app("APACHE COMMONS TEXT"):
    requires(version: "ARMR/2.2")

    /***************************************************************************
        CVE-2022-42889 (APACHE COMMONS TEXT)

        CVSS 3.1 Summary:
            Base Score              | 5.3 MEDIUM
            Attack Vector           | Network
            Attack Complexity       | Low
            Privileges Required     | None
            User Interaction        | None
            Scope                   | Unchanged
            Confidentiality Impact  | High
            Integrity Impact        | High
            Availability Impact     | High

        Description:
            Apache Commons Text performs variable interpolation, allowing properties
             to be dynamically evaluated and expanded. The standard format for
             interpolation is "${prefix:name}", where "prefix" is used to locate an instance
             of org.apache.commons.text.lookup.StringLookup that performs the
             interpolation. Starting with version 1.5 and continuing through 1.9, the set of
             default Lookup instances included interpolators that could result in arbitrary
             code execution or contact with remote servers. These lookups are: - "script" -
             execute expressions using the JVM script execution engine (javax.script) -
             "dns" - resolve dns records - "url" - load values from urls, including from
             remote servers Applications using the interpolation defaults in the affected
             versions may be vulnerable to remote code execution or unintentional
             contact with remote servers if untrusted configuration values are used. Users
             are recommended to upgrade to Apache Commons Text 1.10.0, which
             disables the problematic interpolators by default.

        Resources:
            https://nvd.nist.gov/vuln/detail/CVE-2022-42889

        Affected Operating System:
            Any

        Affected Versions:
            1.5, 1.6, 1.7, 1.8, 1.9

        Fixed Versions:
            1.10

        Tested Versions:
            1.5, 1.6, 1.7, 1.8, 1.9

        Protection Provided:
            Functional

        Patch Version:
            1.0
    ***************************************************************************/

    patch("CVE-2022-42889 :01"):
        function("org/apache/commons/text/lookup/DnsStringLookup.lookup(Ljava/lang/String;)Ljava/lang/String;")
        entry()

        code(language: java, import: []):

            public void patch(JavaFrame frame) {
                String key = frame.loadStringVariable(1);

                ArmrEvent event = ArmrEvent.load("Execute Rule", "High");
                event.addExtension("msg", "Attempt made to perform dns lookup");
                event.addExtension("payload", key);
                event.commit();

                frame.returnObject("dns:" + key);
            }

        endcode
    endpatch

    patch("CVE-2022-42889 :02"):
        function("org/apache/commons/text/lookup/UrlStringLookup.lookup(Ljava/lang/String;)Ljava/lang/String;")
        entry()

        code(language: java, import: []):

            public void patch(JavaFrame frame) {
                String key = frame.loadStringVariable(1);

                ArmrEvent event = ArmrEvent.load("Execute Rule", "High");
                event.addExtension("msg", "Attempt made to perform url lookup");
                event.addExtension("payload", key);
                event.commit();

                frame.returnObject("url:" + key);
            }

        endcode
    endpatch

    patch("CVE-2022-42889 :03"):
        function("org/apache/commons/text/lookup/ScriptStringLookup.lookup(Ljava/lang/String;)Ljava/lang/String;")
        entry()

        code(language: java, import: []):

            public void patch(JavaFrame frame) {
                String key = frame.loadStringVariable(1);

                ArmrEvent event = ArmrEvent.load("Execute Rule", "High");
                event.addExtension("msg", "Attempt made to perform script lookup");
                event.addExtension("payload", key);
                event.commit();

                frame.returnObject("script:" + key);
            }

        endcode
    endpatch

endapp
