[ofbiz-framework] branch release18.12 updated: Fixed: Prevent arbitary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 792f457  Fixed: Prevent arbitary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)
792f457 is described below

commit 792f45773fd062fe1f57f5b1af9da9e65637ec54
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Nov 16 14:07:58 2020 +0100

    Fixed: Prevent arbitary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)
   
    Shuibo Ye <[hidden email]> reported a possible arbitary file write using
    webtools/control/EntitySQLProcessor.
   
        In the "SQL Command" part, I create a table and insert some strings and
        export the table to a file one sentence at a time.
        PoC: CREATE TABLE "test" (string VARCHAR(80))
        INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
        call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
   
        After executing the three sentences,I successfully write the file and its url
        is https://localhost:8443/webtools/default.jsp.
   
    I fixed it preventing execution on SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP, more
    could be added if necessary
---
 .../webtools/groovyScripts/entity/EntitySQLProcessor.groovy      | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy b/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
index c85fed2..b5259b7 100644
--- a/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
+++ b/framework/webtools/groovyScripts/entity/EntitySQLProcessor.groovy
@@ -64,6 +64,15 @@ if (sqlCommand && selGroup) {
                 rs.close()
             }
         } else {
+            if (sqlCommand.toUpperCase().contains("SYSCS_UTIL.SYSCS_EXPORT_TABLE")
+                    || sqlCommand.toUpperCase().contains("JSP")) {
+                context.resultMessage = "Not executed for security reason"
+                context.groups = groups
+                context.columns = columns
+                context.records = records
+                context.sqlCommand = sqlCommand
+                return
+            }
             du.prepareStatement(sqlCommand)
             numOfAffectedRows = du.executeUpdate()
             resultMessage = "Affected $numOfAffectedRows rows."