`Invocation` should not invoke arbitrary method

[springkill]

If an application developer passes non-sanitized string to OGNL or similar technologies (which you should never do), an attacker can use org.apache.ibatis.plugin.Invocation in the app's classpath to execute arbitrary code (RCE).

[harawata]

This seems like a mistake or spam. Closing.

[springkill]

I would like to know if I want to report this vulnerability, which email address should I provide the information to? @harawata

[harawata]

@springkill ,

Before I let you know my email address, let me check a few things.

For JDK's deserialization vulnerability, you should use JEP-290 filter. See #2079 .

I have received a report about RCE when using SQL provider.
But the reporter used a user input string directly in the SQL returned from a provider, so it was not a MyBatis vulnerability.
Is this not the case you are reporting?

[springkill]

@harawata ,
The issue I found is not a deserialisation vulnerability, it works on JDK8u402 and applies to the latest version of mybatis3.

[harawata]

Okay, send it to my Gmail. The account name is the same as GitHub's.

[wuwen5]

@harawata Because I have extended the interception support for ResultSet, it has currently failed. Can we add ResultSet type support or support whitelist type configuration ?

@Intercepts({@Signature(type = ResultSet.class, method = "next", args = {}),
        @Signature(type = ResultSet.class, method = "close", args = {})})
@Slf4j
public class MoreRowCheckInterceptor implements Interceptor {
}

public class StatementProxy implements InvocationHandler {
  ...
   public Object invoke(Object proxy, Method method, Object[] params) throws Throwable {
        try {
            if (EXECUTE_QUERY.equals(method.getName()) || GET_RESULT_SET.equals(method.getName())) {
                final ResultSet rs = (ResultSet) method.invoke(statement, params);
                return rs == null ? null : interceptorChain.pluginAll(rs);
            } else {
                return method.invoke(statement, params);
            }
        } catch (Throwable t) {
            throw ExceptionUtil.unwrapThrowable(t);
        }
    }
  ....
}