velocity-user mailing list archives

From Ben <benja...@pcguy.org>
Subject Re: using Velocity in an untrusted environment
Date Thu, 06 Apr 2006 22:22:42 GMT
Thanks Will, I appreciate your response.

Two more questions though: in my project the templates are kept inside a 
MySQL database and are loaded from there by a custom class. Does this mean I 
don't have to worry about #include and #parse loading another user's 
templates, since they only load them from a directory on the hard drive?

Also, I don't fully understand the problem of unescaped HTML inside the 
templates. What kind of issues can be expected from that in my case, where 
users are allowed to upload their own templates anyway, or does it only apply 
in a case where they don't have permission to do this?

I'll be happy to share my solution about interrupting the rendering process, 
if I come up with a generic way which can be applied to other projects 
besides mine. Ideally I would like this to be a function of Velocity itself, 
where for every operation it does it would assign some number, which would 
be the cost of that operation, and then the developer would have the ability 
to set the maximum cost, after which Velocity would automatically interrupt 
the rendering process. Another option would be for it to save the starting 
date/time of the rendering process, and then every now and then to check how 
much time has passed, and if the time limit has expired to interrupt the 
rendering process. I am not sure I have sufficient understanding of the 
Velocity source code to do this though. Can anybody who knows the Velocity 
code well tell me if either of these two options is feasible, and if yes, what 
class/classes would I need to modify for this?

Thanks,
Ben
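One way to carry out the second idea above (record when rendering starts, check the elapsed time as the render proceeds, and abort once the limit is passed) without modifying Velocity's internals. This is an added example, not code from Velocity or from anyone in this thread; it assumes an initialised VelocityEngine and its evaluate(Context, Writer, String logTag, String template) method, and the JDK executor API for the timed wait:

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.concurrent.*;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
/** Added example, not Velocity's own code: bound how long an untrusted template may render. */
public class BoundedRender {
    /** Writer wrapper that checks a deadline on every write. Velocity streams output through the
     *  Writer while it renders, so each write is a cooperative stop point; the exception aborts evaluate(). */
    static class DeadlineWriter extends Writer {
        private final Writer out;
        private final long deadline;
        DeadlineWriter(Writer out, long timeoutMillis) {
            this.out = out;
            this.deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        }
        @Override public void write(char[] b, int off, int len) throws IOException {
            if (System.nanoTime() > deadline) throw new IOException("render deadline exceeded");
            out.write(b, off, len);
        }
        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { out.close(); }
    }
    /** Renders templateText on its own thread and gives up after timeoutMillis ("user-template" is only a log tag). */
    public static String render(final VelocityEngine ve, final VelocityContext ctx,
                                final String templateText, long timeoutMillis)
            throws TimeoutException, ExecutionException, InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        final StringWriter buf = new StringWriter();
        final Writer guarded = new DeadlineWriter(buf, timeoutMillis);
        Future<Boolean> job = pool.submit(new Callable<Boolean>() {
            public Boolean call() throws Exception {
                return ve.evaluate(ctx, guarded, "user-template", templateText);
            }
        });
        try {
            job.get(timeoutMillis, TimeUnit.MILLISECONDS); // caller waits at most the limit
            return buf.toString();
        } catch (ExecutionException e) {
            // The DeadlineWriter aborted the render: surface it as a timeout, not a template error.
            for (Throwable c = e.getCause(); c != null; c = c.getCause())
                if (c instanceof IOException) throw new TimeoutException("render deadline exceeded");
            throw e;
        } finally {
            job.cancel(true);   // a template that loops without writing stays busy until its
            pool.shutdownNow(); // next write; a real server should use a bounded shared pool
        }
    }
}
```

The caller gets control back after the limit either way; the writer check is what actually stops a runaway template, since Velocity does not poll the thread's interrupt flag.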

----- Original Message ----- 
From: "Will Glass-Husain" <wglass@forio.com>
To: "Velocity Users List" <velocity-user@jakarta.apache.org>
Sent: Thursday, April 06, 2006 4:39 AM
Subject: Re: using Velocity in an untrusted environment


Hi Ben,

I run a web site with some hundreds of users who upload their own
Velocity templates.  It works pretty well.  We've tried to address
most security-related issues, but so far we've just ignored the
potential DenialOfService issue and haven't had any trouble.

As far as the classloader patch goes, you can put it into a custom
Uberspector and use it right now.  A little complicated, but it works.

Some of the other items in the article have been fixed.  The current
source control head contains an Event Handler which can automatically
escape HTML.  There's also a new event handler that can be used to
modify #include and #parse (say, to prevent one user from including
files of another user).

In Tomcat you can set up "catalina.policy" to restrict access to files
outside the webapp using the Java security manager.  It takes a little
trial and error to get this right.  Most third-party libraries (e.g.
Velocity, Hibernate, etc.) require certain permissions and these are
almost never documented.  I can share mine if that's helpful although
it's pretty specific to my apps.

Finally, you need to be very careful as to what you put in the
context.  Any methods that allow access to files, databases and other
resources are actively dangerous.

WILL

On 4/5/06, Nathan Bubna <nbubna@gmail.com> wrote:
> Well, this is really more Will's area of expertise.  I have the luxury
> of not letting users of my apps define their own templates.  So, i've
> not had any need to use a JavaSecurityManager.
>
> The language in the article is a little unclear.  Version 1.6 has not
> started development yet.  We are still tweaking 1.5 in our
> collectively scarce free time.  It's more that the patch in question
> has been put on the roadmap for 1.6.
>
> In the meantime, the info and references in
> http://issues.apache.org/jira/browse/VELOCITY-179 should provide a
> number of options for restricting classloader use in your user's
> templates.
>
> As far as interrupting template processing...  i've been in this
> community for about five years and i can't recall anyone else ever
> asking for or needing this.  so, no, this is not supported nor is it
> scheduled to be.  i can't imagine that it would be difficult to
> implement using Threads.  if you come up with something useful here,
> you might consider sharing it with the community. :)
>
> On 4/5/06, Ben <benjamin@pcguy.org> wrote:
> > Thanks, that is the page I read about this problem from before. It has a
> > link to http://issues.apache.org/jira/browse/VELOCITY-179 which has the
> > classloader patch. It also says the proposed patch has been accepted for
> > velocity version 1.6, hence my question about the scheduled release date
> > of that version.
> >
> > Also didn't see anywhere in that article about the ability to interrupt
> > the rendering process after let's say 5 seconds so that a single user
> > doesn't take up all resources on the server. Is that something which
> > velocity currently supports/is scheduled to be supported in some future
> > version, or do I have to build in that feature in my application, and if
> > yes, can you please suggest the best route to do this? Is there an
> > interrupt method in velocity which I can call after 5 sec, let's say,
> > which will interrupt the rendering process?
> >
> > Thanks,
> > Ben
> >
> > ----- Original Message -----
> > From: "Nathan Bubna" <nbubna@gmail.com>
> > To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> > Sent: Tuesday, April 04, 2006 2:59 PM
> > Subject: Re: using Velocity in an untrusted environment
> >
> >
> > http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
> >
> > On 4/4/06, Ben <benjamin@pcguy.org> wrote:
> > > Hi all,
> > >
> > > I am thinking of using Velocity engine in an e-commerce platform, where
> > > the users will be able to upload their own templates to customize the
> > > layout of their store. I've read somewhere that Velocity has a built-in
> > > security flaw, where people could do things like AnyClass.getClassLoader()
> > > and use that to load any java class and basically do anything they want.
> > > I've also read about a patch being developed to address this issue which
> > > is scheduled to be integrated into Velocity version 1.6.
> > >
> > > I'm wondering, when is that version of velocity scheduled to come out,
> > > and are there any other security related issues I should watch out for
> > > in my scenario, where basically people who upload templates are
> > > untrusted users.
> > >
> > > Also, does velocity have a built-in timeout feature, where for example
> > > if any template takes more than 5 seconds to render, I'll be able to
> > > interrupt the rendering process? This feature is also important to me,
> > > as I don't want any single user to tie up all system resources.
> > >
> > > Thanks,
> > > Ben
> > >
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: velocity-user-help@jakarta.apache.org
> > >
> > >
> >


--
Forio Business Simulations

Will Glass-Husain
wglass@forio.com
www.forio.com
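The #include/#parse restriction Will describes (one user must not be able to pull in another user's templates), as an added example that is neither Velocity's own code nor anything posted in this thread. It assumes Velocity 1.5's IncludeEventHandler interface, where includeEvent(includeResourcePath, currentResourcePath, directiveName) returns the path to load or null to block, and a constructed naming convention in which every template a store owns is named "store/<storeId>/...", whatever loader (file system or a MySQL-backed one) actually fetches it:

```java
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;

/** Added example, not Velocity's own code: confine #include and #parse to the calling store's templates.
 *  Assumes the constructed convention that a store's templates are all named "store/<storeId>/...". */
public class SameStoreIncludeHandler implements IncludeEventHandler {

    /** Returns "store/<id>/" for a template name, or null if the name does not follow the convention. */
    static String ownerPrefix(String resourcePath) {
        if (resourcePath == null || !resourcePath.startsWith("store/")) return null;
        int slash = resourcePath.indexOf('/', "store/".length());
        return slash < 0 ? null : resourcePath.substring(0, slash + 1);
    }

    /** Called by Velocity for every #include and #parse; returning null blocks the directive. */
    public String includeEvent(String includeResourcePath, String currentResourcePath, String directiveName) {
        String owner = ownerPrefix(currentResourcePath);
        // Require the exact owner prefix and refuse parent segments, so a file-based loader
        // cannot be walked out of the store's directory either.
        boolean allowed = owner != null
                && includeResourcePath != null
                && includeResourcePath.startsWith(owner)
                && !includeResourcePath.contains("..");
        if (!allowed) {
            // Record the refusal: a cross-store include attempt is worth seeing in the logs.
            System.err.println(directiveName + " blocked: " + currentResourcePath + " -> " + includeResourcePath);
            return null;
        }
        return includeResourcePath;
    }

    /** Builds a context with the handler attached; use it for every merge of a user-supplied template. */
    public static VelocityContext guardedContext() {
        VelocityContext ctx = new VelocityContext();
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new SameStoreIncludeHandler());
        cartridge.attachToContext(ctx);
        return ctx;
    }
}
```

The handler only sees the names Velocity is asked to load, so it protects database-backed templates just as well as files; what matters is that the current template's name carries the owner, which a custom loader has to guarantee.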
