Hi,
The security reporter "thiscodecc" created OFBIZ-12305 about "Groovy Program sandbox bypass". He suggested using one of "the very mature solutions on
the groovy sandbox on the market. You can refer to it.".
I had a look. The best article was from Cédric Champeau: https://melix.github.io/blog/2015/03/sandboxing.html and clearly he does not advocate for
"mature solutions on the groovy sandbox on the market".
So I rather fixed the issue with a "simple" and pragmatic approach by reusing the work I already did with SecuredUpload::isValidTextFile. I refactored
it and created the public SecuredUpload::isValidText.
Finally, with OFBIZ-12324 I extracted the webshell tokens in the
deniedWebShellTokens property in security.properties.
I had a deeper look at Cédric's article and I'm now convinced that, because only ProgramExport in Webtool was concerned, we don't need to worry about
Groovy Sandboxing.
If you don't think so, please explain why.
TIA
Jacques
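The kind of denied-token check the message describes, as an added illustration that is not OFBiz's SecuredUpload code: the property name follows the email, but the comma-separated format, the sample tokens and the method names are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;

/** Illustrative denied-token scan over submitted Groovy text (not OFBiz's own code). */
public class DeniedTokenCheck {

    // Constructed stand-in for a security.properties fragment; the token list and
    // its comma-separated format are assumptions, not copied from OFBiz.
    static final String SAMPLE_PROPERTIES =
        "deniedWebShellTokens=Runtime.getRuntime,ProcessBuilder,java.lang.reflect,System.exit\n";

    /** Parse the comma-separated list; trim and lower-case for case-insensitive matching. */
    static List<String> loadDeniedTokens(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        List<String> tokens = new ArrayList<>();
        for (String raw : props.getProperty("deniedWebShellTokens", "").split(",")) {
            String t = raw.trim();
            if (!t.isEmpty()) tokens.add(t.toLowerCase(Locale.ROOT));
        }
        return tokens;
    }

    /** Return the first denied token found in the text, or null when the text passes. */
    static String findDeniedToken(String text, List<String> deniedTokens) {
        String lower = text.toLowerCase(Locale.ROOT);
        for (String token : deniedTokens) {
            if (lower.contains(token)) {
                return token;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        List<String> denied = loadDeniedTokens(SAMPLE_PROPERTIES);
        String benign = "println 'hello'";
        String suspect = "def r = Runtime.getRuntime()";
        System.out.println("benign  -> " + findDeniedToken(benign, denied));
        System.out.println("suspect -> " + findDeniedToken(suspect, denied));
    }
}
```

A substring denylist only catches the spellings it lists, which is why the message ties its adequacy to ProgramExport being the only affected entry point.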