[ofbiz-framework] branch release22.01 updated: Improved: Secure the uploads (OFBIZ-12080)

[jleroux]

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release22.01 by this push:
     new f2894c65d7 Improved: Secure the uploads (OFBIZ-12080)
f2894c65d7 is described below

commit f2894c65d732905097007158ff49fc5ae279849e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Apr 25 10:56:09 2022 +0200

    Improved: Secure the uploads (OFBIZ-12080)
    
    I did not have these ones, found there
    
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
    and there https://github.com/tennc/webshell
---
 framework/security/config/security.properties                     | 4 ++--
 .../src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 2c60cdcda3..03dbc8ee6b 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -256,11 +256,11 @@ allowAllUploads=
 #-- Else "template.utility.Execute" is a good replacement but not as much 
catching, who knows...
 #--
 #-- If you are sure you are safe for a token you can remove it, etc.
-deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(,alert(,\
+deniedWebShellTokens=java.,beans,freemarker,<script,javascript,<body,body 
,<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
                      
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
                      chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build,\
                      python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget 
,static,assign,webappPath,\
-                     ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
+                     ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate
 
 #-- Max line length for uploaded files, by default 10000
 maxLineLength=
diff --git 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
index 3eac13c9c6..75730a3fcc 100644
--- 
a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ 
b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
@@ -59,11 +59,11 @@ public class SecurityUtilTest {
     @Test
     public void webShellTokensTesting() {
         // Currently used
-        // 
java.,beans,freemarker,<script,javascript,<body,<form,<jsp:,<c:out,taglib,<prefix,<%@
 page,<?php,exec(,alert(,\
+        // java.,beans,freemarker,<script,javascript,<body,body 
<form,<jsp:,<c:out,taglib,<prefix,<%@ page,<?php,exec(,alert(,\
         // 
%eval,@eval,eval(,runtime,import,passthru,shell_exec,assert,str_rot13,system,decode,include,page
 ,\
         // chmod,mkdir,fopen,fclose,new 
file,upload,getfilename,download,getoutputstring,readfile,iframe,object,embed,onload,build\
         // python,perl ,/perl,ruby 
,/ruby,process,function,class,InputStream,to_server,wget 
,static,assign,webappPath,\
-        // ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost
+        // ifconfig,route,crontab,netstat,uname 
,hostname,iptables,whoami,"cmd",*cmd|,+cmd|,=cmd|,localhost,thread,require,gzdeflate
 
         try {
             List<String> allowed = new ArrayList<>();
@@ -78,6 +78,7 @@ public class SecurityUtilTest {
             assertFalse(SecuredUpload.isValidText("<script", allowed));
             assertFalse(SecuredUpload.isValidText("javascript", allowed));
             assertFalse(SecuredUpload.isValidText("<body", allowed));
+            assertFalse(SecuredUpload.isValidText("body ", allowed));
             assertFalse(SecuredUpload.isValidText("<form", allowed));
             assertFalse(SecuredUpload.isValidText("<jsp:", allowed));
             assertFalse(SecuredUpload.isValidText("<c:out", allowed));
@@ -142,6 +143,9 @@ public class SecurityUtilTest {
             assertFalse(SecuredUpload.isValidText("+cmd|", allowed));
             assertFalse(SecuredUpload.isValidText("=cmd|", allowed));
             assertFalse(SecuredUpload.isValidText("localhost", allowed));
+            assertFalse(SecuredUpload.isValidText("thread", allowed));
+            assertFalse(SecuredUpload.isValidText("require", allowed));
+            assertFalse(SecuredUpload.isValidText("gzdeflate", allowed));
 
         } catch (IOException e) {
             fail(String.format("IOException occured : %s", e.getMessage()));