This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
     new 70d3916  Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
70d3916 is described below
commit 70d3916d4fe8aa250a1cbfc2c5ea81bceb0b3c47
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Nov 13 09:34:49 2020 +0100
    Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
    This was reported to the security team by Shuibo Ye <shuib...@gmail.com>.
    We did not create a CVE because it's a post-auth "vulnerability"
    Thanks: Shuibo Ye
---
 framework/webtools/groovyScripts/entity/ProgramExport.groovy | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
index e78ae26..e06cd96 100644
--- a/framework/webtools/groovyScripts/entity/ProgramExport.groovy
+++ b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
@@ -49,7 +49,7 @@ EntityFindOptions findOptions = new EntityFindOptions()
 findOptions.setMaxRows(3)
 List products = delegator.findList("Product", null, null, null, findOptions, false)
-if (products != null) {
+if (products != null) {
     recordValues.addAll(products)
 }
@@ -85,6 +85,13 @@ def shell = new GroovyShell(loader, binding, configuration)
 if (groovyProgram) {
     try {
+        // TODO more can be added...
+        if (groovyProgram.contains("new File")
+            || groovyProgram.contains(".jsp")
+            || groovyProgram.contains("<%=")) {
+            request.setAttribute("_ERROR_MESSAGE_", "Not executed for security reason")
+            return
+        }
         shell.parse(groovyProgram)
         shell.evaluate(groovyProgram)
         recordValues = shell.getVariable("recordValues")
@@ -105,5 +112,5 @@ if (groovyProgram) {
     } catch(Exception e) {
         request.setAttribute("_ERROR_MESSAGE_", e)
         return
-    }
+    }
 }
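Review bot: The check added in the second hunk is a substring denylist on the submitted script text, and that cannot serve as a security boundary for code handed to an unrestricted GroovyShell: three literal tokens cover only a small part of the file, process and class-loading surface a Groovy script can reach, as the `// TODO more can be added...` comment itself concedes, and `shell.evaluate(groovyProgram)` still runs whatever gets past it. The defensible fix belongs in the `configuration` object visible in the hunk header (`new GroovyShell(loader, binding, configuration)`, built above this hunk and outside it): register a `SecureASTCustomizer` with an explicit import/receiver allowlist and `setIndirectImportCheckEnabled(true)` through `configuration.addCompilationCustomizers(...)`, so disallowed calls are rejected at compile time instead of by pattern matching, and gate the ProgramExport request on a narrow admin permission so the post-auth exposure is as small as possible. Until that lands, the comment should state what this branch actually is, e.g. `// Best-effort denylist only, not a sandbox: the shell below still executes arbitrary Groovy for any user allowed on this screen`. The rejection path also only sets `_ERROR_MESSAGE_` and returns; logging the rejected submission together with the authenticated user id would let operators notice repeated probing of this endpoint. The first and third hunks are whitespace-only and need no review.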