This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new e46c299 Fixed: Prevent FreeMarker Template Injection (SSTI)
e46c299 is described below
commit e46c29962b507a155233c8fd4e67f99f216229cc
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Sat May 16 20:51:02 2020 +0200
Fixed: Prevent FreeMarker Template Injection (SSTI)
(OFBIZ-11709)
Since FreeMarker 2.3.17, a known solution to these issues is to register a
TemplateClassResolver in the FreeMarker configuration in order to limit which
TemplateModels can be instantiated in the templates. The predefined resolver
SAFER_RESOLVER does not allow instantiating the Execute class[4].
So the solution is to add the line
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
in FreeMarkerWorker.java
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index d1a368b..6cae5aa 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -36,8 +36,8 @@ import java.util.stream.Stream;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
-import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.component.ComponentConfig;
+import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.StringUtil;
import org.apache.ofbiz.base.util.UtilGenerics;
@@ -52,6 +52,7 @@ import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.cache.URLTemplateLoader;
import freemarker.core.Environment;
+import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.BeanModel;
import freemarker.ext.beans.BeansWrapper;
import freemarker.ext.beans.BeansWrapperBuilder;
@@ -125,6 +126,7 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE);
}
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
// Transforms properties file set up as key=transform name, property=transform class name
ClassLoader loader = Thread.currentThread().getContextClassLoader();
transformsURL(loader).forEach(url -> {
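Review bot: The added `setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER)` call is a denylist rather than an allowlist: FreeMarker's SAFER_RESOLVER refuses `?new` only for `Execute`, `ObjectConstructor` and `JythonRuntime`, so any other `TemplateModel` implementation on the classpath can still be instantiated from a template. If the OFBiz templates do not rely on `?new` (not visible from this hunk), `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);` would close that path entirely. Otherwise the line deserves a comment recording the intent, such as `// SSTI hardening (OFBIZ-11709): forbid ?new on Execute/ObjectConstructor/JythonRuntime`. The resolver governs only the `?new` built-in, so what the object wrapper exposes to templates should be reviewed separately. The enclosing method starts and ends outside the hunk.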