
[Security Vulnerability] protoc-gen-validate Java Code Injection#1385

Open
hayageek wants to merge 1 commit into bufbuild:main from hayageek:main
Conversation

@hayageek

Summary

Unescaped proto string values (GetConst, GetPrefix, GetContains, GetNotContains, GetSuffix) are interpolated into Java string literals in generated validator code. A malicious .proto file with crafted validation rules causes arbitrary Java code execution when the generated code is compiled and run.

Description

  • Type: Code injection in generated Java code
  • Source: Proto validation rules (string.const, string.prefix, string.suffix, string.contains, string.not_contains) from user-controlled .proto files
  • Sink: Java string literals in templates/java/string.go (lines 27, 57, 60, 63, 66) — values embedded as {{ $r.GetConst }} etc. without javaStringEscape
  • Impact: Arbitrary Java execution. Example payload "); System.exit(0); // breaks out of the string literal and executes injected code when the validator's assertValid() is invoked. Because java.lang.Runtime requires no import, injected statements can also run host commands—for example: Process p = Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "echo hello" }); p.waitFor();—which is full RCE at the JVM/OS level, not limited to System.exit.

Affected

  • bufbuild/protoc-gen-validate (Java code generation path)
  • Affected file: templates/java/string.go

PoC

For the PoC, check the Gist: https://gist.github.com/hayageek/6b2d3518bcf8d35f15940137862cef44
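An added illustration, not code from this PR or from protoc-gen-validate itself: a Go escape function of the kind the description says the Java template lacks, run through two constructed text/template stand-ins for the affected string literal, so the page's `"); System.exit(0); //` payload can be seen closing the literal in the raw version and staying inert text in the escaped one. The `check(value, ...)` line and the `.Const` field are assumptions, not the project's real template output.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"unicode/utf16"
)

// Named escapes for the characters that can end a Java literal or a line.
// Java decodes \uXXXX before tokenizing, so \u0022 or \u000a would not help.
var named = map[rune]string{'\\': `\\`, '"': `\"`, '\n': `\n`, '\r': `\r`, '\t': `\t`}

// javaStringEscape makes s safe to place inside a Java string literal.
// Illustrative helper written for this example, not protoc-gen-validate's own.
func javaStringEscape(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case named[r] != "":
			b.WriteString(named[r])
		case r >= 0x20 && r <= 0x7e:
			b.WriteRune(r) // printable ASCII passes through unchanged
		default: // control and non-ASCII runes: \uXXXX, surrogate pairs above the BMP
			for _, u := range utf16.Encode([]rune{r}) {
				fmt.Fprintf(&b, `\u%04x`, u)
			}
		}
	}
	return b.String()
}

// Constructed stand-ins for the generated-code shape the PR describes: the rule
// value is interpolated inside a Java string literal, raw or escaped.
const (
	vulnerableTmpl = `check(value, "{{ .Const }}");`
	hardenedTmpl   = `check(value, "{{ javaStringEscape .Const }}");`
)

// render executes tmpl with the rule value c and returns the generated Java line.
func render(tmpl, c string) string {
	t := template.Must(template.New("java").Funcs(template.FuncMap{
		"javaStringEscape": javaStringEscape}).Parse(tmpl))
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]string{"Const": c}); err != nil {
		panic(err)
	}
	return out.String()
}
```

With the page's payload, `render(vulnerableTmpl, ...)` yields `check(value, ""); System.exit(0); //");`, where the literal ends after two characters, while `render(hardenedTmpl, ...)` yields `check(value, "\"); System.exit(0); //");`, one intact literal.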

@CLAassistant

CLAassistant commented Apr 20, 2026

CLA assistant check
All committers have signed the CLA.
