MidPoint / MID-5193

Script expression security

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: subscription needed
    • Component/s: None
    • Labels:
      None

      Description

      Script expressions are code that runs inside midPoint servers. As such, script expressions are incredibly powerful. But with great power comes great responsibility. Script expressions can do a lot of useful things, but they can also do a lot of harm. There are just a few simple internal safeguards when it comes to expression evaluation. E.g. midPoint script libraries will properly enforce authorization when executing the functions. However, script languages are powerful and a clever expression can find a way around these safeguards. MidPoint is not placing expressions in a sandbox, therefore expressions are free to do almost anything.

      The sandbox is not enforced yet for complexity and performance reasons. However, we want to apply sandboxing or an equivalent strategy to limit the capabilities of script expressions. Yet, this is not easy. Sandbox privileges need to be chosen carefully and maintained. And then, some expressions may need to do stronger things than others. E.g. reporting expressions should be tightly restricted, while scripting hooks should remain very powerful. This is introducing additional complexity.

              People

              • Assignee:
                Unassigned
                Reporter:
                semancik Radovan Semancik