### Example Gadget Chain Discovered in Commons Collections Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md An example of a deserialization gadget chain identified by Gadget Inspector when analyzing `commons-collections-3.2.1.jar`. This output illustrates the sequence of method calls that form a potential exploit path, starting from an `InvocationHandler` and leading to arbitrary method execution. ```Text com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (-1) com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (0) org/apache/commons/collections/map/DefaultedMap.get(Ljava/lang/Object;)Ljava/lang/Object; (0) org/apache/commons/collections/functors/InvokerTransformer.transform(Ljava/lang/Object;)Ljava/lang/Object; (0) java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0) ``` -------------------------------- ### Missed Gadget Chain Example with Reflection in Java Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md This Java code illustrates a type of gadget chain that gadget inspector might miss due to its limitations in following reflection calls. The 'readObject' method uses reflection to invoke 'System.exit(0)', a behavior that could be dangerous but is not currently tracked by the tool's static analysis. ```Java public class MySerializableClass implements Serializable { public void readObject(ObjectInputStream ois) { System.class.getMethod("exit", int.class).invoke(null, 0); } } ``` -------------------------------- ### Example Gadget Chain Identified by Gadget Inspector Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md This snippet illustrates a potential gadget chain identified by the gadgetinspector tool. It shows a sequence of method calls across different libraries, culminating in a 'Method.invoke()' call, which the tool considers an 'interesting' side effect. This chain demonstrates how various application components can be linked to form a deserialization vulnerability. ```Java net/sf/jasperreports/charts/design/JRDesignPieDataset.readObject(Ljava/io/ObjectInputStream;)V (1) org/apache/commons/collections/FastArrayList.add(Ljava/lang/Object;)Z (0) java/util/ArrayList.clone()Ljava/lang/Object; (0) org/jfree/data/KeyToGroupMap.clone()Ljava/lang/Object; (0) org/jfree/data/KeyToGroupMap.clone(Ljava/lang/Object;)Ljava/lang/Object; (0) java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0) ``` -------------------------------- ### False Positive Gadget Chain Example in Java Deserialization Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md This Java code demonstrates a scenario that gadget inspector might incorrectly identify as a gadget chain. Despite containing a 'System.exit(0)' call, the conditional 'if (false)' makes the code unreachable, leading to a false positive. This highlights the tool's limitation in solving for branch conditions. ```Java public class MySerializableClass implements Serializable { public void readObject(ObjectInputStream ois) { if (false) System.exit(0); ois.defaultReadObject(); } } ``` -------------------------------- ### Build and Run Gadget Inspector Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md Instructions to build the Gadget Inspector application using Gradle and then run the compiled JAR. The `shadowJar` task creates a single executable JAR, and the `java -jar` command executes it with specified arguments. ```Shell ./gradlew shadowJar ``` ```Shell java -jar build/libs/gadget-inspector-all.jar ``` -------------------------------- ### Analyze Commons Collections JAR with Gadget Inspector Source: https://github.com/5wimming/gadgetinspector/blob/main/README.md Demonstrates how to download the `commons-collections-3.2.1.jar` and then run Gadget Inspector against it, allocating 2GB of heap memory. This command initiates the analysis process to discover gadget chains within the specified library. ```Shell wget http://central.maven.org/maven2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar java -Xmx2G -jar build/libs/gadget-inspector-all.jar commons-collections-3.2.1.jar ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.