Betcha Can't Break This: A Groovy Puzzler
The last post featured a little program:
def input = args[0]
def theObject = evaluate( " new ${input} () " )
println theObject.toString()
Ricky posted an excellent comment that exposed a security problem. Consider this:
// replace the println with something mean
// e.g. deleting files
groovy ez " Object(){ println 'something nefarious' }"
A strong attempt, but it won't work because, as best I can tell, Groovy doesn't support anonymous classes. (This is not a problem, thanks to closures.)
Challenge
Can you find a value for args[0] that prints 'something nefarious'? I tried for a long time before I saw an answer. The exploration is a great way to test your Groovy Kung Fu.
I will schedule an "answer post" for 2 pm Central US.
About the Title
In truth, I have no doubt that someone will break this.
The title is a play on "Betcha Can't Play This", a video segment by the magazine Guitar World. In the segment, virtuoso players show off a lick that is usually extremely fast and highly technical. Though there are wonderful exceptions, most are musically vacuous and are technical scales or arpeggios: you can tell when they play it slowly.
Interestingly, the parallel between music and software is strong: these puzzlers are pure "syntactic studies" (etudes!) that don't really offer much use to real end users with real problem domains.
4 comments:
Groovy injection!
groovy ez "java.lang.Object(); /*Arbitrary Groovy code here*/; new java.lang.String"
will execute arbitrary Groovy code.
to specifically do as requested, you would do:
groovy ez 'String("something nefarious").toString'
I'd say both work according to the terms. This is a classic Injection attack, similar things work on SQL strings. Moral of the story? Sanitize all input.
Nicely done indeed! Yesterday afternoon, I was trying to be too fancy.
Note that the next post was written before these responses. We'll see how it matches up at 2 pm Central time.
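With the answers now out in the comments, here is the injection next to a hardened version of the script, as an added example rather than code from the original post. It wraps the original evaluate() call in a method so both variants can be run from one Groovy script; the helper names (unsafeNew, safeNew, ALLOWED) and the class allowlist are assumptions made for this illustration.

```groovy
// Added example, not the original post's code. Shows the evaluate() injection
// from the puzzle beside a version that never compiles user input at all.
import groovy.lang.GroovyShell
import groovy.transform.Field

// The original pattern: the argument is spliced into Groovy source and compiled.
// Anything that completes the `new ... ()` template is executed as code.
Object unsafeNew(String input) {
    new GroovyShell().evaluate(" new ${input} () ")
}

// Allowlist of classes the script is willing to instantiate (assumption for this example).
// @Field makes it visible to the methods declared below, not just to the script body.
@Field final Set<String> ALLOWED = ['java.lang.Object', 'java.lang.StringBuilder', 'java.util.ArrayList'] as Set

// Hardened: require a plain fully qualified class name, check it against the
// allowlist, then instantiate by reflection. The input never reaches the compiler.
Object safeNew(String input) {
    String name = input.trim()
    if (!(name ==~ /[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*/)) {
        throw new IllegalArgumentException("not a class name: ${input}")
    }
    if (!ALLOWED.contains(name)) {
        throw new IllegalArgumentException("class not allowed: ${name}")
    }
    Class.forName(name).getDeclaredConstructor().newInstance()
}

// Benign input behaves the same in both versions.
println unsafeNew('java.lang.Object').class.name
println safeNew('java.lang.Object').class.name

// The injection from the comments: the payload closes the `new` expression,
// runs arbitrary statements, then supplies a fresh expression for the trailing `()`.
// Here it only prints; the statements in the middle could just as well delete files.
String payload = 'java.lang.Object(); println "something nefarious"; new java.lang.String'
println unsafeNew(payload)   // prints "something nefarious", then the empty String it returns

// The hardened version rejects the same payload before anything is evaluated.
try {
    safeNew(payload)
} catch (IllegalArgumentException e) {
    println "rejected: ${e.message}"
}
```

Run it with the groovy command and the unsafe call prints the injected line while the safe call throws. Note that checking the shape of the identifier alone would not be enough, since the string would still be handed to evaluate(); the fix is to stop building source code from input, and the allowlist then stops the caller from loading arbitrary classes (and running their static initializers) by name.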