Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improved: Allow to use GroovyDsl in FlexibleStringExpander (OFBIZ-13133) #839

Open
wants to merge 10 commits into
base: trunk
Choose a base branch
from

Conversation

nmalin
Copy link
Contributor

@nmalin nmalin commented Oct 10, 2024

Second improvement on this functionality with increase the security by analyse each script to control the presence of potential code injection.

The regexp to control is a property: security.deniedScriptletsTokens.
If a script match the regexp, OFBiz raise in log an alert with the script and the script hash. The script is disabled and can't run.

If you have a safe script who is matched by the regexp, you can add the hash given by OFBiz on the property: security.allowedScriptletHashes

Second improvement on this functionality with increase the security by analyse each script to control the presence of potential code injection.

The regexp to control is a property: security.deniedScriptletsTokens.
If a script match the regexp, OFBiz raise in log an alert with the script and the script hash. The script is disabled and can't run.

If you have a safe script who is matched by the regexp, you can add the hash given by OFBiz on the property: security.allowedScriptletHashes
@nmalin nmalin requested a review from gilPts October 10, 2024 12:17

/**
* Load the list of script exception that we autorise to run despite the security risk
* @return Pattern init by the regExp security.deniedScriptletsTokens
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* @return Pattern init by the regExp security.deniedScriptletsTokens
* @return Pattern init by the regExp security.allowedScriptletHashes

Copy link

sonarcloud bot commented Oct 17, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants