mirror of
https://github.com/octoleo/plantuml.git
synced 2024-12-22 10:59:01 +00:00
feat: remove legacy ALLOW_INCLUDE use PLANTUML_SECURITY_PROFILE instead
https://github.com/plantuml/plantuml-server/issues/232
This commit is contained in:
parent
b32500bb61
commit
fbe7fa3b25
@ -1,4 +1,4 @@
|
|||||||
# Warning, "version" should be the same in gradle.properties and Version.java
|
# Warning, "version" should be the same in gradle.properties and Version.java
|
||||||
# Any idea anyone how to magically synchronize those :-) ?
|
# Any idea anyone how to magically synchronize those :-) ?
|
||||||
version = 1.2023.9beta4
|
version = 1.2023.9beta5
|
||||||
org.gradle.workers.max = 3
|
org.gradle.workers.max = 3
|
@ -74,11 +74,11 @@ public class OptionFlags {
|
|||||||
// static public boolean GRAPHVIZCACHE = false;
|
// static public boolean GRAPHVIZCACHE = false;
|
||||||
// static public final boolean TRACE_DOT = false;
|
// static public final boolean TRACE_DOT = false;
|
||||||
|
|
||||||
static public boolean ALLOW_INCLUDE = true;
|
// static public boolean ALLOW_INCLUDE = true;
|
||||||
|
//
|
||||||
static public void setAllowIncludeFalse() {
|
// static public void setAllowIncludeFalse() {
|
||||||
ALLOW_INCLUDE = false;
|
// ALLOW_INCLUDE = false;
|
||||||
}
|
// }
|
||||||
|
|
||||||
static public void setMaxPixel(int max) {
|
static public void setMaxPixel(int max) {
|
||||||
}
|
}
|
||||||
|
@ -40,7 +40,6 @@ import java.io.IOException;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import net.sourceforge.plantuml.OptionFlags;
|
|
||||||
import net.sourceforge.plantuml.file.AFile;
|
import net.sourceforge.plantuml.file.AFile;
|
||||||
import net.sourceforge.plantuml.file.AFileRegular;
|
import net.sourceforge.plantuml.file.AFileRegular;
|
||||||
import net.sourceforge.plantuml.file.AFileZipEntry;
|
import net.sourceforge.plantuml.file.AFileZipEntry;
|
||||||
@ -63,9 +62,9 @@ public class ImportedFiles {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public ImportedFiles withCurrentDir(AParentFolder newCurrentDir) {
|
public ImportedFiles withCurrentDir(AParentFolder newCurrentDir) {
|
||||||
if (newCurrentDir == null) {
|
if (newCurrentDir == null)
|
||||||
return this;
|
return this;
|
||||||
}
|
|
||||||
return new ImportedFiles(imported, newCurrentDir);
|
return new ImportedFiles(imported, newCurrentDir);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -82,27 +81,27 @@ public class ImportedFiles {
|
|||||||
// Log.info("ImportedFiles::getAFile nameOrPath = " + nameOrPath);
|
// Log.info("ImportedFiles::getAFile nameOrPath = " + nameOrPath);
|
||||||
// Log.info("ImportedFiles::getAFile currentDir = " + currentDir);
|
// Log.info("ImportedFiles::getAFile currentDir = " + currentDir);
|
||||||
final AParentFolder dir = currentDir;
|
final AParentFolder dir = currentDir;
|
||||||
if (dir == null || isAbsolute(nameOrPath)) {
|
if (dir == null || isAbsolute(nameOrPath))
|
||||||
return new AFileRegular(new SFile(nameOrPath).getCanonicalFile());
|
return new AFileRegular(new SFile(nameOrPath).getCanonicalFile());
|
||||||
}
|
|
||||||
// final File filecurrent = SecurityUtils.File(dir.getAbsoluteFile(),
|
// final File filecurrent = SecurityUtils.File(dir.getAbsoluteFile(),
|
||||||
// nameOrPath);
|
// nameOrPath);
|
||||||
final AFile filecurrent = dir.getAFile(nameOrPath);
|
final AFile filecurrent = dir.getAFile(nameOrPath);
|
||||||
Log.info("ImportedFiles::getAFile filecurrent = " + filecurrent);
|
Log.info("ImportedFiles::getAFile filecurrent = " + filecurrent);
|
||||||
if (filecurrent != null && filecurrent.isOk()) {
|
if (filecurrent != null && filecurrent.isOk())
|
||||||
return filecurrent;
|
return filecurrent;
|
||||||
}
|
|
||||||
for (SFile d : getPath()) {
|
for (SFile d : getPath()) {
|
||||||
if (d.isDirectory()) {
|
if (d.isDirectory()) {
|
||||||
final SFile file = d.file(nameOrPath);
|
final SFile file = d.file(nameOrPath);
|
||||||
if (file.exists()) {
|
if (file.exists())
|
||||||
return new AFileRegular(file.getCanonicalFile());
|
return new AFileRegular(file.getCanonicalFile());
|
||||||
}
|
|
||||||
} else if (d.isFile()) {
|
} else if (d.isFile()) {
|
||||||
final AFileZipEntry zipEntry = new AFileZipEntry(d, nameOrPath);
|
final AFileZipEntry zipEntry = new AFileZipEntry(d, nameOrPath);
|
||||||
if (zipEntry.isOk()) {
|
if (zipEntry.isOk())
|
||||||
return zipEntry;
|
return zipEntry;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return filecurrent;
|
return filecurrent;
|
||||||
@ -150,27 +149,25 @@ public class ImportedFiles {
|
|||||||
file = getAFile(filename.substring(0, idx));
|
file = getAFile(filename.substring(0, idx));
|
||||||
entry = filename.substring(idx + 1);
|
entry = filename.substring(idx + 1);
|
||||||
}
|
}
|
||||||
if (isAllowed(file) == false)
|
// if (isAllowed(file) == false)
|
||||||
|
if (file == null || file.getUnderlyingFile().isFileOk() == false)
|
||||||
return FileWithSuffix.none();
|
return FileWithSuffix.none();
|
||||||
|
|
||||||
return new FileWithSuffix(filename, suffix, file, entry);
|
return new FileWithSuffix(filename, suffix, file, entry);
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isAllowed(AFile file) throws IOException {
|
// private boolean isAllowed(AFile file) throws IOException {
|
||||||
// ::comment when __CORE__
|
// // ::comment when __CORE__
|
||||||
if (OptionFlags.ALLOW_INCLUDE)
|
// if (file != null) {
|
||||||
return true;
|
// final SFile folder = file.getSystemFolder();
|
||||||
|
// // System.err.println("canonicalPath=" + path + " " + folder + " " +
|
||||||
if (file != null) {
|
// // INCLUDE_PATH);
|
||||||
final SFile folder = file.getSystemFolder();
|
// if (includePath().contains(folder) && folder.isFileOk())
|
||||||
// System.err.println("canonicalPath=" + path + " " + folder + " " +
|
// return true;
|
||||||
// INCLUDE_PATH);
|
//
|
||||||
if (includePath().contains(folder))
|
// }
|
||||||
return true;
|
// // ::done
|
||||||
|
// return false;
|
||||||
}
|
// }
|
||||||
// ::done
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -117,9 +117,9 @@ public class SFile implements Comparable<SFile> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static SFile fromFile(File internal) {
|
public static SFile fromFile(File internal) {
|
||||||
if (internal == null) {
|
if (internal == null)
|
||||||
return null;
|
return null;
|
||||||
}
|
|
||||||
return new SFile(internal);
|
return new SFile(internal);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -257,7 +257,7 @@ public class SFile implements Comparable<SFile> {
|
|||||||
/**
|
/**
|
||||||
* Check SecurityProfile to see if this file can be open.
|
* Check SecurityProfile to see if this file can be open.
|
||||||
*/
|
*/
|
||||||
private boolean isFileOk() {
|
public boolean isFileOk() {
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
if (SecurityUtils.getSecurityProfile() == SecurityProfile.SANDBOX)
|
if (SecurityUtils.getSecurityProfile() == SecurityProfile.SANDBOX)
|
||||||
// In SANDBOX, we cannot read any files
|
// In SANDBOX, we cannot read any files
|
||||||
|
@ -216,7 +216,7 @@ public class SURL {
|
|||||||
/**
|
/**
|
||||||
* Check SecurityProfile to see if this URL can be opened.
|
* Check SecurityProfile to see if this URL can be opened.
|
||||||
*/
|
*/
|
||||||
private boolean isUrlOk() {
|
public boolean isUrlOk() {
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
if (SecurityUtils.getSecurityProfile() == SecurityProfile.SANDBOX)
|
if (SecurityUtils.getSecurityProfile() == SecurityProfile.SANDBOX)
|
||||||
// In SANDBOX, we cannot read any URL
|
// In SANDBOX, we cannot read any URL
|
||||||
|
@ -55,7 +55,7 @@ package net.sourceforge.plantuml.security;
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public enum SecurityProfile {
|
public enum SecurityProfile {
|
||||||
// ::remove folder when __HAXE__
|
// ::remove folder when __HAXE__
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Running in SANDBOX mode is completely secure. No local file can be read
|
* Running in SANDBOX mode is completely secure. No local file can be read
|
||||||
@ -161,4 +161,17 @@ public enum SecurityProfile {
|
|||||||
throw new AssertionError();
|
throw new AssertionError();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public boolean canWeReadThisEnvironmentVariable(String name) {
|
||||||
|
if (name == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (this == UNSECURE)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
if (name.toLowerCase().startsWith("plantuml"))
|
||||||
|
return true;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -222,16 +222,16 @@ public class SecurityUtils {
|
|||||||
return System.getenv(alternateName);
|
return System.getenv(alternateName);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
// /**
|
||||||
* Checks the environment variable and returns true if the variable is used in
|
// * Checks the environment variable and returns true if the variable is used in
|
||||||
* security context. In this case, the value should not be displayed in scripts.
|
// * security context. In this case, the value should not be displayed in scripts.
|
||||||
*
|
// *
|
||||||
* @param name Environment variable to check
|
// * @param name Environment variable to check
|
||||||
* @return true, if this is a secret variable
|
// * @return true, if this is a secret variable
|
||||||
*/
|
// */
|
||||||
public static boolean isSecurityEnv(String name) {
|
// public static boolean isSecurityEnv(String name) {
|
||||||
return name != null && name.toLowerCase().startsWith("plantuml.security.");
|
// return name != null && name.toLowerCase().startsWith("plantuml.security.");
|
||||||
}
|
// }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Configuration for Non-SSL authentication methods.
|
* Configuration for Non-SSL authentication methods.
|
||||||
|
@ -38,7 +38,6 @@ import java.util.List;
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
import net.sourceforge.plantuml.OptionFlags;
|
|
||||||
import net.sourceforge.plantuml.security.SFile;
|
import net.sourceforge.plantuml.security.SFile;
|
||||||
import net.sourceforge.plantuml.tim.EaterException;
|
import net.sourceforge.plantuml.tim.EaterException;
|
||||||
import net.sourceforge.plantuml.tim.EaterExceptionLocated;
|
import net.sourceforge.plantuml.tim.EaterExceptionLocated;
|
||||||
@ -61,18 +60,13 @@ public class FileExists extends SimpleReturnFunction {
|
|||||||
public TValue executeReturnFunction(TContext context, TMemory memory, LineLocation location, List<TValue> values,
|
public TValue executeReturnFunction(TContext context, TMemory memory, LineLocation location, List<TValue> values,
|
||||||
Map<String, TValue> named) throws EaterException, EaterExceptionLocated {
|
Map<String, TValue> named) throws EaterException, EaterExceptionLocated {
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
if (OptionFlags.ALLOW_INCLUDE == false)
|
|
||||||
// ::done
|
|
||||||
return TValue.fromBoolean(false);
|
|
||||||
// ::comment when __CORE__
|
|
||||||
|
|
||||||
final String path = values.get(0).toString();
|
final String path = values.get(0).toString();
|
||||||
return TValue.fromBoolean(fileExists(path));
|
return TValue.fromBoolean(new SFile(path).exists());
|
||||||
|
// ::done
|
||||||
|
|
||||||
|
// ::uncomment when __CORE__
|
||||||
|
// return TValue.fromBoolean(false);
|
||||||
// ::done
|
// ::done
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean fileExists(String path) {
|
|
||||||
final SFile f = new SFile(path);
|
|
||||||
return f.exists();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
@ -38,7 +38,6 @@ import java.util.List;
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
import net.sourceforge.plantuml.OptionFlags;
|
|
||||||
import net.sourceforge.plantuml.security.SecurityUtils;
|
import net.sourceforge.plantuml.security.SecurityUtils;
|
||||||
import net.sourceforge.plantuml.tim.EaterException;
|
import net.sourceforge.plantuml.tim.EaterException;
|
||||||
import net.sourceforge.plantuml.tim.EaterExceptionLocated;
|
import net.sourceforge.plantuml.tim.EaterExceptionLocated;
|
||||||
@ -61,18 +60,16 @@ public class Getenv extends SimpleReturnFunction {
|
|||||||
public TValue executeReturnFunction(TContext context, TMemory memory, LineLocation location, List<TValue> values,
|
public TValue executeReturnFunction(TContext context, TMemory memory, LineLocation location, List<TValue> values,
|
||||||
Map<String, TValue> named) throws EaterException, EaterExceptionLocated {
|
Map<String, TValue> named) throws EaterException, EaterExceptionLocated {
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
if (OptionFlags.ALLOW_INCLUDE == false)
|
final String value = getenv(values.get(0).toString());
|
||||||
// ::done
|
|
||||||
return TValue.fromString("");
|
|
||||||
// ::comment when __CORE__
|
|
||||||
|
|
||||||
final String name = values.get(0).toString();
|
|
||||||
final String value = getenv(name);
|
|
||||||
if (value == null)
|
if (value == null)
|
||||||
return TValue.fromString("");
|
return TValue.fromString("");
|
||||||
|
|
||||||
return TValue.fromString(value);
|
return TValue.fromString(value);
|
||||||
// ::done
|
// ::done
|
||||||
|
|
||||||
|
// ::uncomment when __CORE__
|
||||||
|
// return TValue.fromString("");
|
||||||
|
// ::done
|
||||||
}
|
}
|
||||||
|
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
@ -81,8 +78,9 @@ public class Getenv extends SimpleReturnFunction {
|
|||||||
// A plantuml server should have an own SecurityManager to
|
// A plantuml server should have an own SecurityManager to
|
||||||
// avoid access to properties and environment variables, but we should
|
// avoid access to properties and environment variables, but we should
|
||||||
// also stop here in other deployments.
|
// also stop here in other deployments.
|
||||||
if (SecurityUtils.isSecurityEnv(name))
|
if (SecurityUtils.getSecurityProfile().canWeReadThisEnvironmentVariable(name) == false)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
final String env = System.getProperty(name);
|
final String env = System.getProperty(name);
|
||||||
if (env != null)
|
if (env != null)
|
||||||
return env;
|
return env;
|
||||||
|
@ -165,9 +165,8 @@ public class LoadJson extends SimpleReturnFunction {
|
|||||||
byte[] byteData = null;
|
byte[] byteData = null;
|
||||||
if (path.startsWith("http://") || path.startsWith("https://")) {
|
if (path.startsWith("http://") || path.startsWith("https://")) {
|
||||||
final SURL url = SURL.create(path);
|
final SURL url = SURL.create(path);
|
||||||
if (url == null)
|
if (url != null)
|
||||||
throw EaterException.located("load JSON: Invalid URL " + path);
|
byteData = url.getBytes();
|
||||||
byteData = url.getBytes();
|
|
||||||
// ::comment when __CORE__
|
// ::comment when __CORE__
|
||||||
} else {
|
} else {
|
||||||
try {
|
try {
|
||||||
@ -179,7 +178,6 @@ public class LoadJson extends SimpleReturnFunction {
|
|||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
Logme.error(e);
|
Logme.error(e);
|
||||||
throw EaterException.located("load JSON: Cannot read file " + path + ". " + e.getMessage());
|
|
||||||
}
|
}
|
||||||
// ::done
|
// ::done
|
||||||
}
|
}
|
||||||
|
@ -108,8 +108,8 @@ public class LicenseInfo {
|
|||||||
|
|
||||||
public static synchronized LicenseInfo retrieveNamedSlow() {
|
public static synchronized LicenseInfo retrieveNamedSlow() {
|
||||||
cache = LicenseInfo.NONE;
|
cache = LicenseInfo.NONE;
|
||||||
if (OptionFlags.ALLOW_INCLUDE == false)
|
// if (OptionFlags.ALLOW_INCLUDE == false)
|
||||||
return cache;
|
// return cache;
|
||||||
|
|
||||||
final String key = prefs.get("license", "");
|
final String key = prefs.get("license", "");
|
||||||
if (key.length() > 0) {
|
if (key.length() > 0) {
|
||||||
|
@ -175,9 +175,8 @@ public class PSystemVersion extends PlainStringsDiagram {
|
|||||||
// :: done
|
// :: done
|
||||||
// :: comment when __CORE__
|
// :: comment when __CORE__
|
||||||
GraphvizCrash.checkOldVersionWarning(strings);
|
GraphvizCrash.checkOldVersionWarning(strings);
|
||||||
if (OptionFlags.ALLOW_INCLUDE) {
|
if (SecurityUtils.getSecurityProfile() == SecurityProfile.UNSECURE) {
|
||||||
if (SecurityUtils.getSecurityProfile() == SecurityProfile.UNSECURE)
|
strings.add("Loaded from " + Version.getJarPath());
|
||||||
strings.add("Loaded from " + Version.getJarPath());
|
|
||||||
|
|
||||||
if (OptionFlags.getInstance().isWord()) {
|
if (OptionFlags.getInstance().isWord()) {
|
||||||
strings.add("Word Mode");
|
strings.add("Word Mode");
|
||||||
|
@ -46,7 +46,7 @@ public class Version {
|
|||||||
|
|
||||||
// Warning, "version" should be the same in gradle.properties and Version.java
|
// Warning, "version" should be the same in gradle.properties and Version.java
|
||||||
// Any idea anyone how to magically synchronize those :-) ?
|
// Any idea anyone how to magically synchronize those :-) ?
|
||||||
private static final String version = "1.2023.9beta4";
|
private static final String version = "1.2023.9beta5";
|
||||||
|
|
||||||
public static String versionString() {
|
public static String versionString() {
|
||||||
return version;
|
return version;
|
||||||
|
Loading…
Reference in New Issue
Block a user