Hi Nico,

I see no reason to fear impersonate right now. It would be a post-auth
issue anyway...

Thanks

Jacques

On 27/09/2021 at 09:37, Nicolas Malin wrote:
I agree with you Jacques.

If some fears are present, as for impersonate, we can load a specific
permission and add a property that disables this function by default.

Nicolas

On 21/09/2021 08:06, Jacques Le Roux wrote:
Hi,

The security reporter "thiscodecc" created OFBIZ-12305 about "Groovy
Program sandbox bypass". He suggested to use one of "the very mature
solutions on the groovy sandbox on the market. You can refer to it.".

I had a look. The best article was from Cédric Champeau:
https://melix.github.io/blog/2015/03/sandboxing.html and clearly he
does not advocate for "mature solutions on the groovy sandbox on the
market".

So I rather fixed the issue with a "simple" and pragmatic approach by
reusing the work I already did with SecuredUpload::isValidTextFile. I
refactored it and created the public SecuredUpload::isValidText.

Finally, with OFBIZ-12324 I extracted the webshell tokens in the
deniedWebShellTokens property in security.properties.

I had a deeper look at Cédric's article and I'm now convinced that,
because only ProgramExport in Webtool was concerned, we don't need to
worry about Groovy Sandboxing.

If you don't think so, please explain why.

TIA

Jacques
