An independent researcher has submitted the following information:
Here is the case. In Alfresco 5.1 (but I guess it is the same in newer versions), there is a protection against Java code execution in Rhino scripts.
In the initScope method of the RhinoScriptProcessor class, a protection is added if the script comes from a repository node:
// remove security issue related objects - this ensures the script may not access
// unsecure java.* libraries or import any other classes for direct access - only
// the configured root host objects will be available to the script writer
I think it is not enough. This kind of code can bypass the protection:
var list = com.google.common.collect.Lists.newArrayList();list.add("C:
I tried this in a script executed by a rule and it popped a calculator on the Windows server.
There are other ways to access Java classes, probably through some utilities exposed by one of the many open-source libraries embedded in the Alfresco webapp.
Moreover, I think the executeScriptString of the ScriptServiceImpl class, which is considered safe because the script string is given as parameter, can be called from some script Activiti task (dynamic code deployed in the workflow, and not trusted vanilla Alfresco code). Is there a better way to secure Rhino script executions in Alfresco?
See MNT-21009 for more details.
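On the question of a stronger control than removing objects from the scope: Rhino provides a `ClassShutter` hook that is consulted for every Java class a script names, which allows a deny-by-default allowlist. The sketch below is an added example, not Alfresco's code or the researcher's; the class name `ShutteredRhino`, the allowlist contents and the sample scripts are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutteredRhino {
    // Assumption: the only Java classes repository scripts are allowed to see.
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("java.lang.String", "java.util.HashMap"));

    // Deny by default: Rhino asks the shutter before exposing any Java class by name.
    private static final ClassShutter ALLOWLIST = ALLOWED::contains;

    // Every Context from this factory gets the shutter (it can only be set once per Context).
    private static final ContextFactory FACTORY = new ContextFactory() {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setClassShutter(ALLOWLIST);
            return cx;
        }
    };

    static String run(String script) {
        Context cx = FACTORY.enterContext();
        try {
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "constructed-sample", 1, null);
            return "allowed: " + Context.toString(result);
        } catch (RhinoException e) {
            // A hidden class resolves to a package object, so using it fails here.
            return "blocked: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample scripts: one allowlisted class, one not, via "java" and via "Packages".
        System.out.println(run("new java.util.HashMap().size()"));
        System.out.println(run("new java.util.ArrayList().size()"));
        System.out.println(run("new Packages.java.util.ArrayList().size()"));
    }
}
```

Because the decision is made per class name rather than per global object, the same check applies whichever top-level package name (`java`, `com`, `org`, `Packages`) the script starts from.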