Allowing System.exit call in Groovy scripts

Arda Tugay

Jun 8, 2015, 10:25:09 AM
to camunda-...@googlegroups.com
Hi All,

Last week I was trying out a System.exit call in a Groovy script to see what would happen, since we allow customers to write their own processes and deploy them on our Camunda BPM installation. Looks like making a System.exit call is capable of killing the application server (at least on Wildfly 8, would make sense that the behavior is the same on other app servers). Is this intended behavior? It seems to me like this makes it very easy for someone to perform malicious activity on the server. I cannot see a use case where someone would want a process to be able to kill the application server.

Thank you,
Arda

thorben....@camunda.com

Jun 9, 2015, 3:58:14 AM
to camunda-...@googlegroups.com
Hi Arda,

In general, application servers can be configured with a security manager in place that is able to prevent such behavior. I am not familiar with how this works on Wildfly though. That said, Camunda BPM does not integrate a security manager so malicious behavior related to the platform like deleting deployments or disabling authorization checks cannot be avoided in that scenario out of the box.

I personally would not allow a party I don't trust to deploy applications to my server in the first place.

Best regards,
Thorben

Daniel Meyer

Jun 9, 2015, 4:30:22 AM
to camunda-...@googlegroups.com
We should add some warnings to the docs, explaining the danger of allowing
non-trusted third parties to execute such scripts.

It could also be possible to use things like
http://groovy-sandbox.kohsuke.org/
for sandboxing the Groovy script execution.

That would be an interesting topic of research. In case someone is
interested in this.

Daniel

--
Camunda Technical Lead
Blog: http://blog.camunda.org/
Twitter: @meyerdan
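
The sandboxing idea from the message above, as an added example that is not part of the original thread and not Camunda code: a groovy-sandbox interceptor that allowlists which classes a script may call statically or instantiate, so `System.exit` is rejected before it runs. It assumes the groovy-sandbox jar is on the classpath; `TenantScriptPolicy`, `runSandboxed` and the allowlists are hypothetical names and values.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Hypothetical policy: only allowlisted classes may be used for static
// calls or constructed; anything else (System, Runtime, Socket, ...) fails.
class TenantScriptPolicy extends GroovyInterceptor {
    static final Set<Class> STATIC_OK = [Math, Integer, Long, String] as Set
    static final Set<Class> NEW_OK = [ArrayList, HashMap, StringBuilder] as Set

    @Override
    Object onStaticCall(GroovyInterceptor.Invoker invoker, Class receiver,
                        String method, Object... args) throws Throwable {
        if (!STATIC_OK.contains(receiver)) {
            throw new SecurityException("static call blocked: ${receiver.name}.${method}")
        }
        return super.onStaticCall(invoker, receiver, method, args)
    }

    @Override
    Object onNewInstance(GroovyInterceptor.Invoker invoker, Class receiver,
                         Object... args) throws Throwable {
        if (!NEW_OK.contains(receiver)) {
            throw new SecurityException("constructor blocked: ${receiver.name}")
        }
        return super.onNewInstance(invoker, receiver, args)
    }
    // A full policy also has to decide on instance method calls and property
    // access (onMethodCall, onGetProperty, onSetProperty); omitted here.
}

// Compiles the untrusted text with SandboxTransformer so every call is routed
// through the registered interceptor, then evaluates it.
Object runSandboxed(String scriptText) {
    def cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new SandboxTransformer())
    def policy = new TenantScriptPolicy()
    policy.register()            // registration is per thread
    try {
        return new GroovyShell(cc).evaluate(scriptText)
    } finally {
        policy.unregister()      // do not leak the policy to other work on this thread
    }
}

assert runSandboxed('Math.max(2, 3)') == 3      // allowlisted static call runs
try {
    runSandboxed('System.exit(1)')              // constructed sample input
    assert false : 'System.exit was not intercepted'
} catch (SecurityException e) {
    println "rejected: ${e.message}"
}
```

Only code compiled with the transformer is checked, so the policy has to be applied wherever the untrusted script text is compiled.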

Arda Tugay

Jun 9, 2015, 12:17:13 PM
to camunda-...@googlegroups.com
Gotcha. Makes sense if there is no built-in security manager. Making sure the behavior is intended.

I'll give the sandboxing a try once I have time.

Thank you,
Arda

Jaap Sperling

Jun 10, 2015, 11:08:12 AM
to camunda-...@googlegroups.com
Yeah, it was one of the first things I thought of when I discovered that there was a ScriptTask that allows execution of really anything that Groovy/JavaScript/Java can do. And System.exit is one of the smaller issues. How about opening sockets, transferring local server data to a DropBox, etc. etc. The sky's the limit.

Would be interesting to hear if anyone else has figured this to be a bit of an issue (or even has some working fix).

Jaap