[ https://issues.apache.org/jira/browse/OFBIZ-12587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516642#comment-17516642 ]

ASF subversion and git services commented on OFBIZ-12587:
---------------------------------------------------------

Commit 2aeb282cdc792e4a30274bffb57d63f3829bcca7 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=2aeb282cdc ]

Improved: Prevent Freemarker interpolation in fields (OFBIZ-12594)

OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker exploits.
But it's hard to realise because OFBiz exposes objects, like attributes from the
Servlet scopes. So in the meantime preventing Freemarker interpolation in fields
is a pragmatic solution.

This is an improvement but needs to be backported because it kinda affects
security


> Implement Freemarker WhitelistMemberAccessPolicy
> ------------------------------------------------
>
>                 Key: OFBIZ-12587
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12587
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS, ALL PLUGINS, framework/base, 
> framework/security
>    Affects Versions: Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-12587-1.patch, OFBIZ-12587-2.patch, 
> OFBIZ-12587.patch
>
>
> In its API, Freemarker provides 
> [WhitelistMemberAccessPolicy|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
>  where it mentions 
> [TemplateAccessible|https://freemarker.apache.org/docs/api/freemarker/ext/beans/TemplateAccessible.html]
>  and there says:
> bq. Note that adding something to the whitelist doesn't necessarily make it 
> visible from templates; see WhitelistMemberAccessPolicy documentation.
> So back to the [WhitelistMemberAccessPolicy 
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html],
>  whose documentation says 2 things:
> bq. Of course, this only can deal with the ObjectWrapper aspect of safety; 
> please check the Manual to see what else is needed.
> So far, I did not find any documentation other than the 
> [WhitelistMemberAccessPolicy 
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
>  and the FAQ (see below). In the [WhitelistMemberAccessPolicy 
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]
>  I read:
> bq.  Also, since this is related to security, read the documentation of 
> MemberAccessPolicy, to know about the pitfalls and edge cases related to 
> MemberAccessPolicy-es in general.
> So maybe I miss something somewhere.
> Something else is interesting in [WhitelistMemberAccessPolicy 
> API|https://freemarker.apache.org/docs/api/freemarker/ext/beans/WhitelistMemberAccessPolicy.html]:
> bq. Note that if you add TemplateModel-s directly to the data-model, those 
> are not wrapped by the ObjectWrapper (from Configurable.getObjectWrapper()), 
> and so the MemberAccessPolicy won't affect those.
> So WhitelistMemberAccessPolicy is not a magic wand, more must be done. The 
> [FAQ|https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security]
>  should be of some help. Notably in OFBiz case:
> bq. Always expect that templates may get some objects that you haven't put 
> into the data-model yourself. Notably, templates can always get a Locale 
> object with the .locale_object expression. Or the web 
> application framework you are using may expose some objects, like attributes 
> from the Servlet scopes. Such objects will be still wrapped with the 
> ObjectWrapper that you set in the Configuration, and this is why it's 
> important to ensure safety on that level. Controlling what objects the 
> template will have access to is hard, but you can control centrally what 
> members of any object they have access to.
> This also needs to be taken into consideration:
> bq. Template-loader (Configuration.setTemplateLoader): Templates may load 
> other templates by name (by path), like <#include "../secret.txt">. To avoid 
> loading sensitive data, you have to use a TemplateLoader that double-checks 
> that the file to load is something that should be exposed. FreeMarker tries 
> to prevent the loading of files outside the template root directory 
> regardless of template loader, but depending on the underlying storage 
> mechanism, exploits may exist that FreeMarker can't consider (like, just as 
> an example, ~ jumps to the current user's home directory). Note that 
> freemarker.cache.FileTemplateLoader checks the canonical paths, so that's 
> maybe a good candidate for this task, yet, adding a file extension check 
> (file must be *.ftl) is maybe a good idea.
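The ticket quotes two separate controls: a WhitelistMemberAccessPolicy on the ObjectWrapper (so that only listed or @TemplateAccessible members of any wrapped object are reachable, whatever route the object took into the data-model) and a TemplateLoader that refuses to serve anything but *.ftl. The following is an added example that wires both into one Configuration; it is not OFBiz code nor FreeMarker's own, and the Order bean, the template names and the template contents are constructed for the illustration. It assumes FreeMarker 2.3.30 or later, where WhitelistMemberAccessPolicy and setMemberAccessPolicy exist.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.MemberSelectorListMemberAccessPolicy.MemberSelector;
import freemarker.ext.beans.TemplateAccessible;
import freemarker.ext.beans.WhitelistMemberAccessPolicy;
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapperBuilder;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/** Added example (not OFBiz code): a FreeMarker Configuration locked down on both levels the ticket discusses. */
public class WhitelistPolicyExample {

    /** Hypothetical bean; stands in for an object that reached the model through a Servlet attribute. */
    public static class Order {
        public String getId() { return "ORD-1"; }                                // whitelisted via MemberSelector
        @TemplateAccessible
        public int getTotal() { return 42; }                                      // whitelisted via annotation
        public String getCustomerEmail() { return "alice@example.invalid"; }      // neither: invisible to templates
    }

    /** Decorates any TemplateLoader so that only "*.ftl" names resolve; everything else reads as "not found". */
    static final class FtlOnlyTemplateLoader implements TemplateLoader {
        private final TemplateLoader delegate;
        FtlOnlyTemplateLoader(TemplateLoader delegate) { this.delegate = delegate; }
        @Override public Object findTemplateSource(String name) throws IOException {
            // FileTemplateLoader already canonicalises paths; the extension check is the extra the FAQ suggests,
            // and the ".." refusal is defence in depth against storage backends FreeMarker cannot reason about.
            if (!name.endsWith(".ftl") || name.contains("..")) return null;
            return delegate.findTemplateSource(name);
        }
        @Override public long getLastModified(Object src) { return delegate.getLastModified(src); }
        @Override public Reader getReader(Object src, String enc) throws IOException { return delegate.getReader(src, enc); }
        @Override public void closeTemplateSource(Object src) throws IOException { delegate.closeTemplateSource(src); }
    }

    static Configuration buildConfiguration() throws NoSuchMethodException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);

        // ObjectWrapper level: only explicitly selected members (plus @TemplateAccessible ones) are exposed,
        // for every object the wrapper touches, including objects the framework injects behind your back.
        DefaultObjectWrapperBuilder owb = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_31);
        owb.setMemberAccessPolicy(new WhitelistMemberAccessPolicy(Arrays.asList(
                new MemberSelector(Order.class, Order.class.getMethod("getId")))));
        cfg.setObjectWrapper(owb.build());

        // "What else is needed": the ?new built-in instantiates arbitrary classes unless the resolver forbids it.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING);

        // Template-loader level: an in-memory store (constructed data) behind the extension-checking decorator.
        StringTemplateLoader store = new StringTemplateLoader();
        store.putTemplate("page.ftl", "id=${order.id} total=${order.total}");
        store.putTemplate("leak.ftl", "${order.customerEmail}");
        store.putTemplate("secret.txt", "db.password=hunter2");
        store.putTemplate("include.ftl", "<#include \"secret.txt\">");
        cfg.setTemplateLoader(new FtlOnlyTemplateLoader(store));
        return cfg;
    }

    /** Renders one template against a model holding an Order; returns the output or the denial reason. */
    static String render(Configuration cfg, String name) {
        Map<String, Object> model = new HashMap<>();
        model.put("order", new Order());
        try {
            Template t = cfg.getTemplate(name);
            StringWriter out = new StringWriter();
            t.process(model, out);
            return out.toString();
        } catch (TemplateException | IOException e) {
            // Non-whitelisted member -> InvalidReferenceException; non-.ftl name -> TemplateNotFoundException
            return "DENIED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildConfiguration();
        System.out.println(render(cfg, "page.ftl"));     // allowed: id=ORD-1 total=42
        System.out.println(render(cfg, "leak.ftl"));     // denied: getCustomerEmail is not whitelisted
        System.out.println(render(cfg, "include.ftl"));  // denied: the include targets a non-.ftl name
        System.out.println(render(cfg, "secret.txt"));   // denied: cannot be loaded directly either
    }
}
```

The limitation the ticket quotes still applies: anything put into the data-model already as a TemplateModel bypasses the ObjectWrapper and therefore the policy, so the check is only complete for objects that the wrapper itself wraps.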



--
This message was sent by Atlassian Jira
(v8.20.1#820001)