This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 6bf7856 Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
6bf7856 is described below
commit 6bf785654a1fa4ad6611736195d9a113844a850b
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Nov 13 09:34:49 2020 +0100
Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055) This was reported to the security team by Shuibo Ye <shuib...@gmail.com>. We did not create a CVE because it's a post-auth "vulnerability" Thanks: Shuibo Ye
---
framework/webtools/groovyScripts/entity/ProgramExport.groovy | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
index d1e59eb..41d29e6 100644
--- a/framework/webtools/groovyScripts/entity/ProgramExport.groovy
+++ b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
@@ -46,7 +46,7 @@ EntityFindOptions findOptions = new EntityFindOptions()
 findOptions.setMaxRows(3)
 List products = delegator.findList("Product", null, null, null, findOptions, false)
-if (products != null) {
+if (products != null) {
 recordValues.addAll(products)
 }
@@ -73,6 +73,13 @@ def shell = new GroovyShell(loader, binding, configuration)
 if (UtilValidate.isNotEmpty(groovyProgram)) {
 try {
+ // TODO more can be added...
+ if (groovyProgram.contains("new File")
+ || groovyProgram.contains(".jsp")
+ || groovyProgram.contains("<%=")) {
+ request.setAttribute("_ERROR_MESSAGE_", "Not executed for security reason")
+ return
+ }
 shell.parse(groovyProgram)
 shell.evaluate(groovyProgram)
 recordValues = shell.getVariable("recordValues")
@@ -93,5 +100,5 @@ if (UtilValidate.isNotEmpty(groovyProgram)) {
 } catch(Exception e) {
 request.setAttribute("_ERROR_MESSAGE_", e)
 return
- }
+ }
 }
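Review bot: The added guard in the second hunk is a substring denylist on the raw program text, so it rejects only the literal spellings `new File`, `.jsp` and `<%=` and is bypassed by any equivalent construct the list does not name — `Runtime.getRuntime().exec(...)`, `"...".execute()`, `new java.io.File(...)`, a class name assembled by string concatenation, or `Class.forName(...)` plus reflection all still reach `shell.evaluate(groovyProgram)`, and the `// TODO more can be added...` comment concedes this. Because the script is still evaluated in a plain `GroovyShell`, no denylist can be made complete; the `configuration` the shell is built from (named in the hunk header, initialised outside this hunk) should instead carry a `SecureASTCustomizer` that allowlists the imports and receiver classes the export feature actually needs and rejects everything else at compile time, with the substring check kept at most as a cheap first filter. Rejected submissions should also be logged together with the submitting user, since `_ERROR_MESSAGE_` only informs the caller. Even an AST-level allowlist has known escapes, so the screen should stay behind whatever administrative permission gates it today (not visible here). The enclosing `if`/`try` continues past the end of the hunk.

```groovy
// … unchanged: loader / binding / configuration setup …
def secureCustomizer = new SecureASTCustomizer()
secureCustomizer.indirectImportCheckEnabled = true
secureCustomizer.importsWhitelist = ['org.apache.ofbiz.entity.util.EntityFindOptions']  // extend only as the export feature needs
secureCustomizer.starImportsWhitelist = []
// receivers the template script is expected to call; setter names differ between Groovy versions — verify against the bundled Groovy
secureCustomizer.receiversClassesWhiteList = [Object, String, List, Map].collect { it.name }
configuration.addCompilationCustomizers(secureCustomizer)
def shell = new GroovyShell(loader, binding, configuration)
// … unchanged: groovyProgram guard, parse / evaluate …
```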