[ https://issues.apache.org/jira/browse/SOLR-13993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988639#comment-16988639 ]
ASF subversion and git services commented on SOLR-13993: -------------------------------------------------------- Commit e77027dd8c4b29b21d5343f31c860571864b48e5 in lucene-solr's branch refs/heads/gradle-master from Robert Muir [ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=e77027d ] SOLR-13993: sandbox velocity template render (if security manager is enabled) The solr permissions are weak sauce due to the huge number of features, third-party dependencies, etc. Hence they have access to do many things. For "scripting" such as velocity we have to look at a more aggressive stance: Step 1: Can we wrap a sandbox around the whole goddamn thing and call it a day? Step 2: Let's separate the "engine" from "untrusted code" and only be an asshole to the latter. Step 3: Java's security is shit, Lets contain that classloader and whitelist access. > sandbox velocity template render > -------------------------------- > > Key: SOLR-13993 > URL: https://issues.apache.org/jira/browse/SOLR-13993 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Reporter: Robert Muir > Priority: Major > Fix For: 8.4 > > Attachments: SOLR-13993.patch, SOLR-13993.patch, SOLR-13993.patch, > SOLR-13993.patch > > > This thing seems dangerous :) > Making the whole solr secure is a whole nother thing: (see e.g. SOLR-13991 > and we haven't even gotten started). Its pretty difficult to convert whole > large app to work securely. It is going to take time. > In the meantime, if we have things that might do something dangerous, and > security manager is enabled, we can put them into a special little sandbox > and throw away the key: for example we can intentionally discard permissions > we don't need so they can't launch stuff, if we really don't trust them, we > can start filtering what classes classloader will load. > This isn't that crazy at all to do, e.g. your web browser does similar tricks > to try to sandbox specific parts that might do something unexpected and cause > security issue. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org