XWiki Platform

Allow using Groovy scripts without Programming Rights

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.8.4, 1.9
  • Fix Version/s: 4.1-milestone-1
  • Component/s: Groovy
  • Labels:
    None
  • Tests:
    Unit
  • Difficulty:
    Unknown
  • Similar issues:
    XWIKI-7756Impossible to execute request with query manager on another wiki without programming right
    XWIKI-8064Don't protect objects returned by the API when the script has programming right
    XWIKI-2144Can't search in another wiki without programming rights
    XWIKI-1133New Groovy scripted authentication service
    XWIKI-5041Allow script authors to load and save documents in their own security context, not the user's.
    XWIKI-5696SharePage doesn't work without programming rights
    XWIKI-3525Allow Programming Rights to be checked on the current user when no context document is set

Issue Links

depends on

New Feature - A new feature of the product, which has yet to be developed. XWIKI-7755 Add ability to use Compilation Customizers in the Groovy Macro

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct and has been pushed to production. Issues which are not closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. XWIKI-7769 Allow Script Macros to customize their security policy for deciding when they can execute

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct and has been pushed to production. Issues which are not closed can be reopened.
is duplicated by

Improvement - An improvement or enhancement to an existing feature or task. XWIKI-42 Groovy Security Manager

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct and has been pushed to production. Issues which are not closed can be reopened.
is related to

New Feature - A new feature of the product, which has yet to be developed. XWIKI-7759 Prevents System.exit() calls in Groovy scripts from stopping the JVM

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct and has been pushed to production. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Vincent Massol added a comment -

Why not simply create a Security Manager?
http://java.sun.com/j2se/1.5.0/docs/api/java/lang/SecurityManager.html

Show
Vincent Massol added a comment - Why not simply create a Security Manager? http://java.sun.com/j2se/1.5.0/docs/api/java/lang/SecurityManager.html
Hide
Permalink
Vincent Massol added a comment -

See also http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html

Show
Vincent Massol added a comment - See also http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html
Hide
Permalink
Thomas Mortagne added a comment - - edited

Because a Security Manager will not apply only on script but also on what script is calling

Show
Thomas Mortagne added a comment - - edited Because a Security Manager will not apply only on script but also on what script is calling
Hide
Permalink
Vincent Massol added a comment -

What do we want to protect:

  • no file access (this should be the default - we need to fix all places where we use files)
  • calls to privileged apis must check for programming rights (checks done at the java api level)

Anything else to protect?

  • Do we want to forbid using reflection and constructing classes using Class.forName or ClassLoader?
  • Do we want to forbid using Threads?
Show
Vincent Massol added a comment - What do we want to protect: no file access (this should be the default - we need to fix all places where we use files) calls to privileged apis must check for programming rights (checks done at the java api level) Anything else to protect? Do we want to forbid using reflection and constructing classes using Class.forName or ClassLoader? Do we want to forbid using Threads?
Hide
Permalink
Jerome Velociter added a comment -

calls to System.*

Show
Jerome Velociter added a comment - calls to System.*
Hide
Permalink
Vincent Massol added a comment -
  • We need to protect against calling java libs, i.e. anything not in the JDK (users must only use the variables bound in the script context)
  • no Threads
  • no Reflection to create objects
Show
Vincent Massol added a comment - We need to protect against calling java libs, i.e. anything not in the JDK (users must only use the variables bound in the script context) no Threads no Reflection to create objects
Hide
Permalink
Vincent Massol added a comment -

Pointers for implementation (from Guillaume Laforge):

Show
Vincent Massol added a comment - Pointers for implementation (from Guillaume Laforge): Check "Secure AST Customizer" (avail on Slideshare) https://github.com/groovy/groovy-core/blob/master/src/examples/groovyShell/ArithmeticShell.groovy https://github.com/groovy/groovy-core/blob/master/src/examples/groovyShell/ArithmeticShellTest.groovy Useful customizer: Import Customizer would allow to inject imports so that we can automatically inject xwiki imports by default https://github.com/groovy/groovy-core/blob/master/src/test/org/codehaus/groovy/control/customizers/ImportCustomizerTest.groovy Pass CompilerConfiguration to our GroovyClassLoader instance AST Transformation Customizer allows to inject AST transformations. Would allow us to inject @TimedInterrupt, @Threadinterrupt or @CustomInterrupt (allow to stop a script execution after a certain time, after the thread is interrupted or use our own criteria).
Hide
Permalink
Vincent Massol added a comment -

We're getting closer!

See XCOMMONS-153 and XWIKI-7755

Show
Vincent Massol added a comment - We're getting closer! See XCOMMONS-153 and XWIKI-7755
Hide
Permalink
Vincent Massol added a comment -

Start of a very first implementation done as part of XWIKI-7759

Show
Vincent Massol added a comment - Start of a very first implementation done as part of XWIKI-7759
Hide
Permalink
Vincent Massol added a comment -

We can list stuff we want to forbid:

  • Executing System.exit() Actually best might be to forbid calling all System methods.
  • No file access
  • Don't create Threads
  • Forbid calling non JDK libs, including XWiki libs.
  • etc...

But I think it's much better to list things we want to allow (whitelist) since it's safer:

  • XWiki APIs:
    • com.xpn.xwiki.api package
    • Script Services are bound in the context so no need to have any rule on that
  • java.lang

And then slowly add more safe stuff when the use cases are found. I'm going to start with this.

Show
Vincent Massol added a comment - We can list stuff we want to forbid: Executing System.exit() Actually best might be to forbid calling all System methods. No file access Don't create Threads Forbid calling non JDK libs, including XWiki libs. etc... But I think it's much better to list things we want to allow (whitelist) since it's safer: XWiki APIs: com.xpn.xwiki.api package Script Services are bound in the context so no need to have any rule on that java.lang And then slowly add more safe stuff when the use cases are found. I'm going to start with this.
Hide
Permalink
Vincent Massol added a comment -

First version done! It's very basic ATM and allows almost nothing... We'll work on it progressively from now on to slowly open up allowed stuff.

To use this:

  • Add in xwiki.properties: 
    groovy.compilationCustomizers=secure
Show
Vincent Massol added a comment - First version done! It's very basic ATM and allows almost nothing... We'll work on it progressively from now on to slowly open up allowed stuff. To use this: Add in xwiki.properties: groovy.compilationCustomizers=secure
Hide
Permalink
Vincent Massol added a comment -

Documented at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Configuration#HSecuringGroovyScripts

Show
Vincent Massol added a comment - Documented at http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Configuration#HSecuringGroovyScripts

People

  • Assignee:
    Vincent Massol
    Reporter:
    Thomas Mortagne
Vote (0)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved:
    Date of First Response: