ddekany commented on pull request #68: URL: https://github.com/apache/freemarker/pull/68#issuecomment-646993026
Just to restate the problem. Official FreeMarker does have features to disable these on the level of the `Configuration` object. Your problem is that sometimes you don't have control over the `Configuration` instance. So, you started rolling your own in-house FreeMarker fork that just doesn't have some dangerous features, and what you need is a way to achieve the same without actually forking.

If we just have some static method where you can fiddle with the `Configuration` instance, that can perhaps be too easily used for attacks. If others manage to call that static method (yes, then you already have some big problem, but still), they can make a previously secure system insecure. Also, it's not always easy to guarantee that your static method call happens before the relevant `Configuration` instance was created. Such uncertainty is especially undesirable when security depends on it.

So maybe we should rather have a class with a fixed, predefined name, let's say `org.apache.freemarker.monkeypatch.FeatureDisabler`, and that's where you can do your thing. Because it's a documented, fixed place, it's also easier to figure out if such magic happens. The only problem is that, as the presence of these calls is optional in FreeMarker, the system will still run if somehow it's not there anymore. For that, though, you can refer to `FeatureDisabler` in your application's own startup code, so your application will fail if that class is gone for some reason.

Though I'm still not sure how you intend to ensure that the data-model content itself is safe. Well, you might as well specify a whitelist in `org.apache.freemarker.monkeypatch`, though I'm not sure how realistic that is.
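The three pieces of the design sketched in the comment, written out as an added illustration (this is not FreeMarker's code and not something the project ships): a fixed-name hook class that locks down a `Configuration`, the lookup FreeMarker would perform by that fixed name, and the application-side direct reference that makes startup fail if the class is missing. The package `org.apache.freemarker.monkeypatch`, the class `FeatureDisabler`, its `apply` method, and the `FeatureDisablerHook` lookup are all assumptions taken from the proposal; only `Configuration`, `setNewBuiltinClassResolver`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` and `setAPIBuiltinEnabled` are real FreeMarker 2.3.x API. The three classes are shown in one listing for readability; in a real build each would sit in its own file.

```java
import freemarker.template.Configuration;
import freemarker.template.TemplateClassResolver;

// --- Hypothetical hook class, as proposed in the comment. ---
// Would live in the fixed, documented package org.apache.freemarker.monkeypatch.
// Because the name is fixed, a reviewer can grep for it to see whether the
// lockdown is in play; there is no arbitrary static method to call.
final class FeatureDisabler {
    private FeatureDisabler() {}

    // Assumed method name. Applies the same restrictions an in-house fork
    // would hard-code, but against whatever Configuration FreeMarker built.
    static void apply(Configuration cfg) {
        // Blocks ?new of arbitrary classes from templates (real API).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Blocks the ?api built-in, which exposes raw Java objects (real API).
        cfg.setAPIBuiltinEnabled(false);
    }
}

// --- Hypothetical library-side lookup: what FreeMarker itself would run
// right after constructing a Configuration. The hook is optional, so a
// missing class is tolerated; a present-but-broken class is not, because
// silently skipping it would turn a hardened deployment into an open one.
final class FeatureDisablerHook {
    static final String HOOK_CLASS = "org.apache.freemarker.monkeypatch.FeatureDisabler";

    private FeatureDisablerHook() {}

    // Returns true when the hook was found and applied, false when absent.
    static boolean applyIfPresent(Configuration cfg) {
        Class<?> hook;
        try {
            hook = Class.forName(HOOK_CLASS);
        } catch (ClassNotFoundException absent) {
            return false; // optional: library keeps working without it
        }
        try {
            hook.getDeclaredMethod("apply", Configuration.class).invoke(null, cfg);
            return true;
        } catch (ReflectiveOperationException broken) {
            throw new IllegalStateException(HOOK_CLASS + " is present but unusable", broken);
        }
    }
}

// --- Application startup: the direct reference the comment recommends.
// A compile-time reference means the JVM raises NoClassDefFoundError at
// startup if the hook class has been dropped from the classpath, instead of
// the application quietly running with unrestricted templates.
public final class AppStartup {
    public static void main(String[] args) {
        // Deliberate direct reference; fails fast if the class is gone.
        Class<?> guard = FeatureDisabler.class;
        System.out.println("Lockdown hook present: " + guard.getName());

        // Simulates a Configuration created somewhere out of the app's control.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        boolean applied = FeatureDisablerHook.applyIfPresent(cfg);
        System.out.println("Hook applied: " + applied
                + ", ?api enabled: " + cfg.isAPIBuiltinEnabled());
    }
}
```

Note that the direct `FeatureDisabler.class` reference is the only part the application controls; it does not address the separate question raised at the end of the comment, namely whether the objects placed in the data model are themselves safe to expose to templates.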
