logback / LOGBACK-1606 [Open]
Bring Back Groovy Config and use SecureASTCustomizer to secure it

==============================

Here's what changed in this issue in the last few minutes.
This issue has been created
This issue is now assigned to you.

View or comment on issue using this link
https://jira.qos.ch/browse/LOGBACK-1606

==============================
 Issue created
------------------------------

Tucker J Pelletier created this issue on 04/Jan/22 5:31 AM
Summary:              Bring Back Groovy Config and use SecureASTCustomizer to 
secure it
Issue Type:           Improvement
Affects Versions:     1.2.9
Assignee:             Logback dev list
Created:              04/Jan/22 5:31 AM
Priority:             Blocker
Reporter:             Tucker J Pelletier
Description:
  There are a lot of apps that use the Groovy-based config (including all Grails 
apps). To convert these to XML will require a lot of changes, and there would be 
things that are not supported. For example, in all the apps I'm currently 
working in we have a standard setup for the dev environment, but in the 
production environment we use an appender for Log Entries. I think it should 
be the implementer's choice to use Groovy for config or not, and just make the 
implementer aware of the possible issue.
  
   
  
  That being said, there are steps you can take to lock down a DSL using the 
SecureASTCustomizer. The SecureASTCustomizer lets you limit what a user can 
import and what tokens they can use, and you can even create a 
SecureASTCustomizer.ExpressionChecker, which would allow you to add an allow-list 
check for method names.
  
   
  
  I created some sample code at these links:
  
  [https://github.com/virtualdogbert/logback-test]
  
  
[https://github.com/virtualdogbert/logback-test/blob/master/grails-app/init/logback/test/BootStrap.groovy#L14]
  
  
[https://github.com/virtualdogbert/logback-test/blob/master/src/main/groovy/com/logback/test/GafferConfigurator.groovy#L62-L141]
  
  
[https://github.com/virtualdogbert/logback-test/blob/master/src/main/groovy/com/logback/test/ScriptExpressionChecker.groovy]
  
   
  
  I would say this is a good start, but you would have to actually integrate it 
with the deleted code and do a fair amount of testing. There may be other 
imports that other people would want added to the allow list, based on whatever 
framework they are using, which is something that could be updated/expanded 
over time; however, being security-minded, you will probably want to keep the 
list somewhat short and concise.
  
   
  
  Here are some additional links about using the SecureASTCustomizer:
  
  
[https://docs.groovy-lang.org/latest/html/documentation/#compilation-customizers]
  
  [https://blog.mrhaki.com/2014/04/groovy-goodness-restricting-script.html]
  
  Let me know your thoughts or if you have any questions.
  
   


==============================
 This message was sent by Atlassian Jira (v8.8.0#808000-sha1:e2c7e59)

_______________________________________________
logback-dev mailing list
[email protected]
http://mailman.qos.ch/mailman/listinfo/logback-dev
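The lock-down the reporter describes (import allow lists, a token allow list, and an ExpressionChecker that allow-lists method names), as an added example: this is not the reporter's code, not the linked logback-test repository, and not logback's own GafferConfigurator. It assumes Groovy 3.x on the classpath and nothing else. ConfigDsl and ComponentStub are a constructed stand-in for logback's Gaffer script base class (they only record what the config asked for), ALLOWED_METHODS is an illustrative allow list, and the three sample configs are constructed. It goes one step beyond the description by also refusing constructor calls and method pointers, since `new File(...)` reaches the filesystem without any method call for the name check to see.

```groovy
import groovy.transform.Field
import org.codehaus.groovy.ast.expr.ConstructorCallExpression
import org.codehaus.groovy.ast.expr.Expression
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.ast.expr.MethodPointerExpression
import org.codehaus.groovy.ast.expr.StaticMethodCallExpression
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import org.codehaus.groovy.syntax.Types

// Constructed stand-in for a logback component: every property the DSL sets
// (e.g. pattern = "...") is recorded instead of being applied.
class ComponentStub {
    final String type
    final Map<String, Object> props = [:]
    ComponentStub(String type) { this.type = type }
    def propertyMissing(String name, Object value) { props[name] = value }
    String toString() { "${type}${props}" }
}

// Constructed stand-in for the Gaffer script base class: the verbs a config may use.
abstract class ConfigDsl extends Script {
    final List<String> calls = []

    private static ComponentStub build(String type, Closure body) {
        ComponentStub c = new ComponentStub(type)
        body.delegate = c
        body.resolveStrategy = Closure.DELEGATE_FIRST   // pattern = ... lands on the stub
        body()
        c
    }
    void appender(String name, String type, Closure body) {
        calls << "appender $name ($type)".toString()
        build(type, body)
    }
    void encoder(String type, Closure body) { calls << "  encoder ${build(type, body)}".toString() }
    void root(String level, List<String> appenderNames) { calls << "root $level -> $appenderNames".toString() }
}

// Illustrative allow list of method names a config script may call.
@Field Set<String> ALLOWED_METHODS = ['appender', 'encoder', 'logger', 'root'] as Set

CompilerConfiguration lockedDownConfig() {
    SecureASTCustomizer secure = new SecureASTCustomizer()
    secure.packageAllowed = false
    secure.methodDefinitionAllowed = false        // no `def helper() { ... }` in a config
    secure.closuresAllowed = true                 // the DSL is built on closures
    // Import allow lists: any other import, including star imports, fails compilation.
    secure.importsWhitelist = ['ch.qos.logback.classic.encoder.PatternLayoutEncoder',
                               'ch.qos.logback.core.ConsoleAppender']
    secure.starImportsWhitelist = []
    secure.staticImportsWhitelist = []
    secure.staticStarImportsWhitelist = []        // a real integration would allow ch.qos.logback.classic.Level here
    // Operators: a config assigns properties and at most concatenates strings.
    secure.tokensWhitelist = [Types.ASSIGN, Types.PLUS]
    // Import lists only look at import statements, so java.lang classes and fully
    // qualified names still get through; the real gate is this checker, which runs on
    // every expression in the script.
    secure.addExpressionCheckers({ Expression expr ->
        if (expr instanceof ConstructorCallExpression || expr instanceof StaticMethodCallExpression
                || expr instanceof MethodPointerExpression) return false
        if (expr instanceof MethodCallExpression) {
            String name = expr.methodAsString      // null for dynamic names such as "${x}"(), so those fail too
            return name != null && name in ALLOWED_METHODS
        }
        true
    } as SecureASTCustomizer.ExpressionChecker)

    CompilerConfiguration cfg = new CompilerConfiguration()
    cfg.scriptBaseClass = ConfigDsl.name
    cfg.addCompilationCustomizers(secure)
    cfg
}

// Compile and run one config; a SecurityException from the customizer surfaces as a compilation error.
Map load(String configText) {
    GroovyShell shell = new GroovyShell(ConfigDsl.classLoader, new Binding(), lockedDownConfig())
    try {
        ConfigDsl script = (ConfigDsl) shell.parse(configText)   // the customizer runs here, before any code executes
        script.run()
        return [accepted: true, calls: script.calls]
    } catch (CompilationFailedException e) {
        return [accepted: false, reason: e.message.readLines().find { it.contains('not allowed') } ?: e.message]
    }
}

// Constructed sample configs: one benign, two that an unrestricted Groovy config would execute.
String benign = '''
appender("STDOUT", "ConsoleAppender") {
    encoder("PatternLayoutEncoder") { pattern = "%d %-5level %logger{36} - %msg%n" }
}
root("INFO", ["STDOUT"])
'''
String runsProcess = '''
appender("STDOUT", "ConsoleAppender") { encoder("PatternLayoutEncoder") { pattern = "%msg%n" } }
Runtime.getRuntime().exec("touch /tmp/logback-config-ran-code")   // java.lang needs no import
root("INFO", ["STDOUT"])
'''
String readsFile = '''
appender("STDOUT", "ConsoleAppender") {
    encoder("PatternLayoutEncoder") { pattern = new File("/etc/passwd").text }   // no method call at all
}
root("INFO", ["STDOUT"])
'''

[benign: benign, 'runs a process': runsProcess, 'reads a file via a constructor': readsFile].each { label, text ->
    Map r = load(text)
    println r.accepted ? "${label}: accepted -> ${r.calls}" : "${label}: rejected (${r.reason})"
}
```

Run it with `groovy` on the file: the benign config is accepted and its recorded calls printed; the other two are rejected at compile time, before `run()` is ever reached. Two things to keep in mind when integrating something like this with logback's Gaffer code: the import lists are checked against everything the compiler sees, so any imports an ImportCustomizer adds on the script's behalf (Gaffer's star imports of the logback packages and static import of Level) must be in the allow lists as well; and `receiversClassesWhiteList` keys on the receiver's static type, which in a dynamic DSL script is mostly Object, so the method-name check carries more weight than the receiver check.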
