How do I secure ScriptTask's javax.script?

jmseo2
Champ in-the-making
I am currently working on a project which exposes the BPM workflow definition to our users as a configurable value. The users may define any valid BPM XML, register it against our service, and execute it within our application.

One problem we ran into is the usage of ScriptTask. The scripts are exposing all the classes, file IO, network, etc to our users, which opens up a huge security hole since the workflows are client configurable. We'd like to restrict that somehow.
Example:
<code>
<scriptTask scriptFormat="js" id="myscript">
   <script>
      java.lang.System.exit(0);
   </script>
</scriptTask>
</code>

I just killed the application JVM…

Has anyone already solved this problem in Activiti before? I know there are some things you can do with SecurityManager, but I am not sure how this can be applied in Activiti.

Many thanks in advance.
6 REPLIES

vasile_dirla
Star Contributor
Hi,
try google-ing for "sandboxing rhino".
I didn't try it yet, but this should help solving the problem.

jmseo2
Champ in-the-making
Hi Vasile. Thanks for the response.
My question was more geared towards Activiti's usage of the ScriptManager instance, which is not exposed from the process engine for me to configure.
Btw, I believe that starting with JDK 8 javax.script does not use Rhino. (I need to confirm this bit later since I am not on the PC right now.)
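Since the question is about a script engine reached through javax.script, and on JDK 8 that engine is Nashorn, one mitigation is to build the engine with a class allowlist so that scripts cannot resolve arbitrary Java classes at all. The following is an added example, not code from the thread or from Activiti: it uses Nashorn's public `jdk.nashorn.api.scripting.ClassFilter` and `NashornScriptEngineFactory.getScriptEngine(ClassFilter)` (available from JDK 8u40 up to JDK 14, or via the standalone nashorn-core artifact on later JDKs). The class name `RestrictedScriptEngine` and the contents of the allowlist are assumptions chosen for the illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/**
 * Added example (not from the thread): a Nashorn engine whose scripts can only
 * reach an explicit allowlist of Java classes. Every other class, including
 * java.lang.System, java.io.*, java.net.* and java.lang.Class (so no reflection),
 * is simply not visible to the script.
 */
public class RestrictedScriptEngine {

    /** Assumed allowlist: the only Java classes a tenant script may touch. */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.String",
            "java.lang.Math",
            "java.util.ArrayList",
            "java.util.HashMap"));

    /** Nashorn consults this filter each time a script resolves a Java class name. */
    private static final ClassFilter ALLOWLIST = new ClassFilter() {
        @Override
        public boolean exposeToScripts(String className) {
            return ALLOWED.contains(className);
        }
    };

    /** Builds a new engine; the filter applies to this engine instance only. */
    public static ScriptEngine create() {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        return factory.getScriptEngine(ALLOWLIST);
    }

    /** Evaluates a tenant script; returns true if it completed, false if it failed. */
    public static boolean runUntrusted(String script) {
        try {
            create().eval(script);
            return true;
        } catch (ScriptException | RuntimeException e) {
            // A filtered class surfaces inside the script as an unresolved name
            // (ClassNotFoundException / TypeError), which eval() reports here.
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // The exact script from the question: the JVM keeps running.
        System.out.println(runUntrusted("java.lang.System.exit(0);"));
        // A class on the allowlist is still usable from the script.
        System.out.println(runUntrusted("var l = new java.util.ArrayList(); l.add(1); l.size();"));
    }
}
```

Two caveats that a class filter does not cover: it does nothing against a script that spins in `while (true) {}` or allocates until the heap is exhausted, so evaluation should still run on a worker thread with a timeout and a bounded thread pool, and the allowlist has to be reviewed whenever a class is added, since any exposed class that can reach the file system or network reopens the hole. Nashorn also accepts `getScriptEngine("--no-java")` to hide the `Java`, `Packages` and `java.*` globals entirely when scripts need no Java interop at all.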

vasile_dirla
Star Contributor
Just had a look into the source code:
into the ScriptTaskActivityBehavior class:
in the execute method is the point of execution of the scripts:
<code>
Object result = scriptingEngines.evaluate(script, language, execution, storeScriptVariables);
</code>
I think that setting a custom security manager which will filter the packages and after the script execution to set it back to null will solve the problem for any script type executed with the ScriptTask.
<code>
public class PkgsSecurityManager extends SecurityManager {

   @Override
   public void checkPackageAccess(String pkg) {
      // if the pkg should be restricted, throw the exception like that:
      if (isRestricted(pkg)) {
         throw new SecurityException("package not allowed: " + pkg);
      }
      // otherwise keep the default behaviour
      super.checkPackageAccess(pkg);
   }

   private boolean isRestricted(String pkg) {
      // example policy: block file, network and reflection packages
      return pkg.startsWith("java.io") || pkg.startsWith("java.net") || pkg.startsWith("java.lang.reflect");
   }
}
</code>

(This should be tested; it's just my opinion, I didn't test it yet.)

jmseo2
Champ in-the-making
Several problems with this approach:
- We do not know when the script task is about to be executed. (Is there a programmatic hook provided in Activiti for us to put our custom security manager?)
- Are you suggesting we set a temporary system-wide security manager through System.setSecurityManager()? Wouldn't that apply the custom permissions to other threads in the same JVM? Or possibly even other async tasks occurring within Activiti at the time?

If there is no way to customize the ScriptTaskActivityBehavior.execute(), is it reasonable for this to be a feature request?
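The concern raised above about a system-wide security manager is real: installing and removing a manager around each script races with every other thread in the JVM. One way to keep the manager global but make its restrictions per-thread is to install it once at startup and have it enforce only on threads that are currently inside a sandbox scope. The following is an added example, not code from the thread or from Activiti; it does not claim any Activiti hook exists, so the `runSandboxed(...)` call has to wrap wherever script evaluation is actually invoked in your code. The class name, the denied package list and the `IN_SCRIPT` flag are assumptions. It needs a JDK on which `SecurityManager` is still usable (8 to 16, or 17+ with `-Djava.security.manager=allow`; it is deprecated for removal since JDK 17).

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.concurrent.Callable;

/**
 * Added example (not from the thread). Installed once, but restrictions apply only
 * on threads that are currently inside runSandboxed(); the job executor and other
 * trusted threads keep their normal permissions, so nothing is toggled globally.
 */
public final class ScopedScriptSecurityManager extends SecurityManager {

    /** Per-thread flag: true only while this thread is executing an untrusted script. */
    private static final ThreadLocal<Boolean> IN_SCRIPT = ThreadLocal.withInitial(() -> Boolean.FALSE);

    /** Assumed policy: packages a script must never resolve a class from. */
    private static final String[] DENIED_PACKAGES = {
            "java.io", "java.nio", "java.net", "java.lang.reflect", "sun." };

    @Override
    public void checkPermission(Permission perm) {
        if (!IN_SCRIPT.get()) {
            return; // trusted thread: no restrictions at all
        }
        // System.exit() ends up here as RuntimePermission("exitVM.<status>")
        if (perm instanceof RuntimePermission && perm.getName().startsWith("exitVM")) {
            throw new SecurityException("scripts may not terminate the JVM");
        }
        // java.io / java.net operations end up here as File/Socket permissions
        if (perm instanceof FilePermission || perm instanceof SocketPermission) {
            throw new SecurityException("scripts may not use file or network I/O: " + perm);
        }
        // everything else is allowed for the script thread (assumed policy)
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    /** Called by the script engine with a package name when a script resolves a Java class. */
    @Override
    public void checkPackageAccess(String pkg) {
        if (IN_SCRIPT.get()) {
            for (String denied : DENIED_PACKAGES) {
                if (pkg.startsWith(denied)) {
                    throw new SecurityException("package not available to scripts: " + pkg);
                }
            }
        }
        super.checkPackageAccess(pkg);
    }

    /** Install once at application start; safe to call repeatedly. */
    public static void installOnce() {
        if (!(System.getSecurityManager() instanceof ScopedScriptSecurityManager)) {
            System.setSecurityManager(new ScopedScriptSecurityManager());
        }
    }

    /** Runs untrusted work with restrictions enabled on the calling thread only. */
    public static <T> T runSandboxed(Callable<T> work) throws Exception {
        IN_SCRIPT.set(Boolean.TRUE);
        try {
            return work.call();
        } finally {
            IN_SCRIPT.set(Boolean.FALSE); // always restore, even if the script threw
        }
    }

    public static void main(String[] args) throws Exception {
        installOnce();
        // Outside the sandbox the same thread is unrestricted.
        System.out.println("trusted: " + new java.io.File(".").exists());
        // Inside it, the file-system check is refused.
        try {
            runSandboxed(() -> new java.io.File(".").exists());
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Script evaluation is wrapped the same way: runSandboxed(() -> engine.eval(script)).
    }
}
```

The thread-local flag is the weak point of this design: a script that creates its own `java.lang.Thread` runs on a thread where the flag is false. Denying `java.lang.Thread` and `java.util.concurrent` in `checkPackageAccess`, or overriding `checkAccess(ThreadGroup)` to refuse thread creation while the flag is set, closes that gap, and it is worth a test case in the same way the exit and file checks above are.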

vasile_dirla
Star Contributor
I don't know if there is any hook around that execution; I was thinking you could modify ScriptTaskActivityBehavior.java (the "execute" method).

vasile_dirla
Star Contributor
I think you could use this: http://activiti.org/userguide/index.html#_hooking_into_process_parsing
this way you could inject some custom script around the user's script.