XWiki Platform
XWIKI-3967

Allow using Groovy scripts without Programming Rights

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.4, 1.9
    • Fix Version/s: 4.1-milestone-1
    • Component/s: Groovy
    • Labels: None
    • Tests: Unit
    • Difficulty: Unknown
    • Similar issues:
      • XWIKI-7756: Impossible to execute request with query manager on another wiki without programming right
      • XWIKI-8064: Don't protect objects returned by the API when the script has programming right
      • XWIKI-2144: Can't search in another wiki without programming rights
      • XWIKI-1133: New Groovy scripted authentication service
      • XWIKI-5696: SharePage doesn't work without programming rights
      • XWIKI-5041: Allow script authors to load and save documents in their own security context, not the user's.
      • XWIKI-3525: Allow Programming Rights to be checked on the current user when no context document is set

        Activity

        Vincent Massol added a comment -

        Why not simply create a Security Manager? http://java.sun.com/j2se/1.5.0/docs/api/java/lang/SecurityManager.html

        Vincent Massol added a comment -

        See also http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html

        Thomas Mortagne added a comment - edited

        Because a Security Manager will apply not only to the script but also to what the script is calling.

        Vincent Massol added a comment -

        What do we want to protect:

        • no file access (this should be the default - we need to fix all places where we use files)
        • calls to privileged APIs must check for programming rights (checks done at the Java API level)

        Anything else to protect?

        • Do we want to forbid using reflection and constructing classes using Class.forName or ClassLoader?
        • Do we want to forbid using Threads?
        Jerome Velociter added a comment -

        calls to System.*

        Vincent Massol added a comment -

        • We need to protect against calling java libs, i.e. anything not in the JDK (users must only use the variables bound in the script context)
        • no Threads
        • no Reflection to create objects
        Vincent Massol added a comment -

        Pointers for implementation (from Guillaume Laforge):

        • Check "Secure AST Customizer" (available on Slideshare)
        • https://github.com/groovy/groovy-core/blob/master/src/examples/groovyShell/ArithmeticShell.groovy
        • https://github.com/groovy/groovy-core/blob/master/src/examples/groovyShell/ArithmeticShellTest.groovy
        • Useful customizer: Import Customizer would allow injecting imports so that we can automatically inject XWiki imports by default: https://github.com/groovy/groovy-core/blob/master/src/test/org/codehaus/groovy/control/customizers/ImportCustomizerTest.groovy
        • Pass CompilerConfiguration to our GroovyClassLoader instance
        • AST Transformation Customizer allows injecting AST transformations. Would allow us to inject @TimedInterrupt, @ThreadInterrupt or @CustomInterrupt (to stop a script execution after a certain time, after the thread is interrupted, or on our own criteria).

        Vincent Massol added a comment -

        We're getting closer!

        See XCOMMONS-153 and XWIKI-7755

        Vincent Massol added a comment -

        Start of a very first implementation done as part of XWIKI-7759

        Vincent Massol added a comment -

        We can list stuff we want to forbid:

        • Executing System.exit(). Actually, best might be to forbid calling all System methods.
        • No file access
        • Don't create Threads
        • Forbid calling non-JDK libs, including XWiki libs.
        • etc...

        But I think it's much better to list things we want to allow (whitelist) since it's safer:

        • XWiki APIs:
          • com.xpn.xwiki.api package
          • Script Services are bound in the context so no need to have any rule on that
        • java.lang

        And then slowly add more safe stuff when the use cases are found. I'm going to start with this.

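As an added example (not XWiki's code and not part of this issue), here is the whitelist approach from the comment above assembled from the customizers Guillaume Laforge pointed to: SecureASTCustomizer for the import and receiver whitelist, ImportCustomizer to inject the XWiki API import by default, and ASTTransformationCustomizer to inject @TimedInterrupt. It assumes Groovy 2.x (the 1.8-era property names were renamed in Groovy 3) and does not need the XWiki classes on the classpath, since the sample scripts only touch java.lang types.

```groovy
// Added example, not XWiki's own code: a whitelist sandbox for GroovyShell built
// from the pieces named in this thread (SecureASTCustomizer, ImportCustomizer,
// ASTTransformationCustomizer + @TimedInterrupt). Groovy 2.x property names.
import groovy.transform.TimedInterrupt
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.ASTTransformationCustomizer
import org.codehaus.groovy.control.customizers.ImportCustomizer
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

CompilerConfiguration sandboxConfig() {
    def secure = new SecureASTCustomizer()
    secure.with {
        packageAllowed = false
        // Whitelist, not blacklist: only java.lang and the public XWiki API
        // (com.xpn.xwiki.api) may be imported or referenced by name.
        importsWhitelist = []
        starImportsWhitelist = ['java.lang.*', 'com.xpn.xwiki.api.*']
        staticImportsWhitelist = []
        staticStarImportsWhitelist = []
        // Also check classes used without an explicit import (new java.io.File(...)).
        indirectImportCheckEnabled = true
        // Method calls only on these declared receiver types; System, Thread and
        // Class are deliberately absent. Object is required because bound variables
        // (xwiki, doc, script services) and implicit-this calls are untyped.
        // Caveat: this is a compile-time check on declared types, not runtime types.
        receiversClassesWhiteList = [Object, String, Integer, Math]
    }
    // Inject the XWiki API import by default, so scripts need no import of their own.
    def imports = new ImportCustomizer().addStarImports('com.xpn.xwiki.api')
    // Inject @TimedInterrupt(2) into every script class: abort after 2 seconds.
    def timeout = new ASTTransformationCustomizer(value: 2L, TimedInterrupt)
    def config = new CompilerConfiguration()
    // secure is registered before timeout so the whitelist is checked before the
    // interrupt transformation adds its own timing calls to the AST.
    config.addCompilationCustomizers(imports, secure, timeout)
    return config
}

/** Evaluates source under the sandbox; returns the result or the rejection message. */
Object runSandboxed(String source) {
    try {
        return new GroovyShell(new Binding(), sandboxConfig()).evaluate(source)
    } catch (MultipleCompilationErrorsException | SecurityException e) {
        return "REJECTED: ${e.message}"
    }
}

assert runSandboxed("'xwiki'.toUpperCase() + Math.max(2, 3)") == 'XWIKI3'
assert runSandboxed('System.exit(0)').toString().contains('java.lang.System')
assert runSandboxed('new File("/tmp/x").text').toString().contains('java.io.File')
assert runSandboxed('Thread.start { }').toString().contains('java.lang.Thread')
```

The rejections surface as compilation errors, which is the point of the AST approach: a forbidden call never reaches the JVM, so nothing has to be intercepted at run time.
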
        Vincent Massol added a comment -

        First version done! It's very basic ATM and allows almost nothing... We'll work on it progressively from now on to slowly open up allowed stuff.

        To use this:

        • Add in xwiki.properties:
          groovy.compilationCustomizers=secure

        Vincent Massol added a comment -

        Documented at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Configuration#HSecuringGroovyScripts

          People

          • Assignee: Vincent Massol
          • Reporter: Thomas Mortagne
          • Votes: 0
          • Watchers: 3
