68 changes: 68 additions & 0 deletions src/main/java/org/joychou/controller/CommandInject2.java
@@ -0,0 +1,68 @@
package org.joychou.controller;

Comment on lines +1 to +2
Owner Author


HELLO 1

import org.joychou.security.SecurityUtil;
import org.joychou.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@RestController
public class CommandInject {
Comment on lines +1 to +14


⚠️ Potential issue

File name and class name do not match

The file is named CommandInject2.java, but the class is named CommandInject. This will cause a compilation error.

-public class CommandInject {
+public class CommandInject2 {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
package org.joychou.controller;
import org.joychou.security.SecurityUtil;
import org.joychou.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@RestController
public class CommandInject {
package org.joychou.controller;
import org.joychou.security.SecurityUtil;
import org.joychou.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
@RestController
public class CommandInject2 {
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java at lines 1 to 14,
the class name CommandInject does not match the file name CommandInject2.java,
causing a compilation error. Rename the class to CommandInject2 to match the
file name exactly.


protected final Logger logger = LoggerFactory.getLogger(this.getClass());

/**
* http://localhost:8080/codeinject?filepath=/tmp;cat /etc/passwd
*
* @param filepath filepath
* @return result
*/
@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {

String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
Comment on lines +24 to +32


⚠️ Potential issue

Critical security vulnerability: command injection

This method has a critical command injection vulnerability. The user-supplied filepath parameter is concatenated directly into a shell command without any filtering or escaping. An attacker can execute arbitrary commands by injecting special characters (such as semicolons or pipe characters).

Suggested fix:

 @GetMapping("/codeinject")
 public String codeInject(String filepath) throws IOException {
-    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
+    // Option 1: use a parameterized command and avoid shell parsing
+    String[] cmdList = new String[]{"ls", "-la", filepath};
+    
+    // Option 2: if a shell is required, apply strict filtering first
+    // String filterFilePath = SecurityUtil.cmdFilter(filepath);
+    // if (filterFilePath == null) {
+    //     throw new IllegalArgumentException("illegal file path");
+    // }
+    // String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+    
     ProcessBuilder builder = new ProcessBuilder(cmdList);
     builder.redirectErrorStream(true);
     Process process = builder.start();
     return WebUtils.convertStreamToString(process.getInputStream());
 }
📝 Committable suggestion


Suggested change
@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {
String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {
// Option 1: use a parameterized command and avoid shell parsing
String[] cmdList = new String[]{"ls", "-la", filepath};
// Option 2: if a shell is required, apply strict filtering first
// String filterFilePath = SecurityUtil.cmdFilter(filepath);
// if (filterFilePath == null) {
// throw new IllegalArgumentException("illegal file path");
// }
// String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java around lines 24 to
32, the method directly concatenates the user input filepath into a shell
command, causing a critical command injection vulnerability. To fix this, avoid
using shell command strings with concatenated user input; instead, pass the
filepath as a separate argument to ProcessBuilder without invoking a shell, or
validate and sanitize the filepath input strictly before use. This prevents
execution of arbitrary commands injected via special characters.


/**
* Host Injection
* Host: hacked by joychou;cat /etc/passwd
* http://localhost:8080/codeinject/host
*/
@GetMapping("/codeinject/host")
public String codeInjectHost(HttpServletRequest request) throws IOException {

String host = request.getHeader("host");
logger.info(host);
// 使用白名单或其他防护措施,如仅允许合法域名
String safeHost = SecurityUtil.hostFilter(host);
if (safeHost == null) {
throw new IllegalArgumentException("非法或危险的host");
}
String[] cmdList = new String[]{"sh", "-c", "curl " + safeHost};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}

@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
String filterFilePath = SecurityUtil.cmdFilter(filepath);
if (null == filterFilePath) {
return "Bad boy. I got u.";
}
String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
Comment on lines +56 to +67


🛠️ Refactor suggestion

Relatively safe, but still needs improvement

This method uses SecurityUtil.cmdFilter for input filtering, which makes it safer than the other methods. According to the code snippet, the filter only allows letters, digits, underscores, slashes, dots and hyphens.

However, it is still recommended to:

  1. Avoid shell mode and switch to a parameterized command
  2. Consider using native Java APIs instead of system commands

Improved version:

 @GetMapping("/codeinject/sec")
 public String codeInjectSec(String filepath) throws IOException {
     String filterFilePath = SecurityUtil.cmdFilter(filepath);
     if (null == filterFilePath) {
         return "Bad boy. I got u.";
     }
-    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+    // use a parameterized command to avoid shell injection
+    String[] cmdList = new String[]{"ls", "-la", filterFilePath};
     ProcessBuilder builder = new ProcessBuilder(cmdList);
     builder.redirectErrorStream(true);
     Process process = builder.start();
     return WebUtils.convertStreamToString(process.getInputStream());
 }
📝 Committable suggestion


Suggested change
@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
String filterFilePath = SecurityUtil.cmdFilter(filepath);
if (null == filterFilePath) {
return "Bad boy. I got u.";
}
String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
String filterFilePath = SecurityUtil.cmdFilter(filepath);
if (null == filterFilePath) {
return "Bad boy. I got u.";
}
// use a parameterized command to avoid shell injection
String[] cmdList = new String[]{"ls", "-la", filterFilePath};
ProcessBuilder builder = new ProcessBuilder(cmdList);
builder.redirectErrorStream(true);
Process process = builder.start();
return WebUtils.convertStreamToString(process.getInputStream());
}
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java lines 56 to 67, the
method uses a shell command with ProcessBuilder that concatenates user input,
which is risky despite input filtering. To fix this, avoid using the shell by
passing command and arguments as separate parameters to ProcessBuilder without
"sh -c". Alternatively, replace the system command with Java native APIs like
java.nio.file.Files to list directory contents, eliminating the need for
external commands and improving security.

}
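Review bot: codeInjectHost and codeInjectSec still run `"curl " + safeHost` and `"ls -la " + filterFilePath` through `sh -c`, so their safety rests entirely on SecurityUtil.hostFilter and SecurityUtil.cmdFilter rejecting every character the shell treats specially; passing the value as its own argv element (`new ProcessBuilder("curl", safeHost)`, `new ProcessBuilder("ls", "-la", filterFilePath)`) removes the shell from the path and makes the filter a defence in depth rather than the only barrier. Independently of injection, none of the three handlers calls `waitFor()` or destroys the child after reading stdout, so a `curl` that hangs on an unreachable host leaves a process behind for every request; read the stream, then `waitFor` with a timeout and `destroyForcibly()` on expiry. The file-name/class-name mismatch on line 14 has already been raised above.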
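The two review comments above recommend either dropping `sh -c` in favour of a parameterized ProcessBuilder call or replacing the command with `java.nio.file.Files`. The following is an added example, not code from this PR or from the java-sec-code project, showing both options side by side with the checks a hardened listing endpoint needs: the user path is resolved under an assumed base directory (`/tmp`, a placeholder policy), normalized and checked with `toRealPath()` so neither `..` nor a symlink can leave it, and the process variant reads stdout before `waitFor` with a timeout so a stuck child is killed instead of leaked. Class and method names (`SafeListing`, `resolveUnderBase`, `listWithFiles`, `listWithProcess`) are hypothetical; the code assumes Java 8+ on a Unix host where `ls` exists.

```java
// Added example; not part of the PR or the java-sec-code project.
// Demonstrates the two fixes proposed in review without handing user input to "sh -c".
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

public final class SafeListing {

    // Assumed policy: the endpoint may only list things under this directory.
    private static final Path BASE = Paths.get("/tmp").toAbsolutePath().normalize();

    /**
     * Resolve a user-supplied path against BASE and refuse anything that escapes it.
     * normalize() collapses "..", toRealPath() follows symlinks, so a link pointing
     * outside BASE is rejected as well. Shell metacharacters are never interpreted:
     * "/tmp;cat /etc/passwd" is simply a file name that does not exist.
     */
    static Path resolveUnderBase(String userPath) throws IOException {
        if (userPath == null || userPath.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        Path candidate = BASE.resolve(userPath).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        Path real = candidate.toRealPath(); // NoSuchFileException if it does not exist
        if (!real.startsWith(BASE)) {
            throw new IllegalArgumentException("symlink escapes base directory");
        }
        return real;
    }

    /** Option 2 from the review: no external process at all, plain java.nio.file. */
    static List<String> listWithFiles(String userPath) throws IOException {
        Path dir = resolveUnderBase(userPath);
        List<String> out = new ArrayList<>();
        try (DirectoryStream<Path> stream = Files.newDirectoryStream(dir)) {
            for (Path entry : stream) {
                BasicFileAttributes a = Files.readAttributes(entry, BasicFileAttributes.class);
                out.add(String.format("%s %10d %s",
                        a.isDirectory() ? "d" : "-", a.size(), entry.getFileName()));
            }
        }
        return out;
    }

    /**
     * Option 1 from the review: if an external tool really is required, pass argv
     * directly. The path is one argument; no shell ever parses it. stdout is drained
     * before waitFor() so a chatty child cannot block on a full pipe, and a timeout
     * plus destroyForcibly() prevents leaking a hung process per request.
     */
    static String listWithProcess(String userPath) throws IOException, InterruptedException {
        Path dir = resolveUnderBase(userPath);
        ProcessBuilder pb = new ProcessBuilder("ls", "-la", dir.toString());
        pb.redirectErrorStream(true);
        Process p = pb.start();
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = p.getInputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
        }
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("ls timed out");
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String input = args.length > 0 ? args[0] : ".";
        for (String line : listWithFiles(input)) {
            System.out.println(line);
        }
        System.out.println(listWithProcess(input));
    }
}
```

Run it with a path such as `.` or `/tmp` to see both listings, and with `../etc` or `/tmp;cat /etc/passwd` to see the resolver reject the input before any process is started. In a Spring controller the two static methods would be called from the handler and the IllegalArgumentException mapped to a 400 response; the base-directory check is the part the PR's filters do not provide, since a path that is free of shell metacharacters can still point anywhere on disk.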