Support Article
Running console commands in a non-auto-generated JSP
SA-3152
Summary
PRPC places no restriction on which Java classes a non-auto-generated JSP may load and call. A JSP deployed to the server can therefore contain arbitrary Java such as Runtime.getRuntime().exec("cat /etc/passwd");, which runs an operating system command with the privileges of the application server process (in this example, reading the Linux user account list in /etc/passwd). This amounts to arbitrary command execution on the host and is a major security risk that needs to be addressed.
Resolution
This issue is resolved through a local change: implement a Java security manager policy file that restricts what the web application's code is permitted to do. The format of this file is specific to the web application server. PRPC bundles sample policy files in its war file under the directory prweb.war/WEB-INF/policy-examples/*.policy.
An example implementation for Tomcat 7 follows:
1) Add the following lines to setenv.sh. The first two lines enable the Java security manager and point it at the policy file; the next two define system properties that the policy file references (as ${pega.context_root} and ${pega.tmpdir}).
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager"
JAVA_OPTS="$JAVA_OPTS -Djava.security.policy=/opt/srv/apache-tomcat-7.0.52/conf/tomcat7-prpc.policy"
JAVA_OPTS="$JAVA_OPTS -Dpega.context_root=prweb"
JAVA_OPTS="$JAVA_OPTS -Dpega.tmpdir=/pr_temp"
2) Put tomcat7-prpc.policy in the directory referenced by -Djava.security.policy (here /opt/srv/apache-tomcat-7.0.52/conf/). An example file is attached.
This file is an adjustment of the tomcat6.policy sample file bundled with PRPC. The set of permissions to grant needs to be tuned for each web application server and for the custom application being developed: any permission not granted in the file is denied, so start from the sample and add only the permissions the application demonstrably needs. A web server administrator is the best role to tune this file.
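The following policy file is an added, illustrative example of how the two steps fit together; it is not the attached tomcat7-prpc.policy nor one of PRPC's bundled samples. It assumes Tomcat 7 installed with catalina.home and catalina.base pointing at the same directory, prweb deployed under ${catalina.base}/webapps/${pega.context_root}, and the four JAVA_OPTS lines from step 1 in effect so that ${pega.context_root} and ${pega.tmpdir} expand. The Tomcat core grants at the top are assumed to be copied from the stock conf/catalina.policy; the permission list for the web application is a hypothetical minimum and will need additions for a real installation.

```text
// tomcat7-prpc.policy (hypothetical example, not the attached file)

// --- Tomcat core: assumed to be taken verbatim from conf/catalina.policy ---
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

// --- The PRPC web application: context root taken from -Dpega.context_root ---
grant codeBase "file:${catalina.base}/webapps/${pega.context_root}/-" {
    // Read its own deployment and the JRE.
    permission java.io.FilePermission "${catalina.base}/webapps/${pega.context_root}/-", "read";
    permission java.io.FilePermission "${java.home}/-", "read";

    // Read/write/delete only inside the temp directory from -Dpega.tmpdir.
    permission java.io.FilePermission "${pega.tmpdir}", "read,write";
    permission java.io.FilePermission "${pega.tmpdir}/-", "read,write,delete";

    // Outbound connections (JDBC, web services). Tighten to specific hosts where possible.
    permission java.net.SocketPermission "*", "connect,resolve";

    // Assumed to be required by the application; verify against the bundled sample.
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";

    // Deliberately NOT granted:
    //   permission java.io.FilePermission "<<ALL FILES>>", "execute";
    //   permission java.security.AllPermission;
    // Runtime.exec() calls SecurityManager.checkExec(), which requires a
    // FilePermission with the "execute" action on the command (or on
    // "<<ALL FILES>>" when the command path is not absolute). Without it,
    // Runtime.getRuntime().exec("cat /etc/passwd") in a JSP fails with
    // java.security.AccessControlException instead of running.
};
```

After restarting Tomcat with these settings, confirm the manager is active by checking that a JSP containing Runtime.getRuntime().exec(...) throws java.security.AccessControlException, and that the application's normal functions (temp-file writes, database connections) still succeed; any AccessControlException in catalina.out during normal use indicates a permission that must be added to the web application's grant block rather than a reason to grant AllPermission. Note that the Java Security Manager was deprecated for removal in JDK 17 (JEP 411), so this control applies only to JDK versions that still support it.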
Published January 31, 2016 - Updated October 8, 2020