  1. Share Application
  2. SHA-2350

Investigate and if needed fix MNT-21009 for Share

    Details

    • Type: Task
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 5.2.N
    • Fix Version/s: None
    • Component/s: Share Application
    • Labels:
      None
    • Work Funnel:
      Architecture
    • Sprint:
      Halo
    • Story Points:
      2
    • Work Funnel End:
      2019-11

      Description

       

      An independent researcher has submitted the following information:

      Here is the case. In Alfresco 5.1 (but I guess it is the same in newer versions), there is a protection against Java code execution in Rhino scripts.

      In the initScope method of the RhinoScriptProcessor class, a protection is added if the script comes from a repository node:

      // remove security issue related objects - this ensures the script may not access
      // unsecure java.* libraries or import any other classes for direct access - only
      // the configured root host objects will be available to the script writer

      scope.delete("Packages");
      scope.delete("getClass");
      scope.delete("java");

      I think it is not enough. This kind of code can bypass the protection:

      var list = com.google.common.collect.Lists.newArrayList();
      list.add("C:\\Windows\\System32\\calc.exe");

      companyhome.nodeRef.getClass().forName("java.lang.ProcessBuilder").getConstructors()[0].newInstance(list).start();

      I tried this in a script executed by a rule and it popped a calculator on the Windows server.

      There are other ways to access Java classes, probably through some utilities exposed by one of the many OpenSource libraries embedded in the alfresco webapp.

      Moreover, I think the executeScriptString of the ScriptServiceImpl class, which is considered safe because the script string is given as a parameter, can be called from some script activiti task (dynamic code deployed in the workflow, and not trusted vanilla Alfresco code). Is there a better way to secure Rhino script executions in Alfresco?

      See MNT-21009 for more details.
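
The description asks whether deleting `Packages`, `getClass` and `java` from the scope can be replaced by something stronger. The following is an added example, not Alfresco's code and not part of the researcher's report: it uses Rhino's own `ClassShutter` allowlist so that a script holding a host object cannot walk from it to `java.lang.Class`. It assumes a recent Mozilla Rhino release on the classpath; the class name `ShutteredRhinoDemo`, the `host` variable and the allowlist contents are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;

public class ShutteredRhinoDemo {
    // Constructed allowlist for this demo: the only Java classes scripts may touch.
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList");
    static final ClassShutter ALLOWLIST = ALLOWED::contains;

    // Every Context from this factory carries the shutter before any script runs.
    static final ContextFactory FACTORY = new ContextFactory() {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setClassShutter(ALLOWLIST);
            return cx;
        }
    };

    static String run(String script, Object hostObject) {
        Context cx = FACTORY.enterContext();
        try {
            // Safe scope: no Packages, java or getClass globals to delete afterwards.
            Scriptable scope = cx.initSafeStandardObjects();
            ScriptableObject.putProperty(scope, "host", Context.javaToJS(hostObject, scope));
            return Context.toString(cx.evaluateString(scope, script, "demo.js", 1, null));
        } catch (RhinoException e) {
            // The shutter rejects any class that is not on the allowlist.
            return "blocked: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        ArrayList<String> host = new ArrayList<>();
        host.add("a");
        // Normal use of the exposed host object still works.
        System.out.println(run("host.size()", host));
        // Reflection from the host object stops: java.lang.Class is not on the allowlist.
        System.out.println(run("host.getClass().getName()", host));
    }
}
```

The allowlist has to leave out `java.lang.Class` and any type whose public methods hand out arbitrary classes or objects, because the shutter only decides which classes are visible, not what the methods of a visible class can return.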

       

              People

              • Assignee:
                Unassigned
                Reporter:
                abalmus Alexandru Balmus
              • Votes:
                0
                Watchers:
                2