CVE-2022-22963

https://github.com/vulhub/vulhub/blob/master/spring/CVE-2022-22963/README.zh-cn.md

https://paper.seebug.org/1977/

https://sourcegraph.com/github.com/spring-cloud/spring-cloud-function/-/commit/03db9baee65ba0ddcd2c2cbc1f4ebc3646a6872e?visible=3

概述

Spring Cloud Function SpEL表达式命令注入（CVE-2022-22963）

Spring Cloud Function 提供了一个通用的模型，用于在各种平台上部署基于函数的软件，包括像 Amazon AWS Lambda 这样的 FaaS（函数即服务，function as a service）平台。

影响版本：3.0.0 <= Spring Cloud Function <= 3.2.2

分析

org.springframework.cloud.function.context.config.RoutingFunction#route

	private Object route(Object input, boolean originalInputIsPublisher) {
		FunctionInvocationWrapper function = null;

		if (input instanceof Message) {
			Message<?> message = (Message<?>) input;
			if (this.routingCallback != null) {
				FunctionRoutingResult routingResult = this.routingCallback.routingResult(message);
				if (routingResult != null) {
					if (StringUtils.hasText(routingResult.getFunctionDefinition())) {
						function = this.functionFromDefinition(routingResult.getFunctionDefinition());
					}
					if (routingResult.getMessage() != null) {
						message = routingResult.getMessage();
					}
				}
			}
			if (function == null) {
				if (StringUtils.hasText((String) message.getHeaders().get("spring.cloud.function.definition"))) {
					function = functionFromDefinition((String) message.getHeaders().get("spring.cloud.function.definition"));
					if (function.isInputTypePublisher()) {
						this.assertOriginalInputIsNotPublisher(originalInputIsPublisher);
					}
				}
				else if (StringUtils.hasText((String) message.getHeaders().get("spring.cloud.function.routing-expression"))) {
					function = this.functionFromExpression((String) message.getHeaders().get("spring.cloud.function.routing-expression"), message);
					if (function.isInputTypePublisher()) {
						this.assertOriginalInputIsNotPublisher(originalInputIsPublisher);
					}
				}
				else if (StringUtils.hasText(functionProperties.getRoutingExpression())) {
					function = this.functionFromExpression(functionProperties.getRoutingExpression(), message);
				}
				else if (StringUtils.hasText(functionProperties.getDefinition())) {
					function = this.functionFromDefinition(functionProperties.getDefinition());
				}
				else {
					throw new IllegalStateException("Failed to establish route, since neither were provided: "
							+ "'spring.cloud.function.definition' as Message header or as application property or "
							+ "'spring.cloud.function.routing-expression' as application property. Incoming message: " + input);
				}
			}
		}
		else if (input instanceof Publisher) {
			if (function == null) {
				if (StringUtils.hasText(functionProperties.getDefinition())) {
					function = functionFromDefinition(functionProperties.getDefinition());
				}
				else if (StringUtils.hasText(functionProperties.getRoutingExpression())) {
					function = this.functionFromExpression(functionProperties.getRoutingExpression(), input);
				}
				else {
					return input instanceof Mono
							? Mono.from((Publisher<?>) input).map(v -> route(v, originalInputIsPublisher))
									: Flux.from((Publisher<?>) input).map(v -> route(v, originalInputIsPublisher));
				}
			}
		}
		else {
			this.assertOriginalInputIsNotPublisher(originalInputIsPublisher);
			if (StringUtils.hasText(functionProperties.getRoutingExpression())) {
				function = this.functionFromExpression(functionProperties.getRoutingExpression(), input);
			}
			else
			if (StringUtils.hasText(functionProperties.getDefinition())) {
				function = functionFromDefinition(functionProperties.getDefinition());
			}
			else {
				throw new IllegalStateException("Failed to establish route, since neither were provided: "
						+ "'spring.cloud.function.definition' as Message header or as application property or "
						+ "'spring.cloud.function.routing-expression' as application property.");
			}
		}

		return function.apply(input);
	}

function = this.functionFromExpression((String) message.getHeaders().get("spring.cloud.function.routing-expression"), message);

org.springframework.cloud.function.context.config.RoutingFunction#functionFromExpression

漏洞就是通过spring.cloud.function.routing-expressionheader 的值，解析成 spel 表达式，并且上下文是SpelExpressionParser，然后getValue 被执行了。

修复分析

functionFromExpression增加isViaHeader的参数，用来判断是否是用户传入的 header，如果是的话就使用SimpleEvaluationContext 进行执行。