Google Apps Script is a nice service that lets you automate tasks and add features to some Google services.
To achieve this, it runs your scripts on Rhino, a JavaScript engine written in Java, so the script sandbox sits on top of the JVM.
I found that on Google Apps Script, several objects that are enumerations had the "getClass" method publicly accessible, for instance:
Utilities.Charset.getClass()
That line would return a Java Class object and allowed me to call any of its methods, so I could get some information about the underlying Java classes.
There was a catch though: Google Apps Script implements a white-list of which Java objects can be accessed, and most of the objects returned by the interesting getClass methods were not in that white-list, so I could not exploit almost anything.
But I kept trying, and I discovered a nice little thing: any method returning an array was allowed to proceed. And even though I could not open the contents of the array (so I could not even list its elements), I found a workaround.
Every array was converted to a JavaScript array, and for some reason calling the shift method on one would return the corresponding element wrapped in a white-listed class.
I could not do much with that wrapper; if I even attempted to enumerate its methods (with a for-each loop) the execution of the script would fail. The only thing I could do was send it to Logger.log so I could see a representation of the object as a String.
This was enough to find a few interesting things about the inner workings of Google, like finding a class called "com.google.apps.maestro.server.beans.memegen.api.MemegenService", which seems related to the internal Google Meme Generator (located at memegen.googleplex.com).
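To make the gap concrete, here is an added toy model (my own constructed example, not Google's sandbox code) of a host-object allowlist in plain JavaScript: the naive policy checks each object but passes arrays through unchecked, so the chain getClass() → getMethods() → shift() leaks an element; the hardened policy hides reflection entry points and re-applies the check to every array element and member result. The class names and objects are constructed stand-ins.

```javascript
// Constructed stand-ins for the Java objects a script sees; not real Apps Script types.
const methodObj = { className: "java.lang.reflect.Method", name: "valueOf" };
const classObj = {
  className: "java.lang.Class",
  getMethods() { return [methodObj]; },   // a method that returns an array
};
const charsetEnum = { className: "Charset", getClass() { return classObj; } };

// Naive policy (the behaviour described in the post): each object handed to the
// script is checked against the allowlist, but arrays are converted and passed
// through without their elements being checked.
const NAIVE_ALLOWED = new Set(["Charset", "java.lang.Class"]);
function wrapNaive(value) {
  if (Array.isArray(value)) return value;
  if (!NAIVE_ALLOWED.has(value.className)) throw new Error("denied: " + value.className);
  return value;
}

// Hardened policy: reflection entry points are stripped from the proxy, arrays
// are checked element by element, and every member result is re-wrapped.
const STRICT_ALLOWED = new Set(["Charset"]);
function wrapStrict(value) {
  if (Array.isArray(value)) return value.map(wrapStrict);
  if (value === null || typeof value !== "object") return value;
  if (!STRICT_ALLOWED.has(value.className)) throw new Error("denied: " + value.className);
  const proxy = {};
  for (const key of Object.keys(value)) {
    if (key === "getClass" || key === "className") continue; // hide reflection/metadata
    const member = value[key];
    proxy[key] = typeof member === "function"
      ? (...args) => wrapStrict(member.apply(value, args))
      : wrapStrict(member);
  }
  return proxy;
}

// Walks the chain from the post under a given policy. Returns the class name
// that leaks, or null when the policy stops the chain (denied or no getClass).
function leakedClassName(wrap) {
  try {
    const enumObj = wrap(charsetEnum);
    const klass = wrap(enumObj.getClass());     // Java Class object
    const methods = wrap(klass.getMethods());    // array: naive check skips elements
    return String(methods.shift().className);    // element reaches the script
  } catch (e) {
    return null;
  }
}
```

The detection lesson is the same in both policies: every value crossing the sandbox boundary, including array elements and reflection results, must be subject to the allowlist, not only the object the script names directly.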
Timeline (UTC-3)
2016-08-15, 10:52 PM - Initial report
2016-08-16, 09:22 AM - Report triaged
2016-08-17, 10:22 AM - Bug filed
2016-08-23, 12:35 PM - Reward of $500 issued - My first Google VRP reward :)
2016-08-26, 01:24 PM - Bug fixed and verified