This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new c75c37d Fixed: Groovy denied list bypass causes post-auth RCE from
webtools/control/ProgramExport (OFBIZ-12571)
c75c37d is described below
commit c75c37d1ec78bb4673f06f23011d366ea79726f1
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 11 10:52:43 2022 +0100
Fixed: Groovy denied list bypass causes post-auth RCE from
webtools/control/ProgramExport (OFBIZ-12571)
The 1st issue was due to use of processbuilder token. It has been added to
deniedWebShellTokens in security.properties by f2cf262 commit for OFBIZ
11948
The tokens function (for js) and class have been added since while browsing
https://github.com/tennc/webshell
As mention the related deniedWebShellTokens TODO comment: "TODO.... to be
continued
with known webshell contents... a complete allow list is impossible
anyway...
So, later a deeper review of Groovy sandbox possibilities will be done..
Thanks: Y4er for report
---
framework/security/config/security.properties | 2 +-
.../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index b0d76c8..3c6ae64 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -252,7 +252,7 @@ allowAllUploads=
deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,scriptlet>,declaration>,expression>,<c:out,taglib,<prefix,<%@
page,\
%eval,@eval,runtime,import,passthru,shell_exec,assert,str_rot13,system,base64_decode,include,\
chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile,\
- python,perl ,/perl,ruby ,/ruby,processbuilder
+ python,perl ,/perl,ruby
,/ruby,processbuilder,function,class
#-- IMPORTANT: when you change things here you need to do accordingly in
SecurityUtilTest::webShellTokensTesting and run "gradlew test" --
#-- Popup last-visited time from database after user has logged in.
diff --git
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 5320242..9757733 100644
---
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -62,7 +62,7 @@ public class SecurityUtilTest {
//
freemarker,<script,javascript,<body,<form,<jsp:,scriptlet>,declaration>,expression>,<c:out,taglib,<prefix,<%@
page
//
%eval,@eval,runtime,import,passthru,shell_exec,assert,str_rot13,system,base64_decode,include
// chmod,mkdir,fopen,fclose,new
file,upload,getfilename,download,getoutputstring,readfile
- // python,perl ,/perl,ruby ,/ruby,processbuilder
+ // python,perl ,/perl,ruby ,/ruby,processbuilder,function,class
try {
List<String> allowed = new ArrayList<>();
@@ -114,6 +114,8 @@ public class SecurityUtilTest {
assertFalse(SecuredUpload.isValidText("ruby ", allowed));
assertFalse(SecuredUpload.isValidText("/ruby", allowed));
assertFalse(SecuredUpload.isValidText("processbuilder", allowed));
// Groovy
+ assertFalse(SecuredUpload.isValidText("function", allowed)); //
Groovy
+ assertFalse(SecuredUpload.isValidText("class", allowed)); // Groovy
} catch (IOException e) {
fail(String.format("IOException occured : %s", e.getMessage()));
