Groovy Sandboxing

2021-09-20 Thread Jacques Le Roux

Hi,

The security reporter 'thiscodecc' created OFBIZ-12305 about "Groovy Program sandbox bypass". He suggested using one of "the very mature solutions on 
the groovy sandbox on the market. You can refer to it.".


I had a look. The best article was from Cédric Champeau: https://melix.github.io/blog/2015/03/sandboxing.html and clearly he does not advocate for 
"mature solutions on the groovy sandbox on the market".


So I rather fixed the issue with a "simple" and pragmatic approach by reusing the work I already did with SecuredUpload::isValidTextFile. I refactored 
it and created the public SecuredUpload::isValidText.


Finally, with OFBIZ-12324 I extracted the webshell tokens in the 
deniedWebShellTokens property in security.properties.

I had a deeper look at Cédric's article and I'm now convinced that, because only ProgramExport in Webtool was concerned, we don't need to worry about 
Groovy Sandboxing.


If you don't think so, please explain why.

TIA

Jacques



Re: Messaging-System ActiveMQ Performance

2021-09-20 Thread Nicolas Malin
Hello Werner,

In your case I suggest not using cache clearing during your process.

We already manage a similar case with:
* create a delegator dedicated to the process without cache clearing
* use this delegator during the process instead of the default
* call cache clearing at the process end

Normally with this you will save your performance and keep your data fresh.

Nicolas

On 17/09/2021 10:10, Werner Brasch wrote:
>
> Hello
>
>  
>
> We are using OFBiz-CRM with two instances behind a load balancer.
>
> So we have to make “cacheClearing” and we are using the description at
> “https://cwiki.apache.org/confluence/display/OFBIZ/Distributed+Entity+Cache+Clear+%28DCC%29+Mechanism
> ”
>
> Now we have a Problem with the performance or with the configuration.
>
> When we do multiple operations, delete 10.000 rows in a table, we got
> 10.000 messages and for a long period (> 10 minutes) the messages are
> being read.
>
> Is it a performance problem or a configuration problem? What could be
> a solution?
>
>  
>
> Thank you.
>
> Best regards.
>
>


Re: [DISCUSSION] Do we start the R18 publish process ?

2021-09-20 Thread Jacques Le Roux

Hi Nicolas,

That's not exactly what I find:

https://issues.apache.org/jira/issues/?jql=project%20%3D%20OFBIZ%20AND%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Reopened%2C%20%22Patch%20Available%22)%20AND%20affectedVersion%20%3D%2018.12.01

Jacques

On 20/09/2021 at 10:14, Nicolas Malin wrote:

[1]
https://issues.apache.org/jira/browse/OFBIZ-12321?jql=resolution%20%3D%20Unresolved%20AND%20affectedVersion%20%3D%2018.12.01

:D forgot the link

On 20/09/2021 10:13, Nicolas Malin wrote:

The main is on the title :)

At this time some issues are still present [1], so we have to decide
whether to launch and move them to the next.

My feeling is after some time on it, we can go ahead and keep their fix
for the next when it would be possible.

Nicolas



Re: [DISCUSSION] Do we start the R18 publish process ?

2021-09-20 Thread Gil Portenseigne
+1 

Thanks,

Gil
On Mon, Sep 20, 2021 at 10:13:04AM +0200, Nicolas Malin wrote:
> The main is on the title :)
> 
> At this time some issues are still present [1], so we have to decide
> whether to launch and move them to the next.
> 
> My feeling is after some time on it, we can go ahead and keep their fix
> for the next when it would be possible.
> 
> Nicolas
> 


Re: [DISCUSSION] Do we start the R18 publish process ?

2021-09-20 Thread Jacopo Cappellato
+1

Jacopo

On Mon, Sep 20, 2021 at 10:13 AM Nicolas Malin wrote:
>
> The main is on the title :)
>
> At this time some issues are still present [1], so we have to decide
> whether to launch and move them to the next.
>
> My feeling is after some time on it, we can go ahead and keep their fix
> for the next when it would be possible.
>
> Nicolas
>


Re: [DISCUSSION] Do we start the R18 publish process ?

2021-09-20 Thread Nicolas Malin
[1]
https://issues.apache.org/jira/browse/OFBIZ-12321?jql=resolution%20%3D%20Unresolved%20AND%20affectedVersion%20%3D%2018.12.01

:D forgot the link

On 20/09/2021 10:13, Nicolas Malin wrote:
> The main is on the title :)
>
> At this time some issues are still present [1], so we have to decide
> whether to launch and move them to the next.
>
> My feeling is after some time on it, we can go ahead and keep their fix
> for the next when it would be possible.
>
> Nicolas
>


[DISCUSSION] Do we start the R18 publish process ?

2021-09-20 Thread Nicolas Malin
The main is on the title :)

At this time some issues are still present [1], so we have to decide
whether to launch and move them to the next.

My feeling is after some time on it, we can go ahead and keep their fix
for the next when it would be possible.

Nicolas

-- 
logoNrd 
Nicolas Malin
The apache way  : *Charity* Apache’s mission
is providing software for the public good.
informat...@nereide.fr
8 rue des Déportés 37000 TOURS, 02 47 50 30 54

Apache OFBiz |The Apache Way
|réseau LE