Updated test to analyse all scriplet and return all unsafe scriptlet …

…found. Test is true if all scriptlet are safe
apache · Jan 2, 2025 · a4b3e35 · a4b3e35
1 parent df2b501
commit a4b3e35
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 28 deletions.
diff --git a/.../test/groovy/org/apache/ofbiz/base/util/string/FlexibleStringExpanderBaseCodeTests.groovy b/.../test/groovy/org/apache/ofbiz/base/util/string/FlexibleStringExpanderBaseCodeTests.groovy
@@ -19,29 +19,45 @@
 package org.apache.ofbiz.base.util.string
 
 import groovy.io.FileType
-import groovy.xml.XmlSlurper
+import org.apache.ofbiz.base.util.ScriptUtil
 import org.junit.Test
 
+import java.util.regex.MatchResult
+import java.util.regex.Matcher
+import java.util.regex.Pattern
+
 class FlexibleStringExpanderBaseCodeTests {
 
+    Pattern pattern = Pattern.compile('\\$\\{groovy:.*}')
     @Test
     void testEveryGroovyScriptletFromXmlFiles() {
         def filterWidgetXmlFiles = ~/\.\/(framework|application|plugins).*\/widget\/.*(Screens|Menus|Forms)\.xml$/
         new File(".").traverse(type: FileType.FILES, filter: filterWidgetXmlFiles) {it ->
-            parseXmlFile(it)
+            assert parseXmlFile(it).isEmpty()
         }
-        assert false
     }
 
-    String parseXmlFile(File file) {
-        List setWithGroovy = new XmlSlurper().parse(file).findAll { node ->
-            node.name() == 'set' && node.text().contains('groovy:')
-        }.collect()
-
-        if (setWithGroovy){
-            println setWithGroovy.first()
+    /** Resolve all scriptlet on file on retrieve all identity as unsafe
+     *
+     * @param file
+     * @return List unsafe scriptlet
+     */
+    List parseXmlFile(File file) {
+        String text = file.getText()
+        Matcher matcher = pattern.matcher(text)
+        List matchedScriptlet = []
+        for (MatchResult matchResult : matcher.results().toList()) {
+            String scriptlet = text.substring(matchResult.start() + 9, matchResult.end() - 1)
+            if (!ScriptUtil.checkIfScriptIsSafe(scriptlet)) {
+                matchedScriptlet << scriptlet
+            }
         }
-        return ''
+        if (matchedScriptlet) {
+            println "Unsafe scriptlet found on file ${file.getName()} : "
+            println '*************************************'
+            println '* ' + matchedScriptlet.join('\n* ')
+            println '*************************************'
+        }
+        return matchedScriptlet
     }
-
 }
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
@@ -293,22 +293,9 @@ allowedTokens=$SHA$OFBiz$2naHrANKTniFcgLJk4oXr3IRQ48
 #-- RegExp to secure groovy script execution. If the regExp match a script, it would be disabled and OFBiz run nothing.
 #-- In this case, you will have on log the original script with it hash. The hash can be added on allowedScriptletHashes
 #-- properties to accept it on the next execution.
-deniedScriptletsTokens=java\\s*\.|import\\s|embed|process|class|require|\.\\s*.exec|\.\\s*calc\
-|System\\s*\.|\.\\s*codehaus|\.\\s*groovy|\.\\s*runtime\|groovyx\\s*\.\
-|Eval\\s*\.|\\s+File
-
-#-- If you want to deactivate the security control on each groovy script set to false.
-# Warn ensure to be sure on what you do because this can open the door for code injection
-useDeniedScriptletsTokens=true
-
-#-- To accept the execution on some groovy script who match the deniedScriptletsTokens regExp, put their hash here.
-#-- like allowedScriptletHashes={SHA}59f8ab616b3878ddf825ea50c13ce603a3a6c5a9,{SHA}59f5ab516b3878ddf825ea50c13ce603a3a6c5a9
-allowedScriptletHashes=
-
-#-- RegExp to secure groovy script execution. If the regExp match a script, it would be disabled and OFBiz run nothing.
-#-- In this case, you will have on log the original script with it hash. The hash can be added on allowedScriptletHashes
-#-- properties to accept it on the next execution.
-deniedScriptletsTokens=java\.|import|embed|process|class|require|exec|calc
+deniedScriptletsTokens=java\\s*\.|import\\s|embed[^\\w]|process[^\\w]|class[^\\w]|require[^\\w]\
+|\.\\s*.exec.*[\(|\\s]|\.\\s*calc.*[\(|\\s]|\.\\s*.eval.*[\(|\\s]|Eval\\s*\.|\\s+File\
+|System\\s*\.|\.\\s*codehaus|\.\\s*groovy[^:]|\.\\s*runtime\|groovyx\\s*\.
 
 #-- If you want to deactivate the security control on each groovy script set to false.
 # Warn ensure to be sure on what you do because this can open the door for code injection