velocity-user mailing list archives

From "Will Glass-Husain" <wgl...@forio.com>
Subject Re: using Velocity in an untrusted environment
Date Fri, 07 Apr 2006 02:08:23 GMT
Hi Ben,

You probably don't have an issue with #include though it depends how
you organize the templates.

In our case, I load templates specific to a given user via part of the
path, e.g. "/will/abc.htm".  Hence we needed an event handler to
decide if you have permission to include the files or not.  If you
don't indicate user specific info on the path you're likely ok.  It's
probably pretty obvious whether this is the case or not.

In regards to "unescaped HTML", do a Google search on "Cross-Site
Scripting".  Essentially, the issue is that if user A can insert text
that appears on User B's screen, you need to prevent that text from
including arbitrary HTML or JavaScript.  The easiest way to do this is
to convert all entities (e.g. "<" into &lt;).

I'll have to think about the rendering cost issue.  I agree with
Nathan in that I'm reluctant to add a lot of complexity to the core to
address this.  I suggest either putting such code in a custom plugin
(e.g. the ReferenceInsertEventHandler) that checks for resource
activity and throws a RuntimeException if appropriate, or adding such
a routine externally to Velocity in some type of thread handler. 
(e.g. it launches Velocity in a thread and kills the thread if it
takes too long -- is that possible?  I'm not a thread guru).

Best, WILL



On 4/6/06, Ben <benjamin@pcguy.org> wrote:
> Thanks Will, I appreciate your response.
>
> Two more questions though, in my project the templates are kept inside a
> MySQL database and are loaded by a custom class from there, does this mean I
> don't have to worry about the #include and the #parse loading another user's
> templates, since they only load them from a directory on the hard-drive?
>
> Also I don't fully understand the problem of unescaped HTML inside the
> templates, what kind of issues can be expected from that in my case, where
> users are allowed to upload their own templates anyway, or it only applies
> in a case where they don't have permission to do this?
>
> I'll be happy to share my solution about interrupting the rendering process,
> if I come up with a generic way which can be applied to other projects
> besides mine. Ideally I would like this to be a function of Velocity itself,
> where for every operation it does it would assign some number, which would
> be the cost of that operation, and then the developer would have the ability
> to set the maximum cost, after which velocity would automatically interrupt
> the rendering process. Another option would be for it to save the starting
> date/time of the rendering process, and then every now and then to check how
> much time has passed, and if the time limit has expired to interrupt the
> rendering process. I am not sure I have sufficient understanding of the
> Velocity source code to do this though, can anybody who knows the Velocity
> code well tell me if any of these two options are feasible, and if yes, what
> class/classes would I need to modify for this?
>
> Thanks,
> Ben
>
> ----- Original Message -----
> From: "Will Glass-Husain" <wglass@forio.com>
> To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> Sent: Thursday, April 06, 2006 4:39 AM
> Subject: Re: using Velocity in an untrusted environment
>
>
> Hi Ben,
>
> I run a web site with some hundreds of users who upload their own
> Velocity templates.  It works pretty well.  We've tried to address
> most security-related issues, but so far we've just ignored the
> potential DenialOfService issue and haven't had any trouble.
>
> As far as the classloader patch goes, you can put it into a custom
> Uberspector and use it right now.  A little complicated, but it works.
>
> Some of the other items in the article have been fixed.  The current
> source control head contains an Event Handler which can automatically
> escape HTML.  There's also a new event handler that can be used to
> modify #include and #parse (say, to prevent one user from including
> files of another user).
>
> In Tomcat you can set up "catalina.policy" to restrict access to files
> outside the webapp using the Java security manager.  It takes a little
> trial and error to get this right.  Most third-party libraries (e.g.
> Velocity, Hibernate, etc.) require certain permissions and these are
> almost never documented.  I can share mine if that's helpful although
> it's pretty specific to my apps.
>
> Finally, you need to be very careful as to what you put in the
> context.  Any methods that allow access to files, databases and other
> resources are actively dangerous.
>
> WILL
>
> On 4/5/06, Nathan Bubna <nbubna@gmail.com> wrote:
> > Well, this is really more Will's area of expertise.  I have the luxury
> > of not letting users of my apps define their own templates.  So, i've
> > not had any need to use a JavaSecurityManager.
> >
> > The language in the article is a little unclear.  Version 1.6 has not
> > started development yet.  We are still tweaking 1.5 in our
> > collectively scarce free time.  It's more that the patch in question
> > has been put on the roadmap for 1.6.
> >
> > In the meantime, the info and references in
> > http://issues.apache.org/jira/browse/VELOCITY-179 should provide a
> > number of options for restricting classloader use in your user's
> > templates.
> >
> > As far as interrupting template processing...  i've been in this
> > community for about five years and i can't recall anyone else ever
> > asking for or needing this.  so, no, this is not supported nor is it
> > scheduled to be.    i can't imagine that it would be difficult to
> > implement using Threads.  if you come up with something useful here,
> > you might consider sharing it with the community. :)
> >
> > On 4/5/06, Ben <benjamin@pcguy.org> wrote:
> > > Thanks, that is the page I read about this problem from before. It has a
> > > link to http://issues.apache.org/jira/browse/VELOCITY-179 which has the
> > > classloader patch. It also says the proposed patch has been accepted for
> > > velocity version 1.6, hence my question about the scheduled release date of
> > > that version.
> > >
> > > Also didn't see anywhere in that article about the ability to interrupt the
> > > rendering process after let's say 5 seconds so that a single user doesn't
> > > take up all resources on the server. Is that something which velocity
> > > currently supports/is scheduled to be supported in some future version, or do
> > > I have to build in that feature in my application, and if yes, can you
> > > please suggest the best route to do this? Is there an interrupt method in
> > > velocity which I can call after 5 sec, let's say, which will interrupt the
> > > rendering process?
> > >
> > > Thanks,
> > > Ben
> > >
> > > ----- Original Message -----
> > > From: "Nathan Bubna" <nbubna@gmail.com>
> > > To: "Velocity Users List" <velocity-user@jakarta.apache.org>
> > > Sent: Tuesday, April 04, 2006 2:59 PM
> > > Subject: Re: using Velocity in an untrusted environment
> > >
> > >
> > > http://wiki.apache.org/jakarta-velocity/BuildingSecureWebApplications
> > >
> > > On 4/4/06, Ben <benjamin@pcguy.org> wrote:
> > > > Hi all,
> > > >
> > > > I am thinking of using Velocity engine in an e-commerce platform, where the
> > > > users will be able to upload their own templates to customize the layout of
> > > > their store. I've read somewhere that Velocity has a built in security flaw,
> > > > where people could do things like AnyClass.getClassLoader() and use that to
> > > > load any java class and basically do anything they want. I've also read
> > > > about a patch being developed to address this issue which is scheduled to be
> > > > integrated into Velocity version 1.6
> > > >
> > > > I'm wondering, when is that version of velocity scheduled to come out, and
> > > > are there any other security related issues I should watch out for in my
> > > > scenario, where basically people who upload templates are untrusted users.
> > > >
> > > > Also, does velocity have a built in timeout feature, where for example if
> > > > any template takes more than 5 seconds to render, I'll be able to interrupt
> > > > the rendering process? This feature is also important to me, as I don't want
> > > > any single user to tie up all system resources.
> > > >
> > > > Thanks,
> > > > Ben
> > > >
> > >
> >
>
>
> --
> Forio Business Simulations
>
> Will Glass-Husain
> wglass@forio.com
> www.forio.com
>

--
Forio Business Simulations

Will Glass-Husain
wglass@forio.com
www.forio.com

---------------------------------------------------------------------
To unsubscribe, e-mail: velocity-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: velocity-user-help@jakarta.apache.org
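Added example, not code from this thread or from the Velocity project: one way to wire together the mitigations the thread discusses against the Velocity 1.x API (1.5 to 1.7): SecureUberspector for the VELOCITY-179 classloader problem, the EscapeHtmlReference event handler for the cross-site scripting issue Will describes, an IncludeEventHandler that only lets a template include files under its own user's prefix (following Will's "/will/abc.htm" layout), and a thread-based render timeout of the kind Will speculates about. The class names UntrustedTemplateRenderer and SameUserIncludeHandler are invented here; it is also assumed that the log tag passed to evaluate() is what the include handler receives as the current template name (true for 1.x, where evaluate() pushes the tag as the current template name). A real resource loader (such as Ben's MySQL-backed one) is omitted, so only the blocked include path is exercised.

```java
import java.io.StringWriter;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;
import org.apache.velocity.runtime.RuntimeConstants;

public class UntrustedTemplateRenderer {

    // Hypothetical per-user #include/#parse guard (not part of Velocity).
    // Templates live at "/<user>/<name>.htm"; a template owned by one user
    // may only include resources under that same user's prefix.
    static final class SameUserIncludeHandler implements IncludeEventHandler {
        public String includeEvent(String includeResourcePath,
                                   String currentResourcePath,
                                   String directiveName) {
            String owner = firstSegment(currentResourcePath);
            String target = firstSegment(includeResourcePath);
            if (owner == null || !owner.equals(target)) {
                return null;             // null tells Velocity to skip the include
            }
            return includeResourcePath;  // unchanged path: include allowed
        }

        // "/will/abc.htm" -> "will"; paths without a user segment fail closed.
        private static String firstSegment(String path) {
            if (path == null) return null;
            String p = path.startsWith("/") ? path.substring(1) : path;
            int slash = p.indexOf('/');
            return slash < 0 ? null : p.substring(0, slash);
        }
    }

    private final VelocityEngine engine = new VelocityEngine();
    private final ExecutorService pool = Executors.newCachedThreadPool();

    public UntrustedTemplateRenderer() {
        // 1. Refuse method calls on Class, ClassLoader, Thread, Runtime, etc.,
        //    so $obj.getClass().getClassLoader() goes nowhere (VELOCITY-179).
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
            "org.apache.velocity.util.introspection.SecureUberspector");
        // 2. HTML-escape every $reference at insertion time, so data supplied
        //    by user A cannot carry <script> into user B's rendered page.
        engine.setProperty(RuntimeConstants.EVENTHANDLER_REFERENCEINSERTION,
            "org.apache.velocity.app.event.implement.EscapeHtmlReference");
        engine.init();
    }

    /** Renders a template owned by user; stops waiting after timeoutSeconds. */
    public String render(final String user, final String templateSource,
                         final VelocityContext ctx, long timeoutSeconds)
            throws Exception {
        Callable<String> job = new Callable<String>() {
            public String call() throws Exception {
                // 3. Attach the include guard to this request's context only.
                EventCartridge cartridge = new EventCartridge();
                cartridge.addEventHandler(new SameUserIncludeHandler());
                cartridge.attachToContext(ctx);
                StringWriter out = new StringWriter();
                // The log tag stands in for the current template name that
                // the include handler compares against (assumption, see above).
                engine.evaluate(ctx, out, "/" + user + "/main.htm", templateSource);
                return out.toString();
            }
        };
        Future<String> result = pool.submit(job);
        try {
            // 4. Bound the time the request thread spends on this template.
            return result.get(timeoutSeconds, TimeUnit.SECONDS);
        } catch (TimeoutException slow) {
            result.cancel(true);  // interrupts the worker; see the caveat below
            throw new IllegalStateException("template for " + user
                + " exceeded " + timeoutSeconds + "s");
        }
    }

    public static void main(String[] args) throws Exception {
        UntrustedTemplateRenderer r = new UntrustedTemplateRenderer();
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", "<script>alert(1)</script>");   // constructed hostile value
        // Constructed template: the reference is escaped, the cross-user
        // include is dropped, and the classloader call is refused.
        String tpl = "Hello $name\n"
                   + "#include(\"/otheruser/secret.htm\")\n"
                   + "$name.getClass().getClassLoader()";
        System.out.println(r.render("will", tpl, ctx, 5));
    }
}
```

Two caveats a practitioner would want. First, the timeout only frees the request thread: Velocity's render loop does not poll for interruption, so `cancel(true)` will not stop a template that is busy in a huge `#foreach`, and the worker keeps burning CPU until it finishes (and `Thread.stop()` is not a safe substitute). Pair the timeout with the hard limits Velocity 1.5+ does enforce, `directive.foreach.maxloops` (RuntimeConstants.MAX_NUMBER_LOOPS) and `directive.parse.max.depth` (RuntimeConstants.PARSE_DIRECTIVE_MAXDEPTH), and, as Will says, be strict about what goes into the context in the first place. Second, the IncludeEventHandler signature shown is the 1.x one; Velocity 2.x adds a leading Context parameter, and EscapeHtmlReference needs commons-lang on the classpath. The catalina.policy / Java security manager layer from Will's earlier mail is a separate, container-level control and is not shown here.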