Critical severityCISA KEVNVD Advisory· Published Apr 13, 2022· Updated Oct 21, 2025
Improper Control of Generation of Code in jai-ext
CVE-2022-24816
Description
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
it.geosolutions.jaiext.jiffle:jt-jiffleMaven | < 1.1.22 | 1.1.22 |
it.geosolutions.jaiext.jiffle:jt-jiffle-languageMaven | < 1.1.22 | 1.1.22 |
Affected products
1- geosolutions-it/jai-extv5Range: < 1.1.22
Patches
1cb1d6565d389Validate Jiffle input variable names according to grammar, escape javadocs when including Jiffle sources in output
4 files changed · +188 −18
jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java+30 −14 modified@@ -128,7 +128,7 @@ public class Jiffle { public static final Logger LOGGER = Logger.getLogger(Jiffle.class.getName()); - private static Pattern BLOCK_COMMENT_STRIPPER = Pattern.compile("(?:/\\*(?:[^*]|(?:\\*+[^*/]))*\\*+/)"); + boolean includeScript; /** * Constants for runtime model. Jiffle supports two runtime models: @@ -272,7 +272,20 @@ public Jiffle(File scriptFile, Map<String, Jiffle.ImageRole> params) setImageParams(params); compile(); } - + + /** + * Returns true if the script is to be included in the output + * + * @return + */ + public boolean isIncludeScript() { + return includeScript; + } + + public void setIncludeScript(boolean includeScript) { + this.includeScript = includeScript; + } + /** * Sets the script. Calling this method will clear any previous script * and runtime objects. @@ -481,7 +494,7 @@ public JiffleDirectRuntime getRuntimeInstance() throws */ public JiffleRuntime getRuntimeInstance(Jiffle.RuntimeModel model) throws it.geosolutions.jaiext.jiffle.JiffleException { - return createRuntimeInstance(model, getRuntimeBaseClass(model), false); + return createRuntimeInstance(model, getRuntimeBaseClass(model), includeScript); } /** @@ -512,7 +525,7 @@ public <T extends JiffleRuntime> T getRuntimeInstance(Class<T> baseClass) throws " does not implement a required Jiffle runtime interface"); } - return (T) createRuntimeInstance(model, baseClass, false); + return (T) createRuntimeInstance(model, baseClass, includeScript); } private JiffleRuntime createRuntimeInstance(RuntimeModel model, Class<? extends JiffleRuntime> runtimeClass, boolean scriptInDocs) throws @@ -558,7 +571,14 @@ private JiffleRuntime createRuntimeInstance(RuntimeModel model, Class<? extends return runtime; } catch (Exception ex) { - throw new it.geosolutions.jaiext.jiffle.JiffleException("Runtime source error for source: " + runtimeSource, ex); + // do not display the source code in indirect runtime exception messages + if (model == RuntimeModel.INDIRECT) { + if (LOGGER.isLoggable(Level.FINE)) { + LOGGER.fine("Runtime source error for source: " + runtimeSource); + } + throw new JiffleException("Runtime source error", ex); + } + throw new JiffleException("Runtime source error for source: " + runtimeSource, ex); } } @@ -613,22 +633,17 @@ private Class<? extends JiffleRuntime> getRuntimeBaseClass(RuntimeModel model) { return baseClass; } - private String createRuntimeSource(RuntimeModel model, String baseClassName, boolean scriptInDocs) { + private String createRuntimeSource(RuntimeModel model, String baseClassName, + boolean scriptInDocs) { + SourceWriter writer = new SourceWriter(model); if (scriptInDocs) { - throw new RuntimeException("Do no know how to clean the block comments yet"); + writer.setScript(theScript); } - - SourceWriter writer = new SourceWriter(model); - writer.setScript(stripComments(theScript)); writer.setBaseClassName(baseClassName); scriptModel.write(writer); return writer.getSource(); } - private String stripComments(String theScript) { - return BLOCK_COMMENT_STRIPPER.matcher(theScript).replaceAll(""); - } - /** * Initializes this object's name and runtime base class. */ @@ -648,6 +663,7 @@ private void clearCompiledObjects() { /** * Builds the parse tree from the script. + * * @param script */ private static Jiffle.Result<ParseTree> parseScript(String script) {
jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/parser/node/Script.java+24 −4 modified@@ -52,13 +52,17 @@ import it.geosolutions.jaiext.jiffle.parser.UndefinedOptionException; import java.util.Collections; -import java.util.List; import java.util.Map; import java.util.Objects; import java.util.Set; +import java.util.regex.Pattern; /** @author michael */ public class Script implements Node { + + /** <pre>ID : (Letter) (Letter | UNDERSCORE | Digit | Dot)*</pre> */ + private static final Pattern VALID_IDENTIFIER = Pattern.compile("^[a-zA-Z][_a-zA-Z0-9\\.]*$"); + private final StatementList stmts; private final RepeatedReadOptimizer readOptimizer; private Map<String, String> options; @@ -79,6 +83,20 @@ public Script( this.globals = globals; this.stmts = stmts; this.readOptimizer = readOptimizer; + validate(); + } + + private void validate() { + for (String name : sourceImages) { + if (!VALID_IDENTIFIER.matcher(name).matches()) { + throw new JiffleParserException("Invalid source image name: " + name); + } + } + for (String name : destImages) { + if (!VALID_IDENTIFIER.matcher(name).matches()) { + throw new JiffleParserException("Invalid dest image name: " + name); + } + } } public void write(SourceWriter w) { @@ -97,11 +115,13 @@ public void write(SourceWriter w) { String[] lines = script.split("\n"); w.line("/**"); w.line(" * Java runtime class generated from the following Jiffle script: "); - w.line(" *<code>"); + w.line(" *<pre>"); for (String line : lines) { - w.append(" * ").append(line).newLine(); + // In case the script itself includes comments, they best to be escaped + String escaped = line.replace("*/", "*/").replace("/*", "/*"); + w.append(" * ").append(escaped).newLine(); } - w.line(" *</code>"); + w.line(" *</pre>"); w.line(" */"); }
jt-jiffle/jt-jiffle-language/src/test/java/it/geosolutions/jaiext/jiffle/runtime/JiffleRuntimeTest.java+61 −0 added@@ -0,0 +1,61 @@ +/* JAI-Ext - OpenSource Java Advanced Image Extensions Library + * http://www.geo-solutions.it/ + * Copyright 2018 GeoSolutions + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package it.geosolutions.jaiext.jiffle.runtime; + +import it.geosolutions.jaiext.jiffle.Jiffle; +import it.geosolutions.jaiext.jiffle.JiffleException; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +public class JiffleRuntimeTest { + + @Test + public void testSkipSource() throws Exception { + Jiffle jiffle = getJiffleWithComment(); + String source = jiffle.getRuntimeSource(false); + + // by default, it does not contain the source + assertFalse(source.contains("This is a comment")); + } + + @Test + public void testEscapeSource() throws Exception { + Jiffle jiffle = getJiffleWithComment(); + String source = jiffle.getRuntimeSource(true); + + // source is in the javadocs, and properly escaped + assertTrue(source.contains("* /* This is a comment */")); + assertTrue(source.contains("* dest=10;")); + } + + private Jiffle getJiffleWithComment() throws JiffleException { + String script = "/* This is a comment */\ndest=10;"; + Jiffle jiffle = new Jiffle(); + jiffle.setScript(script); + Map<String, Jiffle.ImageRole> params = new HashMap<>(); + params.put("dest", Jiffle.ImageRole.DEST); + jiffle.setImageParams(params); + + jiffle.compile(); + return jiffle; + } +}
jt-jiffle/jt-jiffle-language/src/test/java/it/geosolutions/jaiext/jiffle/runtime/ScriptTest.java+73 −0 added@@ -0,0 +1,73 @@ +/* JAI-Ext - OpenSource Java Advanced Image Extensions Library + * http://www.geo-solutions.it/ + * Copyright 2018 GeoSolutions + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package it.geosolutions.jaiext.jiffle.runtime; + +import it.geosolutions.jaiext.jiffle.Jiffle; +import it.geosolutions.jaiext.jiffle.JiffleException; +import it.geosolutions.jaiext.jiffle.parser.JiffleParserException; +import org.junit.Assert; +import org.junit.Test; + +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertEquals; + +public class ScriptTest { + + @Test + public void testValidateSourceImages() throws Exception { + checkInvalidSourceName("a b"); + checkInvalidSourceName("99a"); + checkInvalidSourceName("#abc"); + checkInvalidSourceName("/abc"); + checkInvalidSourceName("{abc"); + } + + @Test + public void testValidateDestinationImages() throws Exception { + checkInvalidDestinationName("a b"); + checkInvalidDestinationName("99a"); + checkInvalidDestinationName("#abc"); + checkInvalidDestinationName("/abc"); + checkInvalidDestinationName("{abc"); + } + + private void checkInvalidSourceName(String name) throws JiffleException { + Jiffle jiffle = new Jiffle(); + jiffle.setScript("dst=0;"); + Map<String, Jiffle.ImageRole> params = new HashMap<>(); + params.put(name, Jiffle.ImageRole.SOURCE); + jiffle.setImageParams(params); + + JiffleParserException exception = + Assert.assertThrows(JiffleParserException.class, () -> jiffle.compile()); + assertEquals("Invalid source image name: " + name, exception.getMessage()); + } + + private void checkInvalidDestinationName(String name) throws JiffleException { + Jiffle jiffle = new Jiffle(); + jiffle.setScript("dst=0;"); + Map<String, Jiffle.ImageRole> params = new HashMap<>(); + params.put(name, Jiffle.ImageRole.DEST); + jiffle.setImageParams(params); + + JiffleParserException exception = + Assert.assertThrows(JiffleParserException.class, () -> jiffle.compile()); + assertEquals("Invalid dest image name: " + name, exception.getMessage()); + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-v92f-jx6p-73rxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24816ghsaADVISORY
- github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cbghsax_refsource_MISCWEB
- github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rxghsax_refsource_CONFIRMWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
News mentions
0No linked articles in our index yet.