Bug #953

closed

lock down security issues

Added by Chad Berkley almost 22 years ago. Updated almost 22 years ago.

Status: Resolved
Priority: Immediate
Assignee:
Category: monarch - general bugs
Target version:
Start date: 01/15/2003
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id: 953

Description

monarch is able to execute arbitrary code on so the security issues need to be
looked into. At a minimum, we need to make sure that absolute paths are not
allowed in step code so that the filesystem can't be accessed outside the temp
directory. Also need to make sure that certain commands are not executed in
different plugins. An example of this is the xterm command in SAS that gives a
user a command line terminal into the system. The original Perl script that was
monarch looked for any x* commands and threw an exception if they existed in
submitted code.

Actions #1

Updated by Matt Jones almost 22 years ago

Add a filter interface to AEPlugin that can be implemented to filter out insecure
pipelines and produce an exception when one is encountered. Use the Perl SAS X
command to initially try it out.

Actions #2

Updated by Chad Berkley almost 22 years ago

There is now an interface in the AEPlugin code that allows each plugin to
implement a filter for illegal code. I've implemented the filter for SAS and
Matlab. It is the responsibility of the plugin itself to make sure it is not
executing any dangerous code. See SASPlugin.checkForIllegalCode() to see an
example of the filter.

Actions #3

Updated by Redmine Admin over 11 years ago

Original Bugzilla ID was 953
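
A sketch of the per-plugin filter this ticket describes, added here as an example and not taken from the monarch code base or from SASPlugin.checkForIllegalCode(). The names StepCodeFilter, SasStepCodeFilter and FilterDemo are hypothetical, the sample step code is constructed, and the check for ".." paths goes one step beyond the absolute-path rule in the description.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical filter contract; the real AEPlugin interface is not shown on this page.
interface StepCodeFilter {
    List<String> findIllegalCode(String stepCode); // empty list means accepted
}

class SasStepCodeFilter implements StepCodeFilter {
    // Block comments are stripped first so "x/**/'cmd'" cannot hide the statement.
    private static final Pattern COMMENT = Pattern.compile("/\\*.*?\\*/", Pattern.DOTALL);
    // X statement at a statement boundary. "x = 1;" (assignment) is allowed;
    // any other statement starting with "x" is rejected, so the filter fails closed.
    private static final Pattern X_STATEMENT = Pattern.compile(
        "(?:^|;)\\s*x(?:\\s*[\"']|\\s+[^=;\\s])", Pattern.CASE_INSENSITIVE);
    // Quoted literal that starts at a filesystem root, a drive letter, or "..".
    private static final Pattern OUTSIDE_PATH = Pattern.compile(
        "[\"']\\s*(?:[/\\\\]|[a-z]:[/\\\\]|\\.\\.(?:[/\\\\]|[\"']))",
        Pattern.CASE_INSENSITIVE);

    @Override
    public List<String> findIllegalCode(String stepCode) {
        List<String> reasons = new ArrayList<>();
        String code = COMMENT.matcher(stepCode).replaceAll(" ");
        if (X_STATEMENT.matcher(code).find()) {
            reasons.add("X statement (runs an operating system command)");
        }
        if (OUTSIDE_PATH.matcher(code).find()) {
            reasons.add("path outside the temp directory");
        }
        return reasons;
    }
}

public class FilterDemo {
    public static void main(String[] args) {
        StepCodeFilter filter = new SasStepCodeFilter();
        String[] samples = {            // constructed step code, not real submissions
            "data a; x = 1; run;",      // plain variable assignment
            "data a; run; X 'xterm';",  // the case named in the description
            "x/* hide */'xterm';",      // comment used to split the statement
            "libname out '/etc';",      // absolute path
            "infile 'input.csv';"       // relative path inside the temp directory
        };
        for (String s : samples) {
            System.out.println(filter.findIllegalCode(s) + "  <-  " + s);
        }
    }
}
```

SAS also has a NOXCMD system option that disables the X statement in the interpreter itself, independent of any text filter.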
