topic incredible security hole with scheduler in Alfresco Archive https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299356#M252486 <HTML><HEAD></HEAD><BODY><SPAN>When running script actions launched by alfresco scheduler, I got the following behaviour (5.0.d or 5.1.e):</SPAN><BR /><SPAN>- scheduler run as 'System' or 'admin' (same results), executes js script stored in repo folder 'Scheduled Actions'</SPAN><BR /><SPAN>- this script create/move/delete documents</SPAN><BR /><SPAN>- documents created or moved have arbitrary 'owner' or 'modifiedBy' properties</SPAN><BR /><SPAN>- documents deleted appear in arbitrary user's trash ( -&gt; user gains access to content he had no permission on initially)</SPAN><BR /><BR /><SPAN>Consequences: </SPAN><BR /><SPAN>- any users may become owner-deletors of any content created/moved/deleted by this script, executed by admin/system. </SPAN><BR /><SPAN>- Users ask me: why this document is owned by 'john', he has no access to this site…….</SPAN><BR /><BR /><SPAN>It seems that this 'arbitrary user' is the last logged in user…..</SPAN><BR /><SPAN>This is very easy to reproduce, you just have write a js script that:</SPAN><BR /><SPAN>- create log file in any site</SPAN><BR /><SPAN>- update it each times it runs</SPAN><BR /><SPAN>you'll see that the cm:modifier becomes any arbitrary user……</SPAN><BR /><BR /><SPAN>one question : How is it possible ??? did somebody face the same kind of issue ?</SPAN><BR /><BR /><SPAN>Scheduled-action-service-context.xml:</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />&lt;?xml version='1.0' encoding='UTF-8'?&gt;<BR />&lt;!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' '<A href="http://www.springframework.org/dtd/spring-beans.dtd" rel="nofollow noopener noreferrer">http://www.springframework.org/dtd/spring-beans.dtd</A>'&gt;<BR /><BR />&lt;beans&gt;<BR />&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp; &lt;!–<BR />&nbsp;&nbsp;&nbsp; Define the model factory used to generate object models suitable for use with freemarker templates. <BR />&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;bean id="templateActionModelFactory" class="org.alfresco.repo.action.scheduled.FreeMarkerWithLuceneExtensionsModelFactory"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="serviceRegistry"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="ServiceRegistry"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;/bean&gt;<BR />&nbsp;&nbsp;&nbsp; <BR />&nbsp;&nbsp;&nbsp;&lt;bean id="runScriptActionTestJScript" class="org.alfresco.repo.action.scheduled.SimpleTemplateActionDefinition"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="actionName"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;value&gt;script&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="parameterTemplates"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;map&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;entry&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;key&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;value&gt;script-ref&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/key&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;value&gt;\$\{selectSingleNode('workspace://SpacesStore', 'fts-alfresco', 'PATH:"/app:company_home/app:dictionary/cm:Scheduled_x0020_Actions/cm:myTestScript.js"' )\}&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/entry&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/map&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="templateActionModelFactory"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ref bean="templateActionModelFactory"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="dictionaryService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ref bean="DictionaryService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="actionService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ref bean="ActionService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;property name="templateService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ref bean="TemplateService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;/bean&gt;<BR />&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp; &lt;bean id="runtestScheduleEveryOneMinutes" class="org.alfresco.repo.action.scheduled.CronScheduledQueryBasedTemplateActionDefinition"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="transactionMode"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;UNTIL_FIRST_FAILURE&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;!–value&gt;ISOLATED_TRANSACTIONS&lt;/value–&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="compensatingActionMode"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;IGNORE&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="searchService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="SearchService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="templateService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="TemplateService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="queryLanguage"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;fts-alfresco&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="stores"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;list&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;workspace://SpacesStore&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/list&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Find all nodes that do not have the aspect –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="queryTemplate"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;PATH:"/app:company_home/st:sites/cm:mySite/cm:documentLibrary/cm:_Inbox"&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="cronExpression"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;0 0/15 * * * ?&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="jobName"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;TestJScriptJobName&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="jobGroup"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;TestJScriptJobGroup&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="triggerName"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;TestJScriptTriggerName&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="triggerGroup"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;TestJScriptTriggerGroup&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="scheduler"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="schedulerFactory"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="actionService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="ActionService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="templateActionModelFactory"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="templateActionModelFactory"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="templateActionDefinition"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="runScriptActionTestJScript"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="transactionService"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ref bean="TransactionService"/&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="runAsUser"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;System&lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–value&gt;admin&lt;/value–&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />&nbsp;&nbsp;&nbsp; &lt;/bean&gt;<BR />&nbsp;&nbsp;&nbsp;<BR />&lt;/beans&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /></BODY></HTML> Fri, 03 Jun 2016 09:07:21 GMT vincent-kali 2016-06-03T09:07:21Z incredible security hole with scheduler https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299356#M252486 When running script actions launched by alfresco scheduler, I got the following behaviour (5.0.d or 5.1.e):- scheduler run as 'System' or 'admin' (same results), executes js script stored in repo folder 'Scheduled Actions'- this script create/move/delete documents- documents created or moved have ar Fri, 03 Jun 2016 09:07:21 GMT https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299356#M252486 vincent-kali 2016-06-03T09:07:21Z Re: incredible security hole with scheduler https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299357#M252487 <HTML><HEAD></HEAD><BODY><SPAN>Hi,</SPAN><BR /><BR /><SPAN>Out of interest, can you include the content of the script you're running (/app:company_home/app:dictionary/cm<img id="smileyfrustrated" class="emoticon emoticon-smileyfrustrated" src="https://connect.hyland.com/i/smilies/16x16_smiley-frustrated.png" alt="Smiley Frustrated" title="Smiley Frustrated" />cheduled_x0020_Actions/cm:myTestScript.js) ?</SPAN><BR /><BR /><SPAN>Can you also outline how many files exist beneath /app:company_home/st:sites/cm:mySite/cm:documentLibrary/cm:_Inbox and whether the arbitrary cm:modifier property values you're seeing correspond to the modifiers/owners of these files?&nbsp; The queryTemplate you've specified will run your script for each of the nodes that exist underneath the cm:_Inbox path, so it would be good to see if this has a bearing here</SPAN><BR /><BR /><SPAN>Thanks</SPAN><BR /><BR /><SPAN>Steven</SPAN><BR /><BR /></BODY></HTML> Sat, 04 Jun 2016 23:48:37 GMT https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299357#M252487 steven_okennedy 2016-06-04T23:48:37Z Re: incredible security hole with scheduler https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299358#M252488 <HTML><HEAD></HEAD><BODY><SPAN>Hi steven,</SPAN><BR /><SPAN>The whole process is aimed to publish invoices to a Customer portal.</SPAN><BR /><SPAN>All Customer invoices from ERP are pushed into 'Inbox'. The scheduler run the script which is parsing the folder content, and takes actions for each child document (transform, classify, extract content, add aspect, manage permissions, move files….). I can't put all the script here (very big script), but below is the main logic.</SPAN><BR /><SPAN>Script is run as either System or admin user by the scheduler, and I get the following:</SPAN><BR /><SPAN>- for moved invoices: cm:modifier is replaced by an arbitrary user (any user currently authenticated against alfresco, I didn't understand any rule, could be the last logged in user). cm:creator is preserved, and no cm<img id="smileysurprised" class="emoticon emoticon-smileysurprised" src="https://connect.hyland.com/i/smilies/16x16_smiley-surprised.png" alt="Smiley Surprised" title="Smiley Surprised" />wner defined (ownable aspect no set).</SPAN><BR /><SPAN>- for deleted temporary files (mainly transformed document), following properties are set to an arbitrary user :</SPAN><BR /><SPAN>cm<img id="smileysurprised" class="emoticon emoticon-smileysurprised" src="https://connect.hyland.com/i/smilies/16x16_smiley-surprised.png" alt="Smiley Surprised" title="Smiley Surprised" />wner, cm:modifier, cm:creator</SPAN><BR /><SPAN>The arbitrary users ARE NOT MEMBERS of the site.</SPAN><BR /><SPAN>- for script log file: cm:modifier altered</SPAN><BR /><BR /><SPAN>I think it's possible to reproduce this just by running a simple script that create/open a log file, and write into it each time the scheduler execute the jobs.</SPAN><BR /><SPAN>The cm:modifier will be altered to any authenticated user. (environment 5.x community, with some users working on the platform)</SPAN><BR /><BR /><SPAN>structure of my script:</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />logger.system.out(" -&gt; running script, " + new Date().toString());<BR /><BR />try{<BR /><BR /><BR />&nbsp;&nbsp;&nbsp;if ((debug) || (log))<BR />&nbsp;&nbsp;&nbsp;{<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// get or create log file<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var configFolder = companyhome.childByNamePath(configRootPath);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var logFile = configFolder.childByNamePath(logFileName);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// if no log file, create a new one <BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ( logFile == null)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile = configFolder.createFile(logFileName);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// else rotate log file if necessary<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else if (parseInt(<A href="http://logFile.size/1024" rel="nofollow noopener noreferrer">logFile.size/1024</A>) &gt; logMaxSize){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var logFileBackup = configFolder.childByNamePath(logFileNameBackup);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// remove previous log backup<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (logFileBackup != null){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;configFolder.removeNode(logFileBackup);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// rename existing log<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile.name = logFileNameBackup;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile.save();<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// create new log file<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile = configFolder.createFile(logFileName);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if ( logFile == null) throw "Unable to open/create log file";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile.content += "\n\n________________________________________________________________\n"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logFile.content += new Date().toString() + "Run execution \n"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;// manage locks (one process at a time).<BR />&nbsp;&nbsp;&nbsp;var configFolder = companyhome.childByNamePath(configRootPath);<BR />&nbsp;&nbsp;&nbsp;var lockFile = companyhome.childByNamePath(configRootPath + "/" + lockFileName);<BR />&nbsp;&nbsp;&nbsp;if (!lockFile){&nbsp; // lock file does not exists<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// create lock file if not exists<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (!lockFile) lockFile = configFolder.createFile(lockFileName);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (!lockFile) throw "Unable to create lock file";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// get document array to process<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var childsFiles = new Array();<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (document.type == "{<A href="http://www.alfresco.org/model/content/1.0}folder" rel="nofollow noopener noreferrer">http://www.alfresco.org/model/content/1.0}folder</A>"){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (log) logFile.content += "\nCurrent node is a folder, processing childs\n";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;childsFiles = document.childFileFolders(true, false);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else if (document.type == "{<A href="http://www.alfresco.org/model/content/1.0}content" rel="nofollow noopener noreferrer">http://www.alfresco.org/model/content/1.0}content</A>"){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (log) logFile.content += "\nCurrent node is a document, processing current node only\n";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;childsFiles[0] = document;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else {<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw "Unknow document type";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// process documents<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for (ii_main in childsFiles){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (log) logFile.content += " -&gt; Processing file: " + childsFiles[ii_main].properties.name + "\n";&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (debug) logger.system.out(" -&gt; Processing file: " + childsFiles[ii_main].properties.name);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// put all business logic here ()<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;//<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// release lock (hide)<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var lockFile = companyhome.childByNamePath(configRootPath + "/" + lockFileName);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (lockFile){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;configFolder.removeNode(lockFile);<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;}<BR />&nbsp;&nbsp;&nbsp;else{<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// Process already running<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (log) logFile.content += "Process already running\n";<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if (debug) logger.system.out("Process already running");<BR />&nbsp;&nbsp;&nbsp;}<BR />}<BR />catch (err){<BR />&nbsp;&nbsp;&nbsp;logger.system.out("! Aborting, error message: " + err);<BR />&nbsp;&nbsp;&nbsp;if (log) logFile.content += "\n ! Aborting, error message: " + err + "\n";<BR />&nbsp;&nbsp;&nbsp;// release lock <BR />&nbsp;&nbsp;&nbsp;var configFolder = companyhome.childByNamePath(configRootPath);<BR />&nbsp;&nbsp;&nbsp;var lockFile = companyhome.childByNamePath(configRootPath + "/" + lockFileName);<BR />&nbsp;&nbsp;&nbsp;if (lockFile){<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;configFolder.removeNode(lockFile);<BR />&nbsp;&nbsp;&nbsp;}<BR />}<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE></BODY></HTML> Sun, 05 Jun 2016 20:13:08 GMT https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299358#M252488 vincent-kali 2016-06-05T20:13:08Z Re: incredible security hole with scheduler https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299359#M252489 <HTML><HEAD></HEAD><BODY><SPAN>I reproduce this behaviour with any 5.x version (tested on 5.0.d, 5.1.e, 5.1.g).</SPAN><BR /><SPAN>To summarize:</SPAN><BR /><SPAN>- Scheduler execute script action as 'admin' user</SPAN><BR /><SPAN>- Script is just openning a log file and writing current user name into it</SPAN><BR /><SPAN>- Users are accessing alfresco using CIFS protocol (Kerberso authentication)</SPAN><BR /><SPAN>- User context of the script becomes any authenticated user, log files properties cm:modifier is altered with any arbitrary user (breaking security model, this user has no access to current site…).</SPAN><BR /><BR /><SPAN>This is a major security breach.</SPAN><BR /><SPAN>I'll open a case in jira.</SPAN><BR /><BR /><SPAN>Does anybody already faced this ? Any suggestion ? </SPAN><BR /><BR /><BR /><BR /><BR /></BODY></HTML> Thu, 09 Jun 2016 09:04:20 GMT https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299359#M252489 vincent-kali 2016-06-09T09:04:20Z Re: incredible security hole with scheduler https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299360#M252490 <HTML><HEAD></HEAD><BODY><A href="https://issues.alfresco.com/jira/browse/ALF-21658" rel="nofollow noopener noreferrer">https://issues.alfresco.com/jira/browse/ALF-21658</A><BR /></BODY></HTML> Thu, 09 Jun 2016 12:38:35 GMT https://connect.hyland.com/t5/alfresco-archive/incredible-security-hole-with-scheduler/m-p/299360#M252490 vincent-kali 2016-06-09T12:38:35Z