[ofbiz-framework] branch trunk updated: Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)

[jleroux]

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 54e544d  Improved: Create a deny list to reject webshell tokens 
(OFBIZ-12324)
54e544d is described below

commit 54e544d302f20728d1f8b27670ce5c63367372c5
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 18 13:50:50 2022 +0100

    Improved: Create a deny list to reject webshell tokens (OFBIZ-12324)
    
    Prevents CSV injection (MS Excel or Open Office)
---
 framework/security/config/security.properties                     | 2 +-
 .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 7661561..fa96158 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -253,7 +253,7 @@ 
deniedWebShellTokens=freemarker,<script,javascript,<body,<form,<jsp:,<c:out,tagl
                      
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,\
                      python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,\
-                     
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+                     
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
 
 
 #-- Max line length for uploaded files, by default 10000
diff --git 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 2ffe1e6..7b212dd 100644
--- 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -63,7 +63,7 @@ public class SecurityUtilTest {
         // 
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
         // chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,\
         // python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,\
-        // ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami
+        // 
ifconfig,route,crontab,netstat,uname,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|
 
         try {
             List<String> allowed = new ArrayList<>();
@@ -122,11 +122,15 @@ public class SecurityUtilTest {
             assertFalse(SecuredUpload.isValidText("route", allowed));
             assertFalse(SecuredUpload.isValidText("crontab", allowed));
             assertFalse(SecuredUpload.isValidText("netstat", allowed));
-            assertFalse(SecuredUpload.isValidText("uname", allowed)); // found 
1 image (on 33 600) with this token in
+            assertFalse(SecuredUpload.isValidText("uname", allowed)); // found 
1 image (on 33 600, ~3GB) with this token in
             assertFalse(SecuredUpload.isValidText("hostname", allowed));
             assertFalse(SecuredUpload.isValidText("iptables", allowed));
             assertFalse(SecuredUpload.isValidText("whoami", allowed));
             // ip, ls, nc, ip, cat and pwd can'tbe used, too short
+            assertFalse(SecuredUpload.isValidText("\"cmd\"", allowed));
+            assertFalse(SecuredUpload.isValidText("*cmd|", allowed));
+            assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
+            assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
 
         } catch (IOException e) {
             fail(String.format("IOException occured : %s", e.getMessage()));