Sandboxing Groovy in reporting addon

Currently there are no restrictions on what Groovy running in a report band can do. For example:

def a = 'ps'.execute()
def b = [[:]]
a.in.eachLine {
    b.add([col: it])
}
a.waitFor()
a.closeStreams()

return b

Will list the tasks running on the application server. I’m too chicken to try ‘rm -rf /’. Obviously, even a minimally secured deployment would have the app running as a restricted user, but still, any idea how to sandbox these scripts?

Hi,
I started a discussion on this matter some time ago:

Current state of things is: if you want to be absolutely secure - you should not give permission to edit any Groovy script in the CUBA app to anyone except trusted users and system administrators.

Groovy is just too powerful to allow untrusted users to script it.

2 Likes

Played around with some options for limiting what the scripts can do (SecureASTCustomizer and Groovy Sandbox). But you’re right, any whitelist will have flaws, the best option’s probably just controlling access.

2 Likes
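
For reference, a compile-time check of the kind the SecureASTCustomizer option mentioned above allows. This is an added example, not code from the thread or from CUBA. The deny list and the `compiles` helper are assumptions made for illustration.

```groovy
import org.codehaus.groovy.ast.expr.MethodCallExpression
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// Constructed deny list for illustration only; it is not a complete policy.
def deniedMethods = ['execute'] as Set

def customizer = new SecureASTCustomizer()
// Reject any method call whose name is written literally in the source
// and appears in the deny list. Returning false means "not authorized".
customizer.addExpressionCheckers({ expr ->
    !(expr instanceof MethodCallExpression &&
      expr.methodAsString in deniedMethods)
} as SecureASTCustomizer.ExpressionChecker)

def config = new CompilerConfiguration()
config.addCompilationCustomizers(customizer)
def shell = new GroovyShell(config)

// Hypothetical helper: true if the script passes the customizer.
// Depending on the Groovy version the rejection surfaces either as a
// SecurityException or wrapped in a MultipleCompilationErrorsException.
def compiles(GroovyShell sh, String src) {
    try {
        sh.parse(src)
        return true
    } catch (SecurityException | MultipleCompilationErrorsException e) {
        return false
    }
}

// The first line of the script from the original post is rejected at parse time.
assert !compiles(shell, "def a = 'ps'.execute()")

// A band script that only builds rows still compiles.
assert compiles(shell, "def b = []\nb.add([col: 'ok'])\nreturn b")

// Caveat: this check inspects the AST at compile time, so it only sees
// names that are literal in the source. Groovy resolves calls dynamically
// at run time, which is why the thread's conclusion stands: restrict who
// may edit scripts and run the app as a restricted OS user, and treat a
// filter like this as an extra layer rather than a sandbox.
```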