Escape */ in block-comment doc generators to prevent code injection (Java, Kotlin)#9084
Open
kagancapar wants to merge 1 commit into
Conversation
… Kotlin KMP)

PR google#8820 fixed doc comment injection for the TypeScript generator by escaping */ sequences inside /** ... */ blocks. The same vulnerability exists in all generators that use block comments for documentation:

- code_generators.cpp (shared GenComment, used by Java)
- idl_gen_kotlin.cpp (custom GenerateComment)
- idl_gen_kotlin_kmp.cpp (custom GenerateComment)

A crafted .fbs doc comment like:

/// */ static { System.out.println(PWNED); } /*

breaks out of the Javadoc block and injects a static initializer that executes when the generated class is loaded.

This applies the same escape (*/ -> *\/) used in the TypeScript fix. Generators using line comments (C++, C#, Go, Rust, Swift, PHP, Python) are not affected.
Author

Verified end-to-end on latest master (25.12.19):

Before fix — field doc comment in table Monster:

table Monster {
  /// */ static { System.out.println(INJECTED); } /*
  name:string;
}

public final class Monster extends Table {
  /**
   * */ static { System.out.println(INJECTED); } /*
   */
  public String name() { ... }

After fix — same input produces:

  /**
   * *\/ static { System.out.println(INJECTED); } /*
   */

This is the same bug class as #8820 (TypeScript), which was merged. Java/Kotlin/Kotlin KMP were not covered by that fix.
Summary

PR #8820 fixed a doc comment injection vulnerability in the TypeScript generator where */ in a doc comment could close the /** ... */ JSDoc block and inject arbitrary top-level code. However, the same vulnerability exists in all other generators that use block comments for documentation: Java, Kotlin, and Kotlin KMP.

Attack chain

.fbs schema: flatc --java (or --kotlin): static {} initializer inside the class body

Proof of concept (Java output before fix)

The */ on line 2 closes the Javadoc comment. The static { ... } block becomes real Java code inside the Monster class. The /* re-opens a block comment to absorb the remaining */. The static initializer executes automatically when Monster is loaded.

Fix

Escape */ to *\/ in doc comment lines when the generator uses block comments (/** ... */), consistent with the TypeScript fix in #8820. The escape is only applied when a block comment config is active (i.e., first_line != nullptr), so line-comment generators (///, #) are unaffected.

Files changed:

- code_generators.cpp — shared GenComment() utility (used by Java)
- idl_gen_kotlin.cpp — custom GenerateComment()
- idl_gen_kotlin_kmp.cpp — custom GenerateComment()

Not affected (use line comments): C++, C#, Go, Rust, Swift, PHP, Python
Related PRs
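The escape rule from the Fix section, as an added stand-alone example rather than code from the PR or from flatbuffers itself. It is a simplified stand-in for the shared comment emitter: the CommentConfig shape (first_line / content_line_prefix / last_line) is an assumption modelled on the config the PR refers to, the function names and the string-returning signature are this example's own, and the crafted doc line is constructed from the proof of concept above. It shows that the escape is applied only when a block-comment config is active, and that a correctly emitted block comment contains exactly one terminator, the one the generator writes.

```cpp
// Added example, not flatbuffers' own code: a simplified stand-in for the
// shared GenComment() utility showing the "*/" -> "*\/" escape the PR applies.
// The CommentConfig shape (first_line / content_line_prefix / last_line) is an
// assumption modelled on the struct the PR refers to; the real flatc code
// differs in signature and details.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

struct CommentConfig {
  const char *first_line;           // "/**" for Java/Kotlin, nullptr for line comments
  const char *content_line_prefix;  // " * " for block comments, "/// " for line comments
  const char *last_line;            // " */" for block comments, nullptr otherwise
};

// Replace every "*/" with "*\/". Inside a block comment the backslash is just
// text, so the documentation still reads the same, but the lexer never sees a
// comment terminator before the one the generator writes itself.
std::string EscapeCommentTerminator(const std::string &line) {
  std::string out;
  out.reserve(line.size());
  for (std::size_t i = 0; i < line.size(); ++i) {
    if (line[i] == '*' && i + 1 < line.size() && line[i + 1] == '/') {
      out += "*\\/";
      ++i;  // skip the '/' that was just emitted in escaped form
    } else {
      out += line[i];
    }
  }
  return out;
}

// Emit a documentation comment for the given doc lines. The escape is applied
// only when a block-comment config is active (first_line != nullptr), which is
// the condition the PR uses; line-comment generators pass the text through.
std::string GenComment(const std::vector<std::string> &doc_lines,
                       const CommentConfig &config, const std::string &indent) {
  std::string code;
  if (doc_lines.empty()) return code;
  const bool block_comment = config.first_line != nullptr;
  if (block_comment) code += indent + config.first_line + "\n";
  for (const std::string &line : doc_lines) {
    code += indent + config.content_line_prefix +
            (block_comment ? EscapeCommentTerminator(line) : line) + "\n";
  }
  if (config.last_line != nullptr) code += indent + config.last_line + "\n";
  return code;
}

// Count comment terminators in generated text. For a block-comment generator a
// correct emission contains exactly one: the last_line the generator wrote.
std::size_t CountTerminators(const std::string &code) {
  std::size_t n = 0;
  for (std::size_t pos = code.find("*/"); pos != std::string::npos;
       pos = code.find("*/", pos + 2)) {
    ++n;
  }
  return n;
}

// Constructed sample input: the doc line from the PR's proof of concept.
const std::string kCraftedDocLine =
    "*/ static { System.out.println(INJECTED); } /*";

int main() {
  const CommentConfig java_config{"/**", " * ", " */"};
  const CommentConfig line_config{nullptr, "/// ", nullptr};
  const std::vector<std::string> doc{kCraftedDocLine};

  const std::string java_out = GenComment(doc, java_config, "  ");
  std::cout << "Java (block comment, escaped):\n" << java_out
            << "terminators: " << CountTerminators(java_out) << "\n\n"
            << "Line-comment generator (unchanged):\n"
            << GenComment(doc, line_config, "  ");
  return 0;
}
```

CountTerminators is the check worth keeping in a regression test for any block-comment generator: feed it a doc comment containing `*/` and assert the emitted text has exactly one terminator.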