[ofbiz-framework] branch trunk updated (e3e12ee -> 11905d8)

[ofbiz-framework] branch trunk updated (e3e12ee -> 11905d8)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from e3e12ee  Improved: No need to specify externalKeyParam in ofbizUrl calls (OFBIZ-11711)
     new a6e8b05  Improved: Prevent FreeMarker Template Injection (SSTI)
     new 11905d8  Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../groovyScripts/content/ContentServices.groovy     | 20 +++++++++++++++++++-
 .../content/minilang/content/ContentServices.xml     | 13 -------------
 applications/content/servicedef/services_content.xml |  4 ++--
 .../ofbiz/base/util/template/FreeMarkerWorker.java   | 11 ++++++++++-
 framework/security/config/security.properties        |  9 +++++++++
 5 files changed, 40 insertions(+), 17 deletions(-)

[ofbiz-framework] 01/02: Improved: Prevent FreeMarker Template Injection (SSTI)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a6e8b05135f07a6c6aa383e0d0bd4226a46f9c7e
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon May 18 12:06:28 2020 +0200

    Improved: Prevent FreeMarker Template Injection (SSTI)
   
    (OFBIZ-11709)
   
    Some people may want to use another TemplateClassResolver than SAFER_RESOLVER.
    This creates a new templateClassResolver security property and uses it in
    FreeMarkerWorker::makeConfiguration by default.
---
 .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++++++++++-
 framework/security/config/security.properties                 |  9 +++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6cae5aa..56b2eee 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -65,6 +65,7 @@ import freemarker.template.TemplateHashModel;
 import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
 
 /**
  * FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -126,7 +127,15 @@ public final class FreeMarkerWorker {
         } catch (TemplateException e) {
             Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE);
         }
-        newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+        String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+                "SAFER_RESOLVER");
+        try {
+            newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
+                    ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
+                    .cast(templateClassResolver));
+        } catch (ClassNotFoundException e) {
+            Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+        }
         // Transforms properties file set up as key=transform name, property=transform class name
         ClassLoader loader = Thread.currentThread().getContextClassLoader();
         transformsURL(loader).forEach(url -> {
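Review bot: the resolver lookup in makeConfiguration cannot succeed as written, so the intended SAFER_RESOLVER default is silently lost. `ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)` builds the name `freemarker.core.TemplateClassResolverSAFER_RESOLVER` (no dot), and SAFER_RESOLVER is a static constant on the TemplateClassResolver interface, not a class, so forName throws ClassNotFoundException on every call; the catch only logs, and `newConfig` keeps FreeMarker's own default, UNRESTRICTED_RESOLVER, which is weaker than the `setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER)` line this replaces. `.cast(templateClassResolver)` would also fail, since it casts the String property value rather than a resolver instance. Suggest mapping the property to the constants explicitly, e.g. `"UNRESTRICTED_RESOLVER".equals(templateClassResolver) ? TemplateClassResolver.UNRESTRICTED_RESOLVER : TemplateClassResolver.SAFER_RESOLVER` (or `TemplateClassResolver.class.getField(templateClassResolver).get(null)`), and falling back to SAFER_RESOLVER in the error path instead of leaving the configuration unset; a unit test asserting that the default configuration carries SAFER_RESOLVER would have caught this. Also worth confirming that `UtilProperties.getPropertyValue` treats the empty `templateClassResolver=` shipped in security.properties as absent and returns the "SAFER_RESOLVER" default.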
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 52fbf08..d3b32d2 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -185,3 +185,12 @@ csrf.entity.request.limit=
 # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy
 # -- if you need to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
+
+
+# -- Freemarker TemplateClassResolver option, see OFBIZ-11709.
+# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes
+# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime.
+# -- If you need to use one to these classes you need to change the TemplateClassResolver
+# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read
+# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security
+templateClassResolver=
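Review bot: the comment line `# -- If you need to use one to these classes` should read "one of these classes", and "In any cases" should be "In any case". It would also help to list the accepted values next to the empty `templateClassResolver=` (FreeMarker defines SAFER_RESOLVER, UNRESTRICTED_RESOLVER and ALLOWS_NOTHING_RESOLVER) and to state that leaving it blank means the code default SAFER_RESOLVER, since the comment says OFBiz uses SAFER_RESOLVER by default while the property itself is empty.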

[ofbiz-framework] 02/02: Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 11905d82f5aa6fb06894e82b1ff83538ee15845d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon May 18 13:25:35 2020 +0200

    Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL
   
    (OFBIZ-11366)
   
    jleroux: I had to slightly rewrite the patch, mostly the Groovy part (see
    comment in Jira)
   
    Thanks: Devanshu Vyas for the initial patch
---
 .../groovyScripts/content/ContentServices.groovy     | 20 +++++++++++++++++++-
 .../content/minilang/content/ContentServices.xml     | 13 -------------
 applications/content/servicedef/services_content.xml |  4 ++--
 3 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/applications/content/groovyScripts/content/ContentServices.groovy b/applications/content/groovyScripts/content/ContentServices.groovy
index d860b19..4ecc039 100644
--- a/applications/content/groovyScripts/content/ContentServices.groovy
+++ b/applications/content/groovyScripts/content/ContentServices.groovy
@@ -17,14 +17,19 @@
  * under the License.
  */
 
-import org.apache.ofbiz.base.util.Debug
+import java.sql.Timestamp
+
 import org.apache.ofbiz.common.UrlServletHelper
 import org.apache.ofbiz.entity.condition.EntityCondition
 import org.apache.ofbiz.entity.condition.EntityOperator
+import org.apache.ofbiz.entity.GenericValue
 import org.apache.ofbiz.entity.util.EntityListIterator
 import org.apache.ofbiz.service.GenericServiceException;
+
 import org.apache.ofbiz.service.ModelService
 import org.apache.ofbiz.service.ServiceUtil
+import org.apache.ofbiz.base.util.Debug
+import org.apache.ofbiz.base.util.UtilDateTime
 
 MODULE = "ContentServices.groovy"
 def createTextAndUploadedContent(){
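Review bot: `import java.sql.Timestamp` is added but nothing in this change declares a Timestamp (the new method passes `UtilDateTime.nowTimestamp()` straight into `put`), so it is an unused import and should be dropped. The import list also loses its grouping: `org.apache.ofbiz.base.util.Debug` moves from the top to below the `org.apache.ofbiz.service.*` imports and a stray blank line is inserted before `ModelService`; keeping the `base.util` imports together at the top, as before, would avoid the churn.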
@@ -48,6 +53,19 @@ def createTextAndUploadedContent(){
     return result
 }
 
+def deactivateAllContentRoles() {
+    List contentRoles = from("ContentRole").
+            where("contentId", parameters.contentId, "partyId", parameters.partyId, "roleTypeId", parameters.roleTypeId)
+            .queryList();
+    if (contentRoles) {
+        for (GenericValue contentRole : contentRoles) {
+            contentRole.put("thruDate", UtilDateTime.nowTimestamp());
+            contentRole.store();
+        }
+    }
+    return success()
+}
+
 def createContentAlternativeUrl() {
     //create Content Alternative URLs.
     String contentCreated
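Review bot: `where("contentId", parameters.contentId, "partyId", parameters.partyId, "roleTypeId", parameters.roleTypeId)` changes behaviour when a parameter is absent: the removed mini-lang built the lookup map with `<set>`, which skips null values, so a missing partyId or roleTypeId was simply not part of the filter, whereas passing null into `where` adds an `IS NULL` condition and matches a different set of rows. If those attributes are optional in services_content.xml (only `contentId` is visible as `optional="false"`), build the condition map from the non-null parameters only, or make both attributes required. Minor: the `if (contentRoles)` guard is redundant since the for loop over an empty list does nothing, and the trailing semicolons on `.queryList();` and `contentRole.store();` are inconsistent with the semicolon-free `return success()` and the rest of the file.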
diff --git a/applications/content/minilang/content/ContentServices.xml b/applications/content/minilang/content/ContentServices.xml
index 696d7ee..b8e451b 100644
--- a/applications/content/minilang/content/ContentServices.xml
+++ b/applications/content/minilang/content/ContentServices.xml
@@ -164,19 +164,6 @@
 
     <!-- Methods for ContentRole -->
 
-    <simple-method method-name="deactivateAllContentRoles" short-description="Update Content Role">
-        <make-value entity-name="ContentRole" value-field="lookupKeyValue"/>
-        <set from-field="parameters.contentId" field="lookupKeyValue.contentId"/>
-        <set from-field="parameters.partyId" field="lookupKeyValue.partyId"/>
-        <set from-field="parameters.roleTypeId" field="lookupKeyValue.roleTypeId"/>
-        <find-by-and entity-name="ContentRole" map="lookupKeyValue" list="roleList"/>
-        <iterate list="roleList" entry="contentRoleMap">
-            <make-value entity-name="ContentRole" value-field="role" map="contentRoleMap"/>
-            <now-timestamp field="role.thruDate"/>
-            <store-value value-field="role"/>
-        </iterate>
-    </simple-method>
-
     <simple-method method-name="updateSingleContentPurpose" short-description="Updates the purpose making sure there is only one">
         <set field="toRemove.contentId" from-field="parameters.contentId"/>
         <remove-by-and entity-name="ContentPurpose" map="toRemove"/>
diff --git a/applications/content/servicedef/services_content.xml b/applications/content/servicedef/services_content.xml
index 87be490..ee931fa 100644
--- a/applications/content/servicedef/services_content.xml
+++ b/applications/content/servicedef/services_content.xml
@@ -319,8 +319,8 @@
         <auto-attributes include="pk" mode="IN" optional="false"/>
         <auto-attributes include="nonpk" mode="IN" optional="true"/>
     </service>
-    <service name="deactivateAllContentRoles" engine="simple" default-entity-name="ContentRole" auth="true"
-            location="component://content/minilang/content/ContentServices.xml" invoke="deactivateAllContentRoles">
+    <service name="deactivateAllContentRoles" engine="groovy" default-entity-name="ContentRole" auth="true"
+             location="component://content/groovyScripts/content/ContentServices.groovy" invoke="deactivateAllContentRoles">
         <description>Deactivate all ContentRoles</description>
         <permission-service service-name="genericContentPermission" main-action="UPDATE"/>
         <attribute mode="IN" name="contentId" optional="false" type="String">
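Review bot: the new `location=` continuation line is indented one space further than the line it replaces (13 spaces after the `+` instead of 12), so it no longer aligns with the surrounding service definitions; please align it with the previous indentation.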