Security issues about thymeleaf-itutorial HOT 14 CLOSED

We should address these issues if we finally use CloudFoundry instead of GoogleAppEngine.

from thymeleaf-itutorial.

Does Cloud Foundry allow complete execution of any arbitrary expression on the Java Runtime classes?

from thymeleaf-itutorial.

Yes... I've just tried

      <span th:text="${T(java.lang.System).exit(0)}">...</span>

and then the website returns a 404 response.

from thymeleaf-itutorial.

Wow. IMHO, that is a Cloud Foundry issue... maybe reporting it to them could be a good idea?

from thymeleaf-itutorial.

You can do that?! Hahaha :D

from thymeleaf-itutorial.

The concept of CloudFoundry is quite different from GAE. GAE gives you a restricted runtime enviroment whilst CF gives you an Amazon AWS instance for you.
Then, in your Amazon AWS instance you install a pre-packaged Tomcat server and deploy your app in your Tomcat (you do that with just one command).
So I assume it is your responsability to manage your Tomcat instance properly.

from thymeleaf-itutorial.

Understood. Hmm... and does CloudFoundry allow you to configure your own SecurityManager for that Tomcat instance?

In fact, I still think CF should add such SecurityManager by default. CF is PaaS, not IaaS, so it should offer you these things, IMHO. If you wanted an IaaS service, then you should just use AWS directly...

from thymeleaf-itutorial.

I suppose you can do anything.

I'm using the default "java buildpack"

• http://docs.cloudfoundry.com/docs/using/deploying-apps/buildpacks.html

but you can create your "custom buildpacks" (although I don't know if it is easy).

from thymeleaf-itutorial.

Well... given we still don't know whether the CF deployment would be right for us in terms of billing (compared to GAE), I would try to avoid spending too much effort on adapting the application to a deployment we cannot know for sure we'll still be using in 2-month's time.

So.. @jmiguelsamper could you please create a ticket at CF's JIRA explaining our situation and giving them detail about why we need our users to execute any expression, but protect the system from things like the above?... at least that way we'll be able to have some "official explanation" about how this scenario should be handled...

To be honest, this whole thing makes it look like GAE is much more suitable for our tutorial, at least for now... :-(

from thymeleaf-itutorial.

Ok, I read a bit more the documentation, tried the Tomcat's security manager in local and finally posted a question in the CF's official forums:

• http://cloudfoundry.zendesk.com/entries/25715066-Enabling-Tomcat-s-security-manager

from thymeleaf-itutorial.

Got response from CF. If we want to enable Tomcat's security manager we have to build our custom java-buildpack.

from thymeleaf-itutorial.

And that looks like a lot of work, right?

from thymeleaf-itutorial.

Yeah... the instructions are quite clear:

• Fork java-buildpack
• Modify tomcat spec to add -security parameter to Tomcat's start command.
• Provide a custom catalina.policy file with proper permissions (default catalina.policy does not allow Spring framework to start).

from thymeleaf-itutorial.

This was finally solved implementing a org.springframework.expression.TypeLocator which controls the expressions that can be executed inside a SpEL expression.

from thymeleaf-itutorial.