會去找a.getid() -> a.getId(),,然後反射調用method.invoke(objecct)
引用的渲染流程會根據identifier和method進行不同的流程
identifier方式即$a.id
method方式即$a.println()
爲什麼下面兩行嗲嗎的效果一樣呢
$exec.class $exec.getClass()
原因就在這裏,velocity把class當成一個屬性來處理了,因此,去找getClass方法,恰好對象都有getClass方法,這樣效果就和直接寫$exec.getClass()一樣了
SecureUberspector如果達到屏蔽反射方法的呢,先來看一看它的類依賴
UberspecttImpl中有一個introspector對象,SecureUberspector對其進行了重定義SecureUberspector的初始化方法如下,badPackages和badClass的配置也是在默認的velocity.properties中配置的,用戶可以添加更多的配置
public void init() { String [] badPackages = runtimeServices.getConfiguration() .getStringArray(RuntimeConstants.INTROSPECTOR_RESTRICT_PACKAGES); String [] badClasses = runtimeServices.getConfiguration() .getStringArray(RuntimeConstants.INTROSPECTOR_RESTRICT_CLASSES); introspector = new SecureIntrospectorImpl(badClasses, badPackages, log); }
SecureIntrospectorImpl實現了方法
public Method getMethod(Class clazz, String methodName, Object[] params) throws IllegalArgumentException { if (!checkObjectExecutePermission(clazz, methodName)) { log.warn("Cannot retrieve method " + methodName + " from object of class " + clazz.getName() + " due to security restrictions."); return null; } else { return super.getMethod(clazz, methodName, params); } }
/** * Determine which methods and classes to prevent from executing. Always blocks * methods wait() and notify(). Always allows methods on Number, Boolean, and String. * Prohibits method calls on classes related to reflection and system operations. * For the complete list, see the properties <code>introspector.restrict.classes</code> * and <code>introspector.restrict.packages</code>. * * @param clazz Class on which method will be called * @param methodName Name of method to be called * @see org.apache.velocity.util.introspection.SecureIntrospectorControl#checkObjectExecutePermission(java.lang.Class, java.lang.String) */ public boolean checkObjectExecutePermission(Class clazz, String methodName) { /** * check for wait and notify */ if (methodName != null && (methodName.equals("wait") || methodName.equals("notify")) ) { return false; } /** * Always allow the most common classes - Number, Boolean and String */ else if (Number.class.isAssignableFrom(clazz)) { return true; } else if (Boolean.class.isAssignableFrom(clazz)) { return true; } else if (String.class.isAssignableFrom(clazz)) { return true; } /** * Always allow Class.getName() */ else if (Class.class.isAssignableFrom(clazz) && (methodName != null) && methodName.equals("getName")) { return true; } /** * check the classname (minus any array info) * whether it matches disallowed classes or packages */ String className = clazz.getName(); if (className.startsWith("[L") && className.endsWith(";")) { className = className.substring(2, className.length() - 1); } int dotPos = className.lastIndexOf('.'); String packageName = (dotPos == -1) ? "" : className.substring(0, dotPos); for (int i = 0, size = badPackages.length; i < size; i++) { if (packageName.equals(badPackages[i])) { return false; } } for (int i = 0, size = badClasses.length; i < size; i++) { if (className.equals(badClasses[i])) { return false; } } return true; }
SecureIntrospectorImpl
這裏可以看見它對對象訪問方法的屏蔽操作
badPackage:java.lang.refect
badClass:
那麼,爲什麼我們不直接使用SecureIntrospectorImpl呢,因爲它僅僅是一個工具
SecureUberspector類對foreach標籤也進行了支持
/** * Get an iterator from the given object. Since the superclass method * this secure version checks for execute permission. * * @param obj object to iterate over * @param i line, column, template info * @return Iterator for object * @throws Exception */ public Iterator getIterator(Object obj, Info i) throws Exception { if (obj != null) { SecureIntrospectorControl sic = (SecureIntrospectorControl)introspector; if (sic.checkObjectExecutePermission(obj.getClass(), null)) { return super.getIterator(obj, i); } else { log.warn("Cannot retrieve iterator from " + obj.getClass() + " due to security restrictions."); } } return null; }
就這樣,foreach時,如果對象是java.lang.refect包下的類或badClass,就沒有權限了