I want to create a secure ColdFusion environment, for which I am using multiple sandboxes configuration. The following tasks are easily achievable using the friendly administrator interface:
- Restricting CFtags like: cfexecute, cfregistry and cfhttp.
- Disabling Access to Internal ColdFusion Java components.
- Access only to certain server and port ranges by third-party resources.
And the others using configuration of the web server accordingly.
The Problem:
So I was satisfied with the setup only to encounter later that regardless of the restriction applied to the cfexecute tag one can use java.lang.Runtime to execute system files or scripts easily;
String[] cmd = {"cmd.exe", 'net stop "ColdFusion 10 Application Server"'};
Process p = Runtime.getRuntime().exec(cmd);
or using the java.lang.ProcessBuilder:
ProcessBuilder pb = new ProcessBuilder("cmd.exe", 'net stop "ColdFusion 10 Application Server"');
....
Process myProcess = pb.start();
The problem is that I cannot find any solutions which allows me to disable these two classes: java.lang.Runtime & java.lang.ProcessBuilder for the createObject().
For the note: I have tried the file restriction in the sanbox and os permission as well, but unfortunately they seem to work on an I/O file operations only and I cannot mess with security policies of the system libraries as they might be used internally by ColdFusion.
Following the useful suggestions from @Leigh and @Miguel-F, I tried my hands on implementing the
Security ManagerandPolicy. Here's the outcome:1. Specifying an Additional Policy File at runtime instead of making changes to the default
java.policyfile. To enable this, we add the following parameters to JVM arguments using CFAdmin interface or alternatively appending it to thejvm.argsline in thejvm.configfile :There is a nice GUI utility inside
jre\bin\calledpolicytool.exewhich allows you to manage policy entries easily and efficiently.2. We have enforced the Security manager and provided our custom security policy file which contains:
Here we are setting
FilePermissionfor all files toread, write, deleteexcludingexecutefrom the list as we do not want any type of file to be executed using the java runtime.Note: The codebase can be set to an empty string if we want the policy to be applied to all the applications irrespective of the source.
I really wished for a
denyrule in policy file to make things easier similar to thegrantrule we're using, but there isn't unfortunately. If you need to put in place a set of complex security policies, you can use Prograde library, which implements policy file with deny rule (stack ref.). You could surely replace<<ALL FILES>>with individual file and set permissions accordingly or for a better control use a combination of<<ALL FILES>>and individual file permissions.References: Default Policy Implementation and Policy File Syntax, Permissions in JDK and Controlling Applications
This approach solves our core issue: denying execution of files using java runtime by specifying permissions allowed on a file. In other approach, we can implement
Security Managerdirectly in our application to define policy file from there, instead of defining it in our JVM args.To be able to set it, we need these permissions inside our policy file:
Using Security Manager object inside an application has its own advantages as it exposes many useful methods For instance:
CheckExec(String cmd)which checks whether a calling thread is allowed to create a sub-process or not.