Friday, June 6, 2008

Betcha Can't Break This: A Groovy Puzzler

The last post featured a little program:

def input = args[0]
def theObject = evaluate( " new ${input} () " )

println theObject.toString()

Ricky posted an excellent comment that exposed a security problem. Consider this:

// replace the println with something mean
// e.g. deleting files

groovy ez " Object(){ println 'something nefarious' }"
A strong attempt, but it won't work because, as best I can tell, Groovy doesn't support anonymous classes. (This is not a problem, thanks to closures).


Can you find a value for args[0] that prints 'something nefarious' ? I tried for a long time before I saw an answer. The exploration is a great way to test your Groovy Kung Fu.

I will schedule an "answer post" for 2 pm Central US.

About the Title

In truth, I have no doubt that someone will break this.

The title is a play on "Betcha Can't Play This", a video segment by the magazine Guitar World. In the segment, virtuoso players show off a lick that is usually extremely fast and highly technical. Though there are wonderful exceptions, most are musically vacuous and are technical scales or arppeggios: you can tell when they play it slowly.

Interestingly, the parallel between music and software is strong: these puzzlers are pure "syntactic studies" (etudes!) that don't really offer much use to real end users with real problem domains.


Weiqi Gao said...

Groovy injection!

groovy ez "java.lang.Object(); /*Arbitrary Groovy code here*/; new java.lang.String"

will execute arbitrary Groovy code.

David Budworth said...

to specifically do as requested, you would do:
groovy ez 'String("something nefarious").toString'

Danno Ferrin (aka shemnon) said...

I'de say both work according to the terms. This is a classic Injection attack, similar things work on SQL strings. Moral of the story? Sanitize all input.

Michael Easter said...

Nicely done indeed! Yesterday afternoon, I was trying to be too fancy.

Note that the next post was written before these responses. We'll see how it matches up at 2 pm Central time.