Restricting "com.example.SomeClass"?new(): opinions?

Restricting "com.example.SomeClass"?new(): opinions?

Daniel Dekany
Something I have added to 2.3.17 is this, and I thought some may have
opinions regarding how it's done. After all, when it is out on
the 16th, it will have to remain like this forever.

So, when you call ?new in a template, then to resolve the class name
FreeMarker now uses the "new_builtin_class_resolver" setting, which is
of type freemarker.core.TemplateClassResolver (also new), which looks
like this:

/**
 * Used by built-ins and other template language features that get a class
 * based on a string. This can be handy both for implementing security
 * restrictions and for working around local class-loader issues.
 ...
 */
public interface TemplateClassResolver {

    ...

    /**
     * Gets a {@link Class} based on the class name.
     *
     * @param className the fully-qualified class name
     * @param env the environment in which the template executes
     * @param template the template in which the operation that requires the
     *        class resolution resides. This is <code>null</code> if the
     *        call doesn't come from a template.
     *
     * @throws TemplateException if the class can't be found or shouldn't be
     *   accessed from a template for security reasons.
     */
    Class resolve(String className, Environment env, Template template) throws TemplateException;
   
}

So you can add your own implementation (e.g. with
Configuration.setNewBuiltinClassResolver) if you want to keep ?new
under control. This is mostly a security thing. BTW, this interface
isn't tied to ?new, although right now that's the only place where
it's used.

Some out-of-the-box implementations of this interface are:

- TemplateClassResolver.UNRESTRICTED_RESOLVER: The default in 2.3.x.

- TemplateClassResolver.ALLOWS_NOTHING_RESOLVER: As the name implies...

- OptInTemplateClassResolver: Here you can specify what classes are
  allowed to be instantiated (by name), hence "opt-in". You can also
  specify which templates are trusted (by name, like "foo/bar.ftl", or
  by directory, like "lib/*"); the restrictions will not apply in
  those.

--
Best regards,
 Daniel Dekany


_______________________________________________
FreeMarker-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/freemarker-devel
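
A minimal custom resolver of the kind the message above describes, as an added example (it is not FreeMarker's own code and not its OptInTemplateClassResolver). The class name AllowlistClassResolver, the "lib/" trusted prefix and the choice to treat template == null as untrusted are assumptions made for illustration.

```java
import freemarker.core.Environment;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Name-based allowlist for ?new: the decision is made before any class is loaded. */
public class AllowlistClassResolver implements TemplateClassResolver {
    private final Set<String> allowedClasses;
    private final String trustedPrefix; // hypothetical layout, e.g. "lib/"

    public AllowlistClassResolver(Set<String> allowedClasses, String trustedPrefix) {
        this.allowedClasses = allowedClasses;
        this.trustedPrefix = trustedPrefix;
    }

    public Class resolve(String className, Environment env, Template template)
            throws TemplateException {
        // template is null when the call does not come from a template;
        // this example treats that case as untrusted (an assumption).
        boolean trusted = template != null && template.getName() != null
                && template.getName().startsWith(trustedPrefix);
        if (!trusted && !allowedClasses.contains(className)) {
            throw new TemplateException("?new is not allowed for class " + className, env);
        }
        try {
            // Only names that passed the check above ever reach the class loader.
            return Class.forName(className, true,
                    Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException e) {
            throw new TemplateException("Class not found: " + className, e, env);
        }
    }

    public static void main(String[] args) {
        Configuration cfg = new Configuration();
        Set<String> allowed = new HashSet<String>(Arrays.asList("com.example.SomeClass"));
        cfg.setNewBuiltinClassResolver(new AllowlistClassResolver(allowed, "lib/"));
    }
}
```
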

Re: Restricting "com.example.SomeClass"?new(): opinions?

Denis Bredelet
Hi Daniel

That looks good. Comments below.

On 8 May 2011, at 19:50, Daniel Dekany <[hidden email]> wrote:

> Something I have added to 2.3.17 is this, and I thought some may have
> opinions regarding how it's done. After all, when it is out on
> the 16th, it will have to remain like this forever.
>
> So, when you call ?new in a template, then to resolve the class name
> FreeMarker now uses the "new_builtin_class_resolver" setting, which is
> of type freemarker.core.TemplateClassResolver (also new), which looks
> like this:
>
> /**
> * Used by built-ins and other template language features that get a class
> * based on a string. This can be handy both for implementing security
> * restrictions and for working around local class-loader issues.
> ...
> */
> public interface TemplateClassResolver {
>
>    ...
>
>    /**
>     * Gets a {@link Class} based on the class name.
>     *
>     * @param className the fully-qualified class name
>     * @param env the environment in which the template executes
>     * @param template the template in which the operation that requires the
>     *        class resolution resides. This is <code>null</code> if the
>     *        call doesn't come from a template.
>     *
>     * @throws TemplateException if the class can't be found or shouldn't be
>     *   accessed from a template for security reasons.

Why do you throw TemplateException if the class can't be found?
According to the doc you can call resolve outside a template.

>     */
>    Class resolve(String className, Environment env, Template template) throws TemplateException;
>
> }
>
> So you can add your own implementation (e.g. with
> Configuration.setNewBuiltinClassResolver) if you want to keep ?new
> under control. This is mostly a security thing. BTW, this interface
> isn't tied to ?new, although right now that's the only place where
> it's used.
>
> Some out-of-the-box implementations of this interface are:
>
> - TemplateClassResolver.UNRESTRICTED_RESOLVER: The default in 2.3.x.
>
> - TemplateClassResolver.ALLOWS_NOTHING_RESOLVER: As the name implies...
>
> - OptInTemplateClassResolver: Here you can specify what classes are
>  allowed to be instantiated (by name), hence "opt-in". You can also
>  specify which templates are trusted (by name, like "foo/bar.ftl", or
>  by directory, like "lib/*"); the restrictions will not apply in
>  those.
>

Can you also specify allowed interfaces or a superclass? So that only instances of these are permitted. This is to allow the template to make assumptions about objects in the context.

-- Denis.

> --
> Best regards,
> Daniel Dekany
>
>

Re: Restricting "com.example.SomeClass"?new(): opinions?

Daniel Dekany
Monday, May 9, 2011, 11:28:19 AM, Denis Bredelet wrote:

> Hi Daniel
>
> That looks good. Comments below.
>
> On 8 May 2011, at 19:50, Daniel Dekany <[hidden email]> wrote:
>
>> Something I have added to 2.3.17 is this, and I thought some may have
>> opinions regarding how it's done. After all, when it is out on
>> the 16th, it will have to remain like this forever.
>>
>> So, when you call ?new in a template, then to resolve the class name
>> FreeMarker now uses the "new_builtin_class_resolver" setting, which is
>> of type freemarker.core.TemplateClassResolver (also new), which looks
>> like this:
>>
>> /**
>> * Used by built-ins and other template language features that get a class
>> * based on a string. This can be handy both for implementing security
>> * restrictions and for working around local class-loader issues.
>> ...
>> */
>> public interface TemplateClassResolver {
>>
>>    ...
>>
>>    /**
>>     * Gets a {@link Class} based on the class name.
>>     *
>>     * @param className the fully-qualified class name
>>     * @param env the environment in which the template executes
>>     * @param template the template in which the operation that requires the
>>     *        class resolution resides. This is <code>null</code> if the
>>     *        call doesn't come from a template.
>>     *
>>     * @throws TemplateException if the class can't be found or shouldn't be
>>     *   accessed from a template for security reasons.
>
> Why do you throw TemplateException if the class can't be found?
> According to the doc you can call resolve outside a template.

This interface is meant to be used by language constructs in FreeMarker,
but I still allow calling it without a template because if you implement
something in a TemplateMethodModel or the like, you aren't calling
*lexically* from a template. That is, template == null basically means
"I'm called from Java or the like", and then it's up to the
TemplateClassResolver implementation to react to that situation. Note
that the Environment is required, so this still can only be called
in the context of a template processing.

>>     */
>>    Class resolve(String className, Environment env, Template template) throws TemplateException;
>>
>> }
>>
>> So you can add your own implementation (e.g. with
>> Configuration.setNewBuiltinClassResolver) if you want to keep ?new
>> under control. This is mostly a security thing. BTW, this interface
>> isn't tied to ?new, although right now that's the only place where
>> it's used.
>>
>> Some out-of-the-box implementations of this interface are:
>>
>> - TemplateClassResolver.UNRESTRICTED_RESOLVER: The default in 2.3.x.
>>
>> - TemplateClassResolver.ALLOWS_NOTHING_RESOLVER: As the name implies...
>>
>> - OptInTemplateClassResolver: Here you can specify what classes are
>>  allowed to be instantiated (by name), hence "opt-in". You can also
>>  specify which templates are trusted (by name, like "foo/bar.ftl", or
>>  by directory, like "lib/*"); the restrictions will not apply in
>>  those.
>>
>
> Can you also specify allowed interfaces or a superclass? So that only
> instances of these are permitted. This is to allow the template to
> make assumptions about objects in the context.

In OptInTemplateClassResolver you mean. Yes, that's doable (even in
later versions). However, to check those things I have to load the
class first, which triggers static initializers, so it's not as safe a
filter as filtering by name.

> -- Denis.
>
>> --
>> Best regards,
>> Daniel Dekany
>>
>>

--
Best regards,
 Daniel Dekany
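
The point in the reply above about name filtering versus supertype filtering, as an added example (not code from the thread or from FreeMarker): a filter that inspects the class must load it first, while a name filter rejects it untouched. The class names here are constructed; the example also shows the three-argument Class.forName with initialize=false, which defers static initializers but still loads the class.

```java
import java.util.Collections;
import java.util.Set;

public class FilterOrderDemo {
    static boolean initializerRan = false;

    /** Constructed stand-in for a class a template should never instantiate. */
    static class Unwanted {
        static { initializerRan = true; } // side effect of class initialization
    }

    /** Filter by name: rejects before the class loader is involved at all. */
    static Class<?> resolveByName(String name, Set<String> allowed) throws Exception {
        if (!allowed.contains(name)) throw new SecurityException("not allowed: " + name);
        return Class.forName(name);
    }

    /** Filter by supertype: the class has to be loaded before it can be inspected. */
    static Class<?> resolveByType(String name, Class<?> required, boolean initialize)
            throws Exception {
        Class<?> c = Class.forName(name, initialize, FilterOrderDemo.class.getClassLoader());
        if (!required.isAssignableFrom(c)) throw new SecurityException("wrong type: " + name);
        return c;
    }

    /** Runs one rejected lookup and reports whether the static initializer has run. */
    static void report(String label, Runnable attempt) {
        try { attempt.run(); } catch (SecurityException expected) { /* rejected, as intended */ }
        System.out.println(label + ": initializer ran = " + initializerRan);
    }

    public static void main(String[] args) {
        final String name = Unwanted.class.getName(); // a class literal does not initialize
        report("name filter", () -> {
            try { resolveByName(name, Collections.<String>emptySet()); }
            catch (SecurityException e) { throw e; } catch (Exception e) { throw new RuntimeException(e); }
        });
        report("type filter, initialize=false", () -> {
            try { resolveByType(name, Runnable.class, false); }
            catch (SecurityException e) { throw e; } catch (Exception e) { throw new RuntimeException(e); }
        });
        report("type filter, initialize=true", () -> {
            try { resolveByType(name, Runnable.class, true); }
            catch (SecurityException e) { throw e; } catch (Exception e) { throw new RuntimeException(e); }
        });
    }
}
```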

