Improved: Allow to use GroovyDsl in FlexibleStringExpander (OFBIZ-13133) #839
Conversation
framework/base/src/main/java/org/apache/ofbiz/base/util/ScriptUtil.java
Review comment on the Javadoc of the new method in ScriptUtil.java (as pushed):

    /**
     * Load the list of script exception that we autorise to run despite the security risk
     * @return Pattern init by the regExp security.deniedScriptletsTokens

Suggested change to the @return line:

    -     * @return Pattern init by the regExp security.deniedScriptletsTokens
    +     * @return Pattern init by the regExp security.allowedScriptletHashes
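Review bot: the suggested @return line fixes the property name but leaves the summary line contradicting it: the summary says the method loads "the list of script exception that we autorise to run" (typo for "authorise"), while @return says it returns a Pattern built from the regExp security.allowedScriptletHashes. Suggest rewriting the summary so both lines describe the same thing, e.g. "Compile the hashes of scriptlets allowed to run even though they match security.deniedScriptletsTokens", and fixing "autorise" to "authorise" in the same edit.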
Branch force-pushed from 067b047 to e05afe9.
Second improvement on this functionality, which increases security by analysing each script to check for the presence of potential code injection. The regexp used for the check is a property: security.deniedScriptletsTokens. If a script matches the regexp, OFBiz raises an alert in the log with the script and the script hash. The script is disabled and can't run. If you have a safe script that is matched by the regexp, you can add the hash given by OFBiz to the property: security.allowedScriptletHashes
…Util.java Co-authored-by: Gil Portenseigne <[email protected]>
Improve regexp to support more possible code injections
…found. Test is true if all scriptlets are safe
Branch force-pushed from d84f5a2 to a4b3e35.
…33) (#839) Second improvement on this functionality, which increases security by analysing each script to check for the presence of potential code injection. The regexp used for the check is a property: security.deniedScriptletsTokens. If a script matches the regexp, OFBiz raises an alert in the log with the script and the script hash. The script is disabled and can't run. If you have a safe script that is matched by the regexp, you can add the hash given by OFBiz to the property: security.allowedScriptletHashes. We added a new test that scans all XML files to analyse groovy scriptlets and returns all unsafe scriptlets found. The test will fail if unsafe scriptlets are found. Thanks to Gil Portenseigne and Jacques Le Roux for help and review
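Worked example of the gate the PR description and squash commit message describe: a deny regexp (security.deniedScriptletsTokens) is matched against each groovy scriptlet, a match disables the script and logs it with its hash, and a hash allow-list (security.allowedScriptletHashes) lets an operator re-enable a reviewed script; a scan over XML text then reports the unsafe scriptlets, as the PR's new test does. This is added example code, not OFBiz's ScriptUtil or FlexibleStringExpander: the deny regexp value, the `${groovy: ...}` scriptlet form, the choice of SHA-256 hex as the hash, the class and method names and the sample XML are all assumptions made here for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative scriptlet gate (not OFBiz code): a deny regexp standing in for
 * security.deniedScriptletsTokens plus a hash allow-list standing in for
 * security.allowedScriptletHashes.
 */
public class ScriptletGate {

    // Constructed deny regexp for this example; the real property value is not on the PR page.
    static final String DENIED_TOKENS =
        "(?i)(Runtime\\.getRuntime|ProcessBuilder|Class\\.forName|\\.execute\\(|System\\.exit|\\.getClass\\(|new\\s+File\\b)";

    // Assumed FlexibleStringExpander scriptlet form; nested braces inside the scriptlet are not handled.
    static final Pattern GROOVY_SCRIPTLET = Pattern.compile("\\$\\{groovy:(.*?)\\}", Pattern.DOTALL);

    private final Pattern denied;
    private final Set<String> allowedHashes;

    ScriptletGate(String deniedTokensRegexp, Set<String> allowedHashes) {
        this.denied = Pattern.compile(deniedTokensRegexp);
        this.allowedHashes = allowedHashes;
    }

    /** SHA-256 hex digest of the scriptlet text (the hash algorithm is an assumption of this example). */
    static String hash(String script) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(script.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** True when the script may run: no denied token, or its hash is explicitly allow-listed. */
    boolean isSafe(String script) {
        if (!denied.matcher(script).find()) {
            return true;
        }
        String h = hash(script);
        if (allowedHashes.contains(h)) {
            return true;
        }
        // Same idea as the PR: log the script and its hash so an operator can allow-list it after review.
        System.err.println("Denied scriptlet (hash " + h + "): " + script);
        return false;
    }

    /** Extract the groovy scriptlets from a text such as an XML screen or form definition. */
    static List<String> extractScriptlets(String text) {
        List<String> out = new ArrayList<>();
        Matcher m = GROOVY_SCRIPTLET.matcher(text);
        while (m.find()) {
            out.add(m.group(1).trim());
        }
        return out;
    }

    /** Returns the unsafe scriptlets in the text; an empty list means all scriptlets are safe. */
    List<String> unsafeScriptlets(String text) {
        List<String> unsafe = new ArrayList<>();
        for (String s : extractScriptlets(text)) {
            if (!isSafe(s)) {
                unsafe.add(s);
            }
        }
        return unsafe;
    }

    public static void main(String[] args) {
        // Constructed sample XML: a benign scriptlet, an injection-like one, and one that is allow-listed by hash.
        String xml = "<field name=\"a\"><display description=\"${groovy: parameters.orderId?.toUpperCase()}\"/></field>\n"
            + "<field name=\"b\"><display description=\"${groovy: 'id'.execute().text}\"/></field>\n"
            + "<field name=\"c\"><display description=\"${groovy: new File(tmpDir).exists()}\"/></field>";

        Set<String> allowed = new HashSet<>();
        // An operator reviewed the third scriptlet and added the hash printed by the gate to the allow-list.
        allowed.add(hash("new File(tmpDir).exists()"));

        ScriptletGate gate = new ScriptletGate(DENIED_TOKENS, allowed);
        List<String> unsafe = gate.unsafeScriptlets(xml);
        System.out.println("unsafe scriptlets: " + unsafe);
        System.out.println("all scriptlets safe: " + unsafe.isEmpty());
    }
}
```

Run as written, the scan reports only the `'id'.execute().text` scriptlet: the first one matches no denied token, and the third matches `new File` but its hash is on the allow-list. The allow-list keys on the hash of the exact scriptlet text, so any edit to an allow-listed script makes it fall back to the deny check, which is the property that keeps the allow-list from becoming a blanket exemption.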