Description
### SummaryA server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability.If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended.The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely.### ImpactThis issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**.### PatchesThe issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions.The evaluation of EL expressions has been disabled by default now.In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`.It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3:* [`ViolationCollector#addViolation(String, Map<String, Object>`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-)* [`ViolationCollector#addViolation(String, String, Map<String, Object>`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-)* [`ViolationCollector#addViolation(String, String, Integer, Map<String, Object>`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-)* [`ViolationCollector#addViolation(String, String, String, Map<String, Object>`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-)### WorkaroundsIf you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html).Example:```java@SelfValidationpublic void validateFullName(ViolationCollector col) { if (fullName.contains("_")) { // Sanitize fullName variable by escaping relevant characters such as "$" col.addViolation("Full name contains invalid characters: " + sanitizeJavaEl(fullName)); }}```See also:https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java### References* https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf* https://github.com/dropwizard/dropwizard/pull/3208* https://github.com/dropwizard/dropwizard/pull/3209* https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext### For more informationIf you have any questions or comments about this advisory:* Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new)* Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev)### Security contactIf you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy):https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability