[jira] [Commented] (SOLR-13993) sandbox velocity template render

Wed, 04 Dec 2019 22:38:23 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-13993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988516#comment-16988516
 ] 

ASF subversion and git services commented on SOLR-13993:
--------------------------------------------------------

Commit e6728cdf64472e91186b3cc080d2d1c5de774196 in lucene-solr's branch 
refs/heads/branch_8x from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=e6728cd ]

SOLR-13993: sandbox velocity template render (if security manager is enabled)

The solr permissions are weak sauce due to the huge number of features, 
third-party dependencies, etc.

Hence they have access to do many things. For "scripting" such as velocity we 
have to look at a more aggressive stance:

Step 1: Can we wrap a sandbox around the whole goddamn thing and call it a day?
Step 2: Let's separate the "engine" from "untrusted code" and only be an 
asshole to the latter.
Step 3: Java's security is shit, Lets contain that classloader and whitelist 
access.


> sandbox velocity template render
> --------------------------------
>
>                 Key: SOLR-13993
>                 URL: https://issues.apache.org/jira/browse/SOLR-13993
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>             Fix For: 8.4
>
>         Attachments: SOLR-13993.patch, SOLR-13993.patch, SOLR-13993.patch, 
> SOLR-13993.patch
>
>
> This thing seems dangerous :)
> Making the whole solr secure is a whole nother thing: (see e.g. SOLR-13991 
> and we haven't even gotten started). Its pretty difficult to convert whole 
> large app to work securely. It is going to take time.
> In the meantime, if we have things that might do something dangerous, and 
> security manager is enabled, we can put them into a special little sandbox 
> and throw away the key: for example we can intentionally discard permissions 
> we don't need so they can't launch stuff, if we really don't trust them, we 
> can start filtering what classes classloader will load.
> This isn't that crazy at all to do, e.g. your web browser does similar tricks 
> to try to sandbox specific parts that might do something unexpected and cause 
> security issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to