[ofbiz-framework] branch release18.12 updated: Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 0b26b91  Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
0b26b91 is described below

commit 0b26b9155f02d54c97428bfab5b68b268356a2c0
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Nov 13 09:34:49 2020 +0100

    Improved: Prevent possible post-auth RCE from webtools/control/ProgramExport (OFBIZ-12055)
   
    This was reported to the security team by Shuibo Ye <[hidden email]>.
    We did not create a CVE because it's a post-auth "vulnerability".
   
    Thanks: Shuibo Ye
---
 framework/webtools/groovyScripts/entity/ProgramExport.groovy | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/framework/webtools/groovyScripts/entity/ProgramExport.groovy b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
index d1e59eb..41d29e6 100644
--- a/framework/webtools/groovyScripts/entity/ProgramExport.groovy
+++ b/framework/webtools/groovyScripts/entity/ProgramExport.groovy
@@ -46,7 +46,7 @@ EntityFindOptions findOptions = new EntityFindOptions()
 findOptions.setMaxRows(3)
 
 List products = delegator.findList("Product", null, null, null, findOptions, false)
-if (products != null) {  
+if (products != null) {
     recordValues.addAll(products)
 }
 
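Review bot: this hunk (and the one at line 93) is a trailing-whitespace-only change with no functional effect; it would be cleaner to keep such cleanup out of a security fix so the commit on release18.12 shows only the behavioural change and is easier to audit and cherry-pick.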
@@ -73,6 +73,13 @@ def shell = new GroovyShell(loader, binding, configuration)
 
 if (UtilValidate.isNotEmpty(groovyProgram)) {
     try {
+        // TODO more can be added...
+        if (groovyProgram.contains("new File")
+                || groovyProgram.contains(".jsp")
+                || groovyProgram.contains("<%=")) {
+            request.setAttribute("_ERROR_MESSAGE_", "Not executed for security reason")
+            return
+        }
         shell.parse(groovyProgram)
         shell.evaluate(groovyProgram)
         recordValues = shell.getVariable("recordValues")
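Review bot: the new guard is a case-sensitive substring denylist of three literals ("new File", ".jsp", "<%="), which the `// TODO more can be added...` comment itself concedes is incomplete; a denylist on source text is a weak control for a feature that hands user input to `GroovyShell.evaluate`, because any file, process or reflection API not listed, or the same call written in another form, still executes. Since `configuration` is already in scope (`def shell = new GroovyShell(loader, binding, configuration)`), the stronger fix is to attach a `SecureASTCustomizer` to that `CompilerConfiguration` via `addCompilationCustomizers` with an allowlist of permitted imports and receivers (`setImportsWhitelist`, `setReceiversWhitelist`, and `setIndirectImportCheckEnabled(true)`), and to keep the endpoint behind an explicit admin permission check. The `_ERROR_MESSAGE_` text "Not executed for security reason" should also read "Not executed for security reasons", and a rejected program is worth logging with the requesting user so the attempt is visible in audit logs.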
@@ -93,5 +100,5 @@ if (UtilValidate.isNotEmpty(groovyProgram)) {
     } catch(Exception e) {
         request.setAttribute("_ERROR_MESSAGE_", e)
         return
-    }
+    }
 }