CVE-2021-21244: fix issue #88: Users able to edit build spec can execute arbitrary java · theonedev/onedev@4f5dc6f

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enables pre-auth server-side template injection via Bean Validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.


@@ -60,6 +60,7 @@

import org.hibernate.collection.internal.PersistentBag;

import org.hibernate.exception.ConstraintViolationException;

import org.hibernate.type.Type;

import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

import com.fasterxml.jackson.databind.ObjectMapper;

import com.google.common.collect.Lists;
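Review bot: the new import of `org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator` pulls a Hibernate Validator implementation class into a file that otherwise uses only the `javax.validation` API, so this module now depends on hibernate-validator being on the classpath at compile time, not just as the runtime provider; a one-line comment next to the import stating why this specific interpolator is chosen (it substitutes `{param}` placeholders but does not evaluate `${...}` expressions, which is the mechanism the advisory describes) would make the security intent visible to the next person who touches the imports.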

@@ -309,7 +310,10 @@ protected void configure() {

@Override

public ValidatorFactory get() {

Configuration<?> configuration = Validation.byDefaultProvider().configure();

Configuration<?> configuration = Validation

.byDefaultProvider()

.configure()

.messageInterpolator(new ParameterMessageInterpolator());

return configuration.buildValidatorFactory();

}
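Review bot: the commit message and advisory say interpolation is "disabled completely", but `.messageInterpolator(new ParameterMessageInterpolator())` still performs resource-bundle and `{parameter}` interpolation; what it removes is evaluation of `${...}` expression-language fragments. Please align the wording so readers do not assume all message processing is off, and add a regression test that builds a `ValidatorFactory` through this `get()` method, validates a bean whose constraint message contains a literal `${...}` fragment, and asserts the returned message is unchanged. Separately, note that `get()` still constructs a fresh `Configuration` and `ValidatorFactory` on every call (unchanged by this hunk), so the interpolator should also be applied anywhere else a factory is built, otherwise one code path could silently fall back to the default EL-enabled interpolator.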
