This is an automated email from the ASF dual-hosted git repository.
pgil pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new d02386d Improved: Create a deny list to reject webshell tokens
(OFBIZ-12324)
d02386d is described below
commit d02386d2d1d4e0524c320201730ab3a09408b6e4
Author: Gil Portenseigne <[email protected]>
AuthorDate: Wed Sep 22 15:03:30 2021 +0200
Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)
Improve readability using stream api
Fix deniedWebShellTokens property where some blank spaces were removed
and the '// Python' comment was inlined.
---
framework/security/config/security.properties | 4 +++-
.../org/apache/ofbiz/security/SecuredUpload.java | 26 +++-------------------
2 files changed, 6 insertions(+), 24 deletions(-)
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index 5441a64..b576ae3 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -188,7 +188,9 @@ allowAllUploads=
#-- eg:
https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/
#-- "freemarker" should be OK, should not be used in Freemarker templates, not
part of the syntax.
#-- Else "template.utility.Execute" is a good replacement but not as much
catching, who knows...
-deniedWebShellTokens=freemarker,import=\"java,runtime.getruntime().exec(,<%@page,<script,<body>,<form,php,javascript,%eval,@eval,importos//Python,passthru,exec,shell_exec,assert,str_rot13,system,phpinfo,base64_decode,chmod,mkdir,fopen,fclose,newfile,import,upload,getfilename,download,getoutputstring,readfile
+deniedWebShellTokens=freemarker,import=\"java,runtime.getruntime().exec(,<%@
page,<script,<body>,<form,php,\
+ javascript,%eval,@eval,import
os,passthru,exec,shell_exec,assert,str_rot13,system,phpinfo,base64_decode,chmod,mkdir,\
+ fopen,fclose,new
file,import,upload,getfilename,download,getoutputstring,readfile
#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can
uncomment the allowedProtocols property, here given as an example
#-- You may also put other protocols you want to use, instead or with those
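Review bot: Several entries in the rewritten deniedWebShellTokens value are plain English fragments — `import`, `exec`, `assert`, `system`, `upload`, `download`, `php`, `mkdir` — so, assuming isValid looks for each token as a substring (which entries such as `runtime.getruntime().exec(` imply; its body is not in this diff), ordinary text containing "important", "executive" or "assertion" will be rejected as a webshell. Those bare tokens also make the longer ones redundant: `import` already covers `import=\"java` and `import os`, and `exec` covers `shell_exec` and the Runtime call. A deny list is only as good as its entries, so I would record the trade-off next to it rather than tune it blindly, e.g. `#-- Matching is substring-based: short tokens such as "import" or "exec" also hit ordinary words; adjust per deployment.` The new continuation lines rely on the trailing `\` and on leading whitespace of the next line being discarded, which holds for the standard java.util.Properties format — worth confirming UtilProperties loads this file with those rules.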
diff --git
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index a5c7f50..afa2f7b 100644
---
a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++
b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -39,7 +39,6 @@ import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
-import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.UUID;
@@ -622,12 +621,7 @@ public class SecuredUpload {
}
public static boolean isValidText(String content, List<String> allowed)
throws IOException {
- for (String token : DENIEDWEBSHELLTOKENS) {
- if (!isValid(content, token, allowed)) {
- return false;
- }
- }
- return true;
+ return DENIEDWEBSHELLTOKENS.stream().allMatch(token ->
isValid(content, token, allowed));
}
private static boolean isValid(String content, String string, List<String>
allowed) {
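Review bot: isValidText is now a one-liner whose contract is easy to misread, and it carries no Javadoc: `Stream.allMatch` over an empty DENIEDWEBSHELLTOKENS is vacuously true, so when the deniedWebShellTokens property is unset or blank (deniedWebShellTokens() returns an empty list in that case) every upload passes this check. The replaced loop behaved the same way, so this is not a regression, but it is the fail-open case a reader needs spelled out. I would add `/** Rejects content containing any token of security.properties' deniedWebShellTokens (matching rule in isValid); an empty deny list accepts everything. */` above the method and consider a warning when the list is empty. The `throws IOException` is provably not needed by the new body (a Predicate lambda cannot throw checked exceptions), but dropping it would break callers that catch it, so leaving it is fine. isValid's body and the rest of the class are outside this hunk.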
@@ -643,26 +637,12 @@ public class SecuredUpload {
}
private static List<String> deniedFileExtensions() {
- List<String> deniedFileExtensions = new LinkedList<>();
String deniedExtensions = UtilProperties.getPropertyValue("security",
"deniedFileExtensions");
- if (UtilValidate.isNotEmpty(deniedExtensions)) {
- List<String> deniedFileExtensionsList =
StringUtil.split(deniedExtensions, ",");
- for (String deniedExtension : deniedFileExtensionsList) {
- deniedFileExtensions.add(deniedExtension);
- }
- }
- return deniedFileExtensions;
+ return UtilValidate.isNotEmpty(deniedExtensions) ?
StringUtil.split(deniedExtensions, ",") : new ArrayList<>();
}
private static List<String> deniedWebShellTokens() {
- List<String> deniedWebShellTokens = new LinkedList<>();
String deniedTokens = UtilProperties.getPropertyValue("security",
"deniedWebShellTokens");
- if (UtilValidate.isNotEmpty(deniedTokens)) {
- List<String> deniedWebShellTokensList =
StringUtil.split(deniedTokens, ",");
- for (String deniedToken : deniedWebShellTokensList) {
- deniedWebShellTokens.add(deniedToken);
- }
- }
- return deniedWebShellTokens;
+ return UtilValidate.isNotEmpty(deniedTokens) ?
StringUtil.split(deniedTokens, ",") : new ArrayList<>();
}
}
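Review bot: deniedFileExtensions() and deniedWebShellTokens() are now the same four lines differing only in the property key, and both silently turn an unset or blank property into an empty list that disables the corresponding upload check. Pulling the lookup into one private helper removes the duplication and gives a single place to surface that fail-open case, for instance a warning through whatever logger this class already uses (the usual OFBiz Debug/MODULE pair, if it is in scope — not visible in this hunk). The enclosing class closes on the last line of this hunk; its other members lie outside it.

```java
private static List<String> deniedFileExtensions() {
    return securityPropertyList("deniedFileExtensions");
}

private static List<String> deniedWebShellTokens() {
    return securityPropertyList("deniedWebShellTokens");
}

// Splits a comma-separated security.properties value. An unset or blank
// property yields an empty list, which disables the check that uses it —
// the place to log a warning if that fail-open behaviour is unwanted.
private static List<String> securityPropertyList(String key) {
    String value = UtilProperties.getPropertyValue("security", key);
    return UtilValidate.isNotEmpty(value) ? StringUtil.split(value, ",") : new ArrayList<>();
}
```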