This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a6e8b05135f07a6c6aa383e0d0bd4226a46f9c7e
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon May 18 12:06:28 2020 +0200

    Improved: Prevent FreeMarker Template Injection (SSTI)
    
    (OFBIZ-11709)
    
    Some people may want to use a TemplateClassResolver other than SAFER_RESOLVER
    This creates a new templateClassResolver security property and uses it in
    FreeMarkerWorker::makeConfiguration by default
---
 .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++++++++++-
 framework/security/config/security.properties                 |  9 +++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6cae5aa..56b2eee 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -65,6 +65,7 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -126,7 +127,15 @@ public final class FreeMarkerWorker {
         } catch (TemplateException e) {
             Debug.logError("Unable to set date/time and number formats in 
FreeMarker: " + e, MODULE);
         }
-        
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+        String templateClassResolver = 
UtilProperties.getPropertyValue("security", "templateClassResolver", 
+                "SAFER_RESOLVER");
+        try {
+            newConfig.setNewBuiltinClassResolver((TemplateClassResolver) 
+                    ClassUtil.forName("freemarker.core.TemplateClassResolver" 
+ templateClassResolver)
+                    .cast(templateClassResolver));
+        } catch (ClassNotFoundException e) {
+            Debug.logError("No TemplateClassResolver." + 
templateClassResolver, MODULE);
+        }
         // Transforms properties file set up as key=transform name, 
property=transform class name
         ClassLoader loader = Thread.currentThread().getContextClassLoader();
         transformsURL(loader).forEach(url -> {
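Review bot: The new resolver lookup can never succeed: `ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)` asks for a class named e.g. `freemarker.core.TemplateClassResolverSAFER_RESOLVER`, but SAFER_RESOLVER and UNRESTRICTED_RESOLVER are static constants of the TemplateClassResolver interface, not classes, and even if a class were found, `.cast(templateClassResolver)` is handed the property String rather than a resolver instance. So ClassNotFoundException is logged, setNewBuiltinClassResolver is never called, and the Configuration keeps FreeMarker's own default, which as far as I recall is the unrestricted resolver unless incompatible_improvements changes it; the commit therefore replaces the hard-coded SAFER_RESOLVER with effectively no restriction, the opposite of its intent. Map the property value explicitly to the interface constants and fail closed to SAFER_RESOLVER on an unrecognised value, as in the fence below; the `ClassUtil` import added in the previous hunk then becomes unused. makeConfiguration starts before and continues after this hunk.
```java
        String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
                "SAFER_RESOLVER");
        TemplateClassResolver resolver;
        switch (templateClassResolver) {
        case "UNRESTRICTED_RESOLVER":
            resolver = TemplateClassResolver.UNRESTRICTED_RESOLVER;
            break;
        case "ALLOWS_NOTHING_RESOLVER":
            resolver = TemplateClassResolver.ALLOWS_NOTHING_RESOLVER;
            break;
        case "SAFER_RESOLVER":
            resolver = TemplateClassResolver.SAFER_RESOLVER;
            break;
        default:
            // Unknown or misspelled value: fail closed instead of leaving FreeMarker's default in place.
            Debug.logError("Unknown security.properties templateClassResolver '" + templateClassResolver
                    + "', falling back to SAFER_RESOLVER", MODULE);
            resolver = TemplateClassResolver.SAFER_RESOLVER;
        }
        newConfig.setNewBuiltinClassResolver(resolver);
        // … unchanged: transforms property loading …
```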
diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index 52fbf08..d3b32d2 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -185,3 +185,12 @@ csrf.entity.request.limit=
 # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy 
 # -- if you need to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
+
+
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any 
of the Freemarker classes 
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and 
JythonRuntime. 
+# -- If you need to use one to these classes you need to change the 
TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases 
better read 
+# -- 
https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver=
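Review bot: The new comment never states which values `templateClassResolver` accepts, so an operator has to read FreeMarkerWorker to learn that the value is meant to name a TemplateClassResolver constant; add a line such as `# -- Accepted values: SAFER_RESOLVER (default when empty), UNRESTRICTED_RESOLVER` directly above the key, and say what happens on an unrecognised value. Two wording fixes in the same comment: `one to these classes` → `one of these classes`, and `In any cases better read` → `In any case, better read`. Whether an empty value really yields SAFER_RESOLVER depends on UtilProperties.getPropertyValue treating "" as absent, which is not visible in this commit and is worth confirming before relying on it as the secure default.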
