From notifications-return-5858-archive-asf-public=cust-asf.ponee.io@freemarker.apache.org Fri Jan 18 11:25:28 2019
Return-Path: Denial-of-Service (DoS) attacks: It's trivial to create
- templates that run practically forever (with a loop), or
- exhaust memory (by concatenating to a string in a loop).
- FreeMarker can't enforce CPU or memory usage limits, so this
- is something that has no solution on the
- FreeMarker-level. Data-model and wrapping
(
Configuration.setObjectWrapper
): The
data-model might gives access to the public Java API of some
objects that you have put into the data-model. By default, for
objects that aren't instances of a the bunch of specially
- handler types (String
,
+ handled types (String
,
Number
, Boolean
,
Date
, Map
,
List
, array, and a few others), their
- public Java API will be exposed. To avoid that, you have to
- construct the data-model so that it only exposes the things
- that are really necessary for the template. For that, you may
- want to use SimpleObjectWrapper
(via
- Configuration.setObjectWrapper
or the
+ public Java API will be exposed, including most methods
+ inherited from standard Java classes
+ (getClass()
, etc.). To avoid that, you have
+ to construct the data-model so that it only exposes the
+ members that are really necessary for the template. One
+ possibility is using SimpleObjectWrapper
+ (via Configuration.setObjectWrapper
or the
object_wrapper
setting) and then create the
data-model purely from Map
-s,
List
-s, Array
-s,
String
-s, Number
-s,
Boolean
-s and Date
-s.
- Or, you can implement your own extremely restrictive
- ObjectWrapper
, which for example could
- expose your POJO-s safely.ObjectWrapper
, which, for example, only
+ exposes those members of POJO-s that were explicitly marked to
+ be safe (opt-in approach).
Also, don't forget about the ?api
+ built-in, if you have enabled it (it's disabled by
+ default). While the Java API of Map
-s,
+ List
-s and similar container-like objects
+ is not directly exposed by most
+ ObjectWrapper
-s, so
+ someMap.someJavaMethod()
won't work, using
+ ?api
the template author can still get to
+ the Java API-s of these objects, like
+ someMap?api.someJavaMethod()
. But note that
+ the ObjectWrapper
is still in control, as
+ it decides what objects support ?api
, and
+ what will ?api
expose for them (it usually
+ exposes the same as for a generic POJO).
Last not least, some maybe aware of that the standard
+ object wrappers filters out some well known
+ "unsafe" methods, like
+ System.exit
. Do not ever rely on this as
+ your only line of defense, since it only blocks the methods
+ that's in a predefined list. Thus, for example, if a new Java
+ version adds a new problematic method, it won't be filtered
+ out.
TemplateClassResolver.ALLOWS_NOTHING_RESOLVER
.
Denial-of-Service (DoS) attacks: It's trivial to create + templates that run practically forever (with a loop), or + exhaust memory (by concatenating to a string in a loop). + FreeMarker can't enforce CPU or memory usage limits, so this + is something that has no solution on the + FreeMarker-level.
+