Jacques Le Roux created OFBIZ-12587:
---------------------------------------
Summary: Implement Freemarker WhitelistMemberAccessPolicy
Key: OFBIZ-12587
URL: https://issues.apache.org/jira/browse/OFBIZ-12587
Project: OFBiz
Issue Type: Improvement
Components: ALL APPLICATIONS, ALL PLUGINS, framework/base,
framework/security
Affects Versions: Upcoming Branch
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux
In its API, Freemarker provides
[WhitelistMemberAccessPolicy|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
where it mentions
[TemplateAccessible|https://freemarker.apache.org/docs/api/freemarker/ext/beans/TemplateAccessible.html]
and there it says:
bq. Note that adding something to the whitelist doesn't necessarily make it
visible from templates; see WhitelistMemberAccessPolicy documentation.
So, back to the [WhitelistMemberAccessPolicy
API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html];
its documentation says 2 things:
bq. Of course, this only can deal with the ObjectWrapper aspect of safety;
please check the Manual to see what else is needed.
So far, I did not find any other documentation than the
[WhitelistMemberAccessPolicy
API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
and the FAQ (see below). In the [WhitelistMemberAccessPolicy
API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
I read:
bq. Also, since this is related to security, read the documentation of
MemberAccessPolicy, to know about the pitfalls and edge cases related to
MemberAccessPolicy-es in general.
So maybe I miss something somewhere.
Something else is interesting in [WhitelistMemberAccessPolicy
API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]:
bq. Note that if you add TemplateModel-s directly to the data-model, those are
not wrapped by the ObjectWrapper (from Configurable.getObjectWrapper()), and so
the MemberAccessPolicy won't affect those.
So WhitelistMemberAccessPolicy is not a magic wand, more must be done. The
[FAQ|https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security]
should be of some help. Notably in OFBiz case:
bq. Always expect that templates may get some objects that you haven't put into
the data-model yourself. Notably, templates can always get a Locale object with
the .locale_object expression. Or the {color:#ff8b00}web application framework
you are using may expose some objects, like attributes from the Servlet
scopes{color}. Such objects will be still wrapped with the ObjectWrapper that
you set in the Configuration, and this is why it's important to ensure safety
on that level. Controlling what objects the template will have access to is
hard, but you can control centrally what members of any object they have access
to.
This also needs to be taken into consideration:
bq. Template-loader (Configuration.setTemplateLoader): Templates may load other
templates by name (by path), like <#include "../secret.txt">. To avoid loading
sensitive data, you have to use a TemplateLoader that double-checks that the
file to load is something that should be exposed. FreeMarker tries to prevent
the loading of files outside the template root directory regardless of template
loader, but depending on the underlying storage mechanism, exploits may exist
that FreeMarker can't consider (like, just as an example, ~ jumps to the
current user's home directory). Note that freemarker.cache.FileTemplateLoader
checks the canonical paths, so that's maybe a good candidate for this task;
yet adding a file extension check (file must be *.ftl) is maybe a good idea.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
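The following Java program is an added example illustrating the two points quoted above; it is not code from this ticket, from OFBiz or from FreeMarker itself. It wires a WhitelistMemberAccessPolicy into the ObjectWrapper (one member whitelisted through a MemberSelector, one through the @TemplateAccessible annotation, one left unexposed) and wraps the TemplateLoader with the *.ftl extension check the FAQ suggests. The Order bean, the FtlOnlyTemplateLoader class, the template names and the in-memory template contents are all assumptions made up for the demonstration; FreeMarker 2.3.30 or later is assumed, since MemberAccessPolicy was introduced in that release.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.TemplateAccessible;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.TemplateException;

public class WhitelistDemo {

    /** Hypothetical bean standing in for an object a template can reach (an assumption). */
    public static class Order {
        private final String id;
        public Order(String id) { this.id = id; }
        public String getId() { return id; }                  // whitelisted below via MemberSelector
        @TemplateAccessible
        public String getStatus() { return "approved"; }      // whitelisted via the annotation
        public String getInternalNote() { return "secret"; }  // neither: must stay invisible
    }

    /** Hypothetical wrapper: delegates to any TemplateLoader but refuses names not ending in ".ftl". */
    public static class FtlOnlyTemplateLoader implements TemplateLoader {
        private final TemplateLoader delegate;
        public FtlOnlyTemplateLoader(TemplateLoader delegate) { this.delegate = delegate; }

        @Override
        public Object findTemplateSource(String name) throws IOException {
            // Returning null means "not found", so <#include "secret.txt"> fails
            // even when the underlying storage could have served that file.
            return name.endsWith(".ftl") ? delegate.findTemplateSource(name) : null;
        }
        @Override public long getLastModified(Object source) { return delegate.getLastModified(source); }
        @Override public Reader getReader(Object source, String encoding) throws IOException {
            return delegate.getReader(source, encoding);
        }
        @Override public void closeTemplateSource(Object source) throws IOException {
            delegate.closeTemplateSource(source);
        }
    }

    /** Builds a Configuration whose ObjectWrapper exposes only whitelisted members. */
    public static Configuration buildConfiguration(TemplateLoader loader) throws NoSuchMethodException {
        // Programmatic selector; the string form "pkg.Order.getId()" parsed by
        // MemberSelector.parse(...) is equivalent and suits a properties file.
        List<MemberSelector> allowed = Collections.singletonList(
                new MemberSelector(Order.class, Order.class.getMethod("getId")));
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(allowed));

        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setObjectWrapper(owb.build());
        cfg.setTemplateLoader(new FtlOnlyTemplateLoader(loader));
        return cfg;
    }

    /** Renders one named template against the model and returns the output. */
    public static String render(Configuration cfg, String name, Map<String, Object> model)
            throws IOException, TemplateException {
        StringWriter out = new StringWriter();
        cfg.getTemplate(name).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory template store; "secret.txt" plays the non-template file.
        StringTemplateLoader store = new StringTemplateLoader();
        store.putTemplate("order.ftl", "id=${order.id} status=${order.status}");
        store.putTemplate("leak.ftl", "note=${order.internalNote}");
        store.putTemplate("secret.txt", "db.password=hunter2");
        store.putTemplate("include.ftl", "<#include \"secret.txt\">");

        Configuration cfg = buildConfiguration(store);
        Map<String, Object> model = new HashMap<>();
        model.put("order", new Order("WSCO10010"));

        // Only the whitelisted getId() and the annotated getStatus() are reachable.
        System.out.println(render(cfg, "order.ftl", model));

        // getInternalNote() is invisible (InvalidReferenceException, a TemplateException);
        // secret.txt is never loaded (TemplateNotFoundException, an IOException).
        for (String name : new String[] {"leak.ftl", "include.ftl"}) {
            try {
                render(cfg, name, model);
                System.out.println(name + ": UNEXPECTEDLY rendered");
            } catch (TemplateException | IOException e) {
                System.out.println(name + ": blocked (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

Two caveats that follow from the quotes above: the policy only governs objects that pass through the ObjectWrapper set on the Configuration, so TemplateModel-s put into the data-model directly bypass it; and the extension check is in addition to, not a replacement for, FreeMarker's own normalisation that stops a name from backing out of the template root, since it is meant to catch the storage-specific cases the FAQ warns about.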