[
https://issues.apache.org/jira/browse/FREEMARKER-124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16993930#comment-16993930
]
Dániel Dékány edited comment on FREEMARKER-124 at 12/11/19 10:06 PM:
---------------------------------------------------------------------
Templates are part of the source code of the project, similarly to your Java
files, Groovy files, you name it. If you let untrusted people edit them, they
can do bad things. It wasn't promised that FTL somehow can act as a security
barrier. This is also in the FAQ.

Now, for some reason, a decade ago, the "unsafe methods" black listing was added
to FreeMarker, which might mislead people into thinking that it's a serious
protection. It clearly can't be, ever, since you never know what API-s will be
available in the next Java version, or through third-party libraries, etc. And
in fact, even with core Java classes only, there are other ways to do what you
are saying; you don't need the {{ProtectionDomain}} for that.

Now, since projects often want to allow untrusted users to edit templates, if
everything goes well, the next version will contain a white-listing facility (as
opposed to black-listing) in the standard object wrapper. So if someone needs
that, they don't have to develop their own {{ObjectWrapper}}, or suffer with
{{SimpleObjectWrapper}}. Really that's the best we can do. And then, you can
still be DOS-ed... see FAQ.
was (Author: ddekany):
Templates are part of the source code of the project, similarly to your Java
files, Groovy files, you name it. If you let untrusted people edit them, they
can do bad things. It wasn't promised that FTL somehow can act as a
security barrier. This is also in the FAQ.

Now, for some reason, a decade ago, the "unsafe methods" black listing was added
to FreeMarker, which might mislead people into thinking that it's serious
protection. It clearly can't be, ever, since you never know what API-s will be
available in the next Java version, or through third-party libraries, etc. And
in fact, even with core Java classes only, there are other ways to do what you are
saying; you don't need the ProtectionDomain for that.

Now, since projects often want to allow untrusted users to edit templates, if
everything goes well then the next version will contain a white-listing possibility
in the standard object wrapper. So if someone needs that, they don't have to
develop their own {{ObjectWrapper}}, or suffer with {{SimpleObjectWrapper}}.
Really that's the best we can do. And then, you can still be DOS-ed... see FAQ.
> Security - templates can get classloader by using
> java.security.ProtectionDomain.getClassLoader
> -----------------------------------------------------------------------------------------------
>
> Key: FREEMARKER-124
> URL: https://issues.apache.org/jira/browse/FREEMARKER-124
> Project: Apache Freemarker
> Issue Type: Bug
> Reporter: Gal Ben Ami
> Priority: Critical
> Labels: security
>
> By using java.security.ProtectionDomain.getClassLoader templates will get
> access to the classloader and from there can get filesystem access and more.
>
> See:
> [https://github.com/apache/freemarker/pull/62]
>
> And
> [https://ackcent.com/blog/in-depth-freemarker-template-injection/]
>
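As an added example (not code from this issue thread or from the FreeMarker project itself), this shows the defender-side configuration the comment describes: an object wrapper that exposes only white-listed members, so anything not listed, `getClass()` included, is simply absent from the template's view. It assumes a FreeMarker release with the `MemberAccessPolicy` API (2.3.30 or newer, where `WhitelistMemberAccessPolicy` was introduced) and a constructed `Product` data-model class.

```java
import java.io.StringWriter;
import java.util.Arrays;
import java.util.Collections;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class WhitelistedFreeMarkerDemo {

    // Constructed data-model class: only getName() is white-listed below.
    public static class Product {
        public String getName() { return "widget"; }
        public String getSecret() { return "not for templates"; }
    }

    public static Configuration buildConfiguration() {
        // Assumes FreeMarker 2.3.30+, where setMemberAccessPolicy exists.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        // White-list replaces the "unsafe methods" black list: unlisted members are invisible.
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(MemberSelector.parse(
                Arrays.asList(Product.class.getName() + ".getName()"),
                WhitelistedFreeMarkerDemo.class.getClassLoader())));
        cfg.setObjectWrapper(owb.build());
        // Close the other built-in routes to arbitrary classes: ?new and ?api.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    public static String render(Configuration cfg, String name, String ftl) throws Exception {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, ftl);
        cfg.setTemplateLoader(loader);
        StringWriter out = new StringWriter();
        Template t = cfg.getTemplate(name);
        t.process(Collections.singletonMap("product", new Product()), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();
        System.out.println(render(cfg, "ok", "${product.name}"));
        try {
            render(cfg, "blocked", "${product.secret}"); // not white-listed: evaluates as missing
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The first render prints `widget`; the second fails with a missing-value error because `getSecret()` is not in the list, which is the behaviour the comment contrasts with black-listing, where every newly discovered method is reachable until someone adds it to the list.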
--
This message was sent by Atlassian Jira
(v8.3.4#803005)