On 10/31/2010 12:21 PM, Ivan Ristic wrote:
Is it safe to give users access to Velocity templates? Let's say that
I have an application where I want to allow the users to modify email
templates (which are written in Velocity). I am happy for the users to
have access to the objects I give them, but is there a way in Velocity
to create arbitrary Java objects (e.g., through a class loader
reference)?

Do you think it can be made safe, if it is not?

By default Velocity does not allow creating new objects, since there's no new() method/directive. You can still create objects if you have access to Class.forName, but that's not possible if you use the SecureUberspector, which prevents access to all Class methods except toString. I think this is the default uberspector, so you don't need to change anything (devs, please confirm).

Note that inside XWiki Velocity is used as a full scripting language, and it is very secure. What you must check is the API that you expose via the objects you put in the context.

If you want even more control on what users can do in Velocity, you can write your own uberspectors to control what methods can be used. For example, we have one that logs all calls to @Deprecated methods (see https://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-velocity/src/main/java/org/xwiki/velocity/introspection/DeprecatedCheckUberspector.java ), and we're working on one that does automatic access rights checks (see http://jira.xwiki.org/jira/browse/XWIKI-2181 and the attached patch).

Has anyone tried to deploy Velocity in a similar use case, restricting
what templates can do using Java's security model (e.g. security
manager, permissions, etc)? Having the restrictions in place is
clearly desired, irrespective of whether Velocity is safe to use in
this fashion.

You can also add more paranoid control if you use a security policy at the Java level, although we've never had any problems from Velocity in 6 years.

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
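Added example (not from this thread or from XWiki's code): a Velocity engine configured with a custom uberspector that extends SecureUberspector, denies a short list of reflection-related method names, and logs the template position of each refused call. It assumes the Velocity 1.7 API (SecureUberspector, VelMethod, Info, RuntimeConstants.UBERSPECT_CLASSNAME); the class and the deny list are hypothetical.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.Info;
import org.apache.velocity.util.introspection.SecureUberspector;
import org.apache.velocity.util.introspection.VelMethod;

public class RestrictedVelocityDemo {

    /** Hypothetical uberspector: keeps SecureUberspector's blocking of Class and
     *  ClassLoader methods, and additionally refuses the names below, with a log line. */
    public static class DenyListUberspector extends SecureUberspector {
        private static final Set<String> DENIED =
            new HashSet<>(Arrays.asList("getClass", "getClassLoader", "forName"));

        @Override
        public VelMethod getMethod(Object obj, String methodName, Object[] args, Info i)
                throws Exception {
            if (DENIED.contains(methodName)) {
                // 'log' is the Log that Velocity injects into UberspectImpl at init time
                log.warn("template " + i.getTemplateName() + ":" + i.getLine()
                         + " called " + methodName + " on " + obj.getClass().getName());
                return null; // null => the reference stays unresolved, nothing is invoked
            }
            return super.getMethod(obj, methodName, args, i);
        }
    }

    /** Renders a user-supplied template with only the objects we put in the context. */
    public static String render(String template) throws Exception {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           DenyListUberspector.class.getName());
        engine.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", "alice"); // constructed sample context value
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "user-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(render("Hello $user"));                 // Hello alice
        // With the default non-strict reference mode, a refused call is echoed back
        // as literal text rather than executed, and a warning is logged.
        System.out.println(render("$user.getClass().getName()"));
    }
}
```

Whatever the uberspector refuses, the real boundary is still the set of objects placed in the context, as the reply above says.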
