I agree with you, Jacques. If some fears are present, as with impersonate, we can load a specific permission and add a property that disables this function by default.
Nicolas

On 21/09/2021 08:06, Jacques Le Roux wrote:
> Hi,
>
> The security reporter "thiscodecc" created OFBIZ-12305 about "Groovy
> Program sandbox bypass". He suggested to use one of "the very mature
> solutions on the groovy sandbox on the market. You can refer to it.".
>
> I had a look. The best article was from Cédric Champeau:
> https://melix.github.io/blog/2015/03/sandboxing.html and clearly he
> does not advocate for "mature solutions on the groovy sandbox on the
> market".
>
> So I rather fixed the issue with a "simple" and pragmatic approach by
> reusing the work I already did with SecuredUpload::isValidTextFile. I
> refactored it and created the public SecuredUpload::isValidText.
>
> Finally, with OFBIZ-12324 I extracted the webshell tokens in the
> deniedWebShellTokens property in security.properties.
>
> I had a deeper look at Cédric's article and I'm now convinced that,
> because only ProgramExport in Webtool was concerned we don't need to
> worry about Groovy Sandboxing.
>
> If you don't think so, please explain why
>
> TIA
>
> Jacques
>