[ 
https://issues.apache.org/jira/browse/FREEMARKER-124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16993930#comment-16993930
 ] 

Dániel Dékány commented on FREEMARKER-124:
------------------------------------------

Templates are part of the source code of the project, similarly to your Java 
files, Groovy files, you name it. If you let untrusted people edit them, they 
can do bad things. It was never promised that FTL can somehow act as a 
security barrier. This is also in the FAQ.

Now, for some reason, a decade ago, the "unsafe methods" blacklisting was added 
to FreeMarker, which might mislead people into thinking that it's serious 
protection. It clearly can't be, ever, since you never know what APIs will be 
available in the next Java version, or through third-party libraries, etc. And 
in fact, even with core Java classes only, there are other ways to do what you are 
saying; you don't need the ProtectionDomain for that.

Now, since projects often want to allow untrusted users to edit templates, if 
everything goes well then the next version will contain a white-listing possibility 
in the standard object wrapper. So if someone needs that, they don't have to 
develop their own {{ObjectWrapper}}, or suffer with {{SimpleObjectWrapper}}. 
Really, that's the best we can do. And then, you can still be DOS-ed... see FAQ.

> Security - templates can get classloader by using 
> java.security.ProtectionDomain.getClassLoader
> -----------------------------------------------------------------------------------------------
>
>                 Key: FREEMARKER-124
>                 URL: https://issues.apache.org/jira/browse/FREEMARKER-124
>             Project: Apache Freemarker
>          Issue Type: Bug
>            Reporter: Gal Ben Ami
>            Priority: Critical
>              Labels: security
>
> By using java.security.ProtectionDomain.getClassLoader templates will get 
> access to the classloader and from there can get filesystem access and more.
>  
> See:
> [https://github.com/apache/freemarker/pull/62]
>  
> And 
> [https://ackcent.com/blog/in-depth-freemarker-template-injection/]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
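The white-listing the comment above refers to shipped in FreeMarker 2.3.30 as the {{MemberAccessPolicy}} hook on {{DefaultObjectWrapper}}. The following is an added example, not code from the ticket, the pull request or the FreeMarker project: it wires a {{WhitelistMemberAccessPolicy}} into a {{Configuration}} so that templates can reach only the members listed explicitly, and then shows that the {{getClass().getProtectionDomain().getClassLoader()}} chain named in the ticket is simply not there to call. {{Product}} and its {{getName()}} member, the inline templates, and the class name {{WhitelistWrapperExample}} are all assumptions made for the illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/** Added example: whitelist-based member access for templates edited by untrusted users. */
public class WhitelistWrapperExample {

    /** Hypothetical model class that the templates are allowed to read from. */
    public static class Product {
        private final String name;
        public Product(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Builds a Configuration whose object wrapper exposes ONLY the listed members. */
    static Configuration buildConfiguration() throws Exception {
        // Member selectors use the "fully.qualified.Class.member(paramTypes)" form;
        // nested classes are named with '$' because the parser resolves them via Class.forName.
        // Anything not listed here (getClass(), getProtectionDomain(), ...) is invisible
        // to templates, on every class, regardless of what future JDKs or libraries add.
        List<MemberSelector> allowed = MemberSelector.parse(
                Arrays.asList("WhitelistWrapperExample$Product.getName()"),
                false,                                          // fail fast on a typo in the list
                WhitelistWrapperExample.class.getClassLoader());

        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(allowed));

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setObjectWrapper(owb.build());
        // Rethrow instead of writing the stack trace into the rendered output.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        cfg.setLogTemplateExceptions(false);
        return cfg;
    }

    /** Renders an inline template string against the given model. */
    static String render(Configuration cfg, String ftl, Object model) throws Exception {
        Template template = new Template("inline", new StringReader(ftl), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();
        Map<String, Object> model = Collections.singletonMap("product", new Product("widget"));

        // Whitelisted member: works as usual.
        System.out.println(render(cfg, "${product.name}", model));

        // The probe from the ticket. Under the whitelist, "class" is not a readable
        // member of product at all, so the walk to the classloader never starts.
        try {
            render(cfg, "${product.class.protectionDomain.classLoader}", model);
            System.out.println("reachable: the whitelist policy is not in effect");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessageWithoutStackTop());
        }
    }
}
```

Two caveats that follow from the comment itself. First, the list is the whole security story: every member a template is supposed to use has to be enumerated (or annotated with {{@TemplateAccessible}}), which is why this is a deliberate opt-in rather than the default. Second, even a correct whitelist does nothing about resource exhaustion; a template that loops forever or allocates without bound still needs limits imposed outside FreeMarker, as the FAQ says.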