...
The script prints dummy and writes some text to somefile.txt behind the scenes.
Compliant Solution (Whitelisting)
The best defense against code injection vulnerabilities is to avoid including executable user input in code. When dynamic code requires user input, that input must be sanitized. For example, a top-level method could ensure that the string firstName contains only valid, whitelisted characters. Refer to IDS00-J. Sanitize untrusted data passed across a trust boundary for more details. If special characters are allowed in the name, they must be escaped and normalized before comparing with their equivalent forms for the purpose of input validation. This compliant solution uses whitelisting to prevent unsanitized input from being interpreted by the scripting engine.
| Code Block | ||
|---|---|---|
| ||
private static void evalScript(String firstName) throws ScriptException { // First sanitize firstName (modify if the name may include special characters) if (!firstName.matches("[\\w]*")) { // String does not match whitelisted characters throw new IllegalArgumentException(); } ScriptEngineManager manager = new ScriptEngineManager(); ScriptEngine engine = manager.getEngineByName("javascript"); engine.eval("print('"+ firstName + "')"); } |
Compliant Solution (Secure Sandbox)
An alternative policy approach is to create a secure sandbox using a security manager. (See See SEC60-JG. Create a secure sandbox using a Security Manager.) The application should not allow the script to execute arbitrary commands including, for example, querying the local file system. The two-argument form of of doPrivileged() can can be used to lower privileges when the application must operate with higher privileges but the scripting engine must not. The The RestrictedAccessControlContext strips strips the permissions granted in the default policy file by reducing the permissions granted to the newly created protection domain. The effective permissions are the intersection of the permissions of the newly created protection domain and the systemwide security policy. Refer to to SEC50-JG. Avoid granting excess privileges for for more details on the two-argument form.
This compliant solution illustrates the use of an an AccessControlContext in in the two-argument form of of doPrivileged().
| Code Block | ||
|---|---|---|
| ||
class ACC {
private static class RestrictedAccessControlContext {
private static final AccessControlContext INSTANCE;
static {
INSTANCE = new AccessControlContext(new ProtectionDomain[] {
new ProtectionDomain(null, null) // no permissions
});
}
}
// First sanitize firstName (modify if the name may include special characters)
if(!firstName.matches("[\\w]*")) { // String does not match whitelisted characters
throw new IllegalArgumentException();
}
// Restrict permission using the two-argument form of doPrivileged()
try {
AccessController.doPrivileged(new PrivilegedExceptionAction() {
public Object run() throws ScriptException {
engine.eval("print('"+ firstName + "')");
return null;
}
}, RestrictedAccessControlContext.INSTANCE); // From nested class
} catch(PrivilegedActionException pae) {
// Handle
}
|
This approach could be combined with whitelisting for extra security.
Applicability
Failure to prevent code injection can result in the execution of arbitrary code.
...