[
https://issues.apache.org/jira/browse/OFBIZ-12587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502812#comment-17502812
]
Jacques Le Roux edited comment on OFBIZ-12587 at 3/8/22, 9:16 AM:
------------------------------------------------------------------
New [^OFBIZ-12587-1.patch], major changes are:
* Unique methods from getMethodsFromTransformsProperties and
getMethodsFromClasses
* Extracted new getMethodsFromClass from getMethodsFromTransformsProperties and
getMethodsFromClasses
TODO to add:
* Servlet Attributes
* Request Attributes
* ... Actually checks context in renderTemplate()
was (Author: jacques.le.roux):
New patch, major changes are:
* Unique methods from getMethodsFromTransformsProperties and
getMethodsFromClasses
* Extracted new getMethodsFromClass from getMethodsFromTransformsProperties and
getMethodsFromClasses
TODO to add:
* Servlet Attributes
* Request Attributes
* ... Actually checks context in renderTemplate()
> Implement Freemarker WhitelistMemberAccessPolicy
> ------------------------------------------------
>
> Key: OFBIZ-12587
> URL: https://issues.apache.org/jira/browse/OFBIZ-12587
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS, ALL PLUGINS, framework/base,
> framework/security
> Affects Versions: Upcoming Branch
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-12587-1.patch, OFBIZ-12587.patch
>
>
> In its API, Freemarker provides
> [WhitelistMemberAccessPolicy|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
> where it mentions
> [TemplateAccessible|https://freemarker.apache.org/docs/api/freemarker/ext/beans/TemplateAccessible.html]
> which says:
> bq. Note that adding something to the whitelist doesn't necessarily make it
> visible from templates; see WhitelistMemberAccessPolicy documentation.
> So back to [WhitelistMemberAccessPolicy
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
> documentation says 2 things:
> bq. Of course, this only can deal with the ObjectWrapper aspect of safety;
> please check the Manual to see what else is needed.
> So far, I have not found any documentation other than the
> [WhitelistMemberAccessPolicy
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
> and the FAQ (see below). In the [WhitelistMemberAccessPolicy
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
> I read
> bq. Also, since this is related to security, read the documentation of
> MemberAccessPolicy, to know about the pitfalls and edge cases related to
> MemberAccessPolicy-es in general.
> So maybe I am missing something somewhere.
> Something else is interesting in [WhitelistMemberAccessPolicy
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]:
> bq. Note that if you add TemplateModel-s directly to the data-model, those
> are not wrapped by the ObjectWrapper (from Configurable.getObjectWrapper()),
> and so the MemberAccessPolicy won't affect those.
> So WhitelistMemberAccessPolicy is not a magic wand, more must be done. The
> [FAQ|https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security]
> should be of some help. Notably in OFBiz case:
> bq. Always expect that templates may get some objects that you haven't put
> into the data-model yourself. Notably, templates can always get a Locale
> object with the .locale_object expression. Or the {color:#ff8b00}web
> application framework you are using may expose some objects, like attributes
> from the Servlet scopes{color}. Such objects will still be wrapped with the
> ObjectWrapper that you set in the Configuration, and this is why it's
> important to ensure safety on that level. Controlling what objects the
> template will have access to is hard, but you can control centrally what
> members of any object they have access to.
> This also needs to be taken into consideration:
> bq. Template-loader (Configuration.setTemplateLoader): Templates may load
> other templates by name (by path), like <#include "../secret.txt">. To avoid
> loading sensitive data, you have to use a TemplateLoader that double-checks
> that the file to load is something that should be exposed. FreeMarker tries
> to prevent the loading of files outside the template root directory
> regardless of template loader, but depending on the underlying storage
> mechanism, exploits may exist that FreeMarker can't consider (like, just as
> an example, ~ jumps to the current user's home directory). Note that
> freemarker.cache.FileTemplateLoader checks the canonical paths, so that's
> maybe a good candidate for this task, yet, adding a file extension check
> (file must be *.ftl) is maybe a good idea.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
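The two FreeMarker-level controls the issue description discusses, a WhitelistMemberAccessPolicy on the ObjectWrapper and a TemplateLoader that only serves *.ftl names, shown together in a stand-alone program. This is an added example written for this page; it is not OFBiz code and not the attached patch. The `Order` bean, the `FtlOnlyTemplateLoader` class and the constructed templates are assumptions made for the demo; the FreeMarker API calls (`MemberSelector`, `WhitelistMemberAccessPolicy`, `@TemplateAccessible`, `DefaultObjectWrapperBuilder.setMemberAccessPolicy`, `TemplateLoader`, `StringTemplateLoader`) are the library's own, available since FreeMarker 2.3.30.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.ext.beans.MemberSelector;
import freemarker.ext.beans.TemplateAccessible;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/** Added example (not OFBiz code): whitelist member access + *.ftl-only template loading. */
public class WhitelistPolicyDemo {

    /** Hypothetical data-model bean; only getId() and getTotal() are meant for templates. */
    public static class Order {
        public String getId() { return "ORD-1"; }
        @TemplateAccessible              // annotation route: whitelisted without listing it
        public double getTotal() { return 42.0; }
        public String getInternalNote() { return "never render this"; }
        public void cancel() { }         // side effect a template must not be able to trigger
    }

    /** FAQ-style loader wrapper: refuses names that are not plain, root-relative *.ftl paths. */
    static final class FtlOnlyTemplateLoader implements TemplateLoader {
        private final TemplateLoader delegate;
        FtlOnlyTemplateLoader(TemplateLoader delegate) { this.delegate = delegate; }

        static boolean isAllowedName(String name) {
            return name.endsWith(".ftl") && !name.startsWith("/")
                    && !name.contains("..") && !name.contains("~") && !name.contains("\\");
        }
        @Override public Object findTemplateSource(String name) throws IOException {
            // null means "not found", so <#include "../secret.txt"> fails instead of reading a file
            return isAllowedName(name) ? delegate.findTemplateSource(name) : null;
        }
        @Override public long getLastModified(Object src) { return delegate.getLastModified(src); }
        @Override public Reader getReader(Object src, String enc) throws IOException {
            return delegate.getReader(src, enc);
        }
        @Override public void closeTemplateSource(Object src) throws IOException {
            delegate.closeTemplateSource(src);
        }
    }

    /** Builds a Configuration whose ObjectWrapper only exposes whitelisted members. */
    static Configuration buildConfiguration(TemplateLoader templates) throws NoSuchMethodException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        // Explicit whitelist entry for getId(); getTotal() is covered by its @TemplateAccessible.
        MemberSelector idGetter = new MemberSelector(Order.class, Order.class.getMethod("getId"));
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(Collections.singletonList(idGetter)));
        cfg.setObjectWrapper(owb.build());
        cfg.setTemplateLoader(new FtlOnlyTemplateLoader(templates));
        return cfg;
    }

    /** Renders one named template; returns the output, or a description of why it was rejected. */
    static String render(Configuration cfg, String name, Map<String, Object> model) {
        try {
            Template t = cfg.getTemplate(name);
            StringWriter out = new StringWriter();
            t.process(model, out);   // the data-model is wrapped by the configured ObjectWrapper
            return "OK: " + out;
        } catch (IOException | TemplateException e) {
            return "REJECTED (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed templates standing in for files under the template root (assumption).
        StringTemplateLoader store = new StringTemplateLoader();
        store.putTemplate("order.ftl", "id=${order.id} total=${order.total}");
        store.putTemplate("leak.ftl", "${order.internalNote}");
        store.putTemplate("side-effect.ftl", "${order.cancel()}");
        store.putTemplate("include.ftl", "<#include '../secret.txt'>");
        store.putTemplate("secret.txt", "db.password=hunter2");   // only reachable if the loader lets it through

        Configuration cfg = buildConfiguration(store);
        Map<String, Object> model = new HashMap<>();
        model.put("order", new Order());   // a plain bean: the member access policy applies to it

        for (String name : new String[] {"order.ftl", "leak.ftl", "side-effect.ftl", "include.ftl", "secret.txt"}) {
            System.out.println(name + " -> " + render(cfg, name, model));
        }
    }
}
```

Two caveats from the quoted documentation apply unchanged to this example: the policy only governs objects the configured ObjectWrapper wraps, so anything put into the model as a ready-made TemplateModel (or wrapped by a different, permissive BeansWrapper) bypasses it; and objects the web framework injects, such as Servlet-scope attributes, go through the same wrapper, which is why the whitelist rather than the data-model contents is the control to rely on.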