Posted to user@velocity.apache.org by "Treague, Keith" <Ke...@merrillcorp.com> on 2010/03/30 22:59:08 UTC

Should I use velocity?

I'm looking for a templating engine that can take a set of data I give it, put it into an html template, and then I'll either return that to a web browser or send that out as an e-mail. The catch is I want my users to be able to edit the template itself.

My concern is if they are editing the template, is there any way they can create a malicious template that will execute malicious code on the server such as calling various services on the server to get unauthorized info or grant themselves additional access? If you can execute arbitrary java methods from a template I can't use it. Any input I'd appreciate!

(sorry if you get this twice, the first time I sent it I wasn't subscribed yet)

RE: Should I use velocity?

Posted by "Treague, Keith" <Ke...@merrillcorp.com>.
Very good stuff but I do still have some questions. The wiki page mentions my exact scenario in the "Working with Untrusted HTML Template Designers" section. 

It refers to a patch to be able to restrict included templates using the #include and #parse which was to be released in version 1.5, and a patch to restrict the ability to call getClassLoader which was to be released in version 1.6. Did these make it into velocity? (wiki should probably be updated)

I also saw that Alexander said "Yes. User could execute arbitrary java methods from a template." 


It sounds like if I create a simple bean, give only that to the velocity context, disable the "getClassLoader" method, and listen to include & parse events to restrict included templates, then I should be pretty secure to handle templates from external users. Is that correct?

Thank you all for the useful information.

-----Original Message-----
From: Nathan Bubna [mailto:nbubna@gmail.com] 
Sent: Tuesday, March 30, 2010 4:29 PM
To: Velocity Users List
Subject: Re: Should I use velocity?

http://wiki.apache.org/velocity/BuildingSecureWebApplications

On Tue, Mar 30, 2010 at 1:59 PM, Treague, Keith
<Ke...@merrillcorp.com> wrote:
> I'm looking for a templating engine that can take a set of data I give it, put it into an html template, and then I'll either return that to a web browser or send that out as an e-mail. The catch is I want my users to be able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can create a malicious template that will execute malicious code on the server such as calling various services on the server to get unauthorized info or grant themselves additional access? If you can execute arbitrary java methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed yet)
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@velocity.apache.org
For additional commands, e-mail: user-help@velocity.apache.org




Re: Should I use velocity?

Posted by Nathan Bubna <nb...@gmail.com>.
http://wiki.apache.org/velocity/BuildingSecureWebApplications

On Tue, Mar 30, 2010 at 1:59 PM, Treague, Keith
<Ke...@merrillcorp.com> wrote:
> I'm looking for a templating engine that can take a set of data I give it, put it into an html template, and then I'll either return that to a web browser or send that out as an e-mail. The catch is I want my users to be able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can create a malicious template that will execute malicious code on the server such as calling various services on the server to get unauthorized info or grant themselves additional access? If you can execute arbitrary java methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed yet)
>



Re: Should I use velocity?

Posted by Adrian Tarau <ad...@gmail.com>.
Hi Keith,

Just do not publish anything dangerous in your context and you are safe, 
push in only immutable objects.

On 03/30/2010 05:02 PM, Alexander Krasnukhin wrote:
> Yes. User could execute arbitrary java methods from a template.
>
> On 31 March 2010 03:59, Treague, Keith<Ke...@merrillcorp.com>wrote:
>
>> I'm looking for a templating engine that can take a set of data I give it,
>> put it into an html template, and then I'll either return that to a web
>> browser or send that out as an e-mail. The catch is I want my users to be
>> able to edit the template itself.
>>
>> My concern is if they are editing the template, is there any way they can
>> create a malicious template that will execute malicious code on the server
>> such as calling various services on the server to get unauthorized info or
>> grant themselves additional access? If you can execute arbitrary java
>> methods from a template I can't use it. Any input I'd appreciate!
>>
>> (sorry if you get this twice, the first time I sent it I wasn't subscribed
>> yet)
>>
>
>




Re: Should I use velocity?

Posted by jian chen <ch...@gmail.com>.
Hi, Keith,

I think what you mentioned should be ok. Looking at your scenario again, I
think you probably just need to pass the data wrapped in objects, something
like a DTO (data transfer objects). So, just getter methods for the object,
that's sufficient.

Cheers,

Jian
SimpleWiki in Java and Velocity
http://www.jiansnet.com/services/simplewiki.html


On Tue, Mar 30, 2010 at 2:18 PM, ChadDavis <ch...@gmail.com>wrote:

> On Tue, Mar 30, 2010 at 3:11 PM, jian chen <ch...@gmail.com> wrote:
> > Sounds like a perfect match for Velocity template engine.
> >
> > I guess you want to make sure the objects passed into the template won't
> > have any methods that the user would execute that could cause damage.
> >
>
> Are there any secrets here?  Or is it as simple as:
>
> 1) only objects that are put in context
> 2) only public methods
> 3) anything else?
>
>

Re: Should I use velocity?

Posted by ChadDavis <ch...@gmail.com>.
On Tue, Mar 30, 2010 at 3:11 PM, jian chen <ch...@gmail.com> wrote:
> Sounds like a perfect match for Velocity template engine.
>
> I guess you want to make sure the objects passed into the template won't
> have any methods that the user would execute that could cause damage.
>

Are there any secrets here?  Or is it as simple as:

1) only objects that are put in context
2) only public methods
3) anything else?


> But, overall, I'd recommend Velocity for your purpose.
>
> Jian
> SimpleWiki in Java and Velocity
> http://www.jiansnet.com/services/simplewiki.html
>
>
> On Tue, Mar 30, 2010 at 2:02 PM, Alexander Krasnukhin <the.malkolm@gmail.com
>> wrote:
>
>> Yes. User could execute arbitrary java methods from a template.
>>
>> On 31 March 2010 03:59, Treague, Keith <Keith.Treague@merrillcorp.com
>> >wrote:
>>
>> > I'm looking for a templating engine that can take a set of data I give
>> it,
>> > put it into an html template, and then I'll either return that to a web
>> > browser or send that out as an e-mail. The catch is I want my users to be
>> > able to edit the template itself.
>> >
>> > My concern is if they are editing the template, is there any way they can
>> > create a malicious template that will execute malicious code on the
>> server
>> > such as calling various services on the server to get unauthorized info
>> or
>> > grant themselves additional access? If you can execute arbitrary java
>> > methods from a template I can't use it. Any input I'd appreciate!
>> >
>> > (sorry if you get this twice, the first time I sent it I wasn't
>> subscribed
>> > yet)
>> >
>>
>>
>>
>> --
>> Regards,
>> Alexander
>>
>



Re: Should I use velocity?

Posted by jian chen <ch...@gmail.com>.
Sounds like a perfect match for Velocity template engine.

I guess you want to make sure the objects passed into the template won't
have any methods that the user would execute that could cause damage.

But, overall, I'd recommend Velocity for your purpose.

Jian
SimpleWiki in Java and Velocity
http://www.jiansnet.com/services/simplewiki.html


On Tue, Mar 30, 2010 at 2:02 PM, Alexander Krasnukhin <the.malkolm@gmail.com
> wrote:

> Yes. User could execute arbitrary java methods from a template.
>
> On 31 March 2010 03:59, Treague, Keith <Keith.Treague@merrillcorp.com
> >wrote:
>
> > I'm looking for a templating engine that can take a set of data I give
> it,
> > put it into an html template, and then I'll either return that to a web
> > browser or send that out as an e-mail. The catch is I want my users to be
> > able to edit the template itself.
> >
> > My concern is if they are editing the template, is there any way they can
> > create a malicious template that will execute malicious code on the
> server
> > such as calling various services on the server to get unauthorized info
> or
> > grant themselves additional access? If you can execute arbitrary java
> > methods from a template I can't use it. Any input I'd appreciate!
> >
> > (sorry if you get this twice, the first time I sent it I wasn't
> subscribed
> > yet)
> >
>
>
>
> --
> Regards,
> Alexander
>

Re: Should I use velocity?

Posted by Will Glass-Husain <wg...@gmail.com>.
Hi,

All of this only applies if you have untrusted users uploading templates.
If you are writing templates, no problem.  But if other users upload
templates to your system, you need to be careful.

Template authors may call methods on any object you put in the context.
This is very convenient but means you have to be careful about your
objects.  Best practice is to wrap objects and provide only Get methods for
the specific properties.  I think the SecurityManager advice is overkill.

You may see references in that article or in the list to an older problem in
which you could call ClassLoader related methods, instantiate a class, then
call arbitrary methods on arbitrary objects.  That bug has been long fixed
with the introduction of the SecureIntrospector which restricts class loader
related method calls.

WILL

On Wed, Mar 31, 2010 at 7:31 AM, sebb <se...@gmail.com> wrote:

> The Wiki page
>
> http://wiki.apache.org/velocity/BuildingSecureWebApplications
>
> has some good advice:
>
> "It's good practice to configure a Java Security Manager to restrict
> access to files (outside of the web tree and template paths) and
> dangerous methods such as System.exit() and getClassLoader. "
>
>
> On 31/03/2010, Alexander Krasnukhin <th...@gmail.com> wrote:
> > Yep, I did mean invoke any public method for any object in context. So do
> as
> >  somebody already said - pass immutable objects to prevent malicious
> actions
> >  from custom template e.g. it isn't a good decision to pass 'alive'
> business
> >  object as is to Velocity context.
> >
> >
> >  On 31 March 2010 05:25, ChadDavis <ch...@gmail.com> wrote:
> >
> >  > On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> >  > <Ke...@merrillcorp.com> wrote:
> >  > > Can you please elaborate how?
> >  > >
> >  >
> >  > I don't think he means arbitrary exactly, but the Velocity Template
> >  > Language allows you to invoke methods, like myObject.myMethod().  So,
> >  > any object in the velocity context is subject to any of its public
> >  > methods being invoked.
> >  >
> >  >
> >  >
> >
> >
> >
> > --
> >  Regards,
> >
> > Alexander
> >
>
>
>

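Keith's plan above (bean with getters only in the context, getClassLoader disabled, #include/#parse restricted by an event handler) and Will's advice on wrapping objects and relying on the SecureIntrospector, put together as added example code that is not from this thread or from the Velocity project. It assumes the Velocity 1.6/1.7 API (SecureUberspector, the three-argument IncludeEventHandler) and a hypothetical UserView class and include allow-list.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

public class UntrustedTemplateDemo {

    /** Hypothetical read-only view handed to the template: getters only, never the live business object. */
    public static final class UserView {
        private final String name;
        private final String email;
        public UserView(String name, String email) { this.name = name; this.email = email; }
        public String getName() { return name; }
        public String getEmail() { return email; }
    }

    /** Allow-list for #include / #parse: a path not on the list resolves to null and is skipped. */
    static final class AllowListIncludes implements IncludeEventHandler {
        private final Set<String> allowed =
            new HashSet<String>(Arrays.asList("header.vm", "footer.vm")); // assumed names
        public String includeEvent(String includePath, String currentPath, String directive) {
            return allowed.contains(includePath) ? includePath : null;
        }
    }

    public static String render(String untrustedTemplate, UserView user) throws IOException {
        VelocityEngine engine = new VelocityEngine();
        // SecureUberspector refuses getClassLoader() and other calls on the restricted classes
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME, SecureUberspector.class.getName());
        engine.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("user", user);   // only the immutable view goes into the context
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new AllowListIncludes());
        cartridge.attachToContext(ctx);   // the handler now applies to every render with this context
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "untrusted-template", untrustedTemplate);
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample of a user-edited template: the second line probes the class loader
        // and should be refused by SecureUberspector (logged and left unresolved in the output).
        String tpl = "Hello $user.name <$user.email>\n$user.class.classLoader\n";
        System.out.println(render(tpl, new UserView("Keith", "keith@example.com")));
    }
}
```
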
Re: Should I use velocity?

Posted by sebb <se...@gmail.com>.
The Wiki page

http://wiki.apache.org/velocity/BuildingSecureWebApplications

has some good advice:

"It's good practice to configure a Java Security Manager to restrict
access to files (outside of the web tree and template paths) and
dangerous methods such as System.exit() and getClassLoader. "


On 31/03/2010, Alexander Krasnukhin <th...@gmail.com> wrote:
> Yep, I did mean invoke any public method for any object in context. So do as
>  somebody already said - pass immutable objects to prevent malicious actions
>  from custom template e.g. it isn't a good decision to pass 'alive' business
>  object as is to Velocity context.
>
>
>  On 31 March 2010 05:25, ChadDavis <ch...@gmail.com> wrote:
>
>  > On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
>  > <Ke...@merrillcorp.com> wrote:
>  > > Can you please elaborate how?
>  > >
>  >
>  > I don't think he means arbitrary exactly, but the Velocity Template
>  > Language allows you to invoke methods, like myObject.myMethod().  So,
>  > any object in the velocity context is subject to any of its public
>  > methods being invoked.
>  >
>  >
>  >
>
>
>
> --
>  Regards,
>
> Alexander
>



Re: Should I use velocity?

Posted by Alexander Krasnukhin <th...@gmail.com>.
Yep, I did mean invoke any public method for any object in context. So do as
somebody already said - pass immutable objects to prevent malicious actions
from custom template e.g. it isn't a good decision to pass 'alive' business
object as is to Velocity context.

On 31 March 2010 05:25, ChadDavis <ch...@gmail.com> wrote:

> On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
> <Ke...@merrillcorp.com> wrote:
> > Can you please elaborate how?
> >
>
> I don't think he means arbitrary exactly, but the Velocity Template
> Language allows you to invoke methods, like myObject.myMethod().  So,
> any object in the velocity context is subject to any of its public
> methods being invoked.
>
>
>


-- 
Regards,
Alexander

Re: Should I use velocity?

Posted by ChadDavis <ch...@gmail.com>.
On Tue, Mar 30, 2010 at 4:22 PM, Treague, Keith
<Ke...@merrillcorp.com> wrote:
> Can you please elaborate how?
>

I don't think he means arbitrary exactly, but the Velocity Template
Language allows you to invoke methods, like myObject.myMethod().  So,
any object in the velocity context is subject to any of its public
methods being invoked.



RE: Should I use velocity?

Posted by "Treague, Keith" <Ke...@merrillcorp.com>.
Can you please elaborate how?

-----Original Message-----
From: Alexander Krasnukhin [mailto:the.malkolm@gmail.com] 
Sent: Tuesday, March 30, 2010 4:02 PM
To: Velocity Users List
Subject: Re: Should I use velocity?

Yes. User could execute arbitrary java methods from a template.

On 31 March 2010 03:59, Treague, Keith <Ke...@merrillcorp.com>wrote:

> I'm looking for a templating engine that can take a set of data I give it,
> put it into an html template, and then I'll either return that to a web
> browser or send that out as an e-mail. The catch is I want my users to be
> able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can
> create a malicious template that will execute malicious code on the server
> such as calling various services on the server to get unauthorized info or
> grant themselves additional access? If you can execute arbitrary java
> methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed
> yet)
>



-- 
Regards,
Alexander



Re: Should I use velocity?

Posted by Alexander Krasnukhin <th...@gmail.com>.
Yes. User could execute arbitrary java methods from a template.

On 31 March 2010 03:59, Treague, Keith <Ke...@merrillcorp.com>wrote:

> I'm looking for a templating engine that can take a set of data I give it,
> put it into an html template, and then I'll either return that to a web
> browser or send that out as an e-mail. The catch is I want my users to be
> able to edit the template itself.
>
> My concern is if they are editing the template, is there any way they can
> create a malicious template that will execute malicious code on the server
> such as calling various services on the server to get unauthorized info or
> grant themselves additional access? If you can execute arbitrary java
> methods from a template I can't use it. Any input I'd appreciate!
>
> (sorry if you get this twice, the first time I sent it I wasn't subscribed
> yet)
>



-- 
Regards,
Alexander