
incredible security hole with scheduler

Question asked by vincent-kali on Jun 3, 2016
Latest reply on Jun 9, 2016 by vincent-kali
When running script actions launched by the Alfresco scheduler, I get the following behaviour (5.0.d or 5.1.e):
- the scheduler runs as 'System' or 'admin' (same results) and executes a JS script stored in the repo folder 'Scheduled Actions'
- this script creates/moves/deletes documents
- documents created or moved have arbitrary 'owner' or 'modifiedBy' properties
- deleted documents appear in an arbitrary user's trash ( -> that user gains access to content he had no permission on initially)

Consequences:
- any user may become owner/deleter of any content created/moved/deleted by this script, which is executed by admin/System.
- Users ask me: why is this document owned by 'john'? He has no access to this site…

It seems that this 'arbitrary user' is the last logged-in user…
This is very easy to reproduce; you just have to write a JS script that:
- creates a log file in any site
- updates it each time it runs
You'll see that cm:modifier becomes an arbitrary user…

One question: how is this possible? Has anybody faced the same kind of issue?

Scheduled-action-service-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
    <!–
    Define the model factory used to generate object models suitable for use with freemarker templates.
    –>
    <bean id="templateActionModelFactory" class="org.alfresco.repo.action.scheduled.FreeMarkerWithLuceneExtensionsModelFactory">
        <property name="serviceRegistry">
            <ref bean="ServiceRegistry"/>
        </property>
    </bean>
   
   <bean id="runScriptActionTestJScript" class="org.alfresco.repo.action.scheduled.SimpleTemplateActionDefinition">
      <property name="actionName">
         <value>script</value>
      </property>
      <property name="parameterTemplates">
         <map>
            <entry>
               <key>
                  <value>script-ref</value>
               </key>
               <value>\$\{selectSingleNode('workspace://SpacesStore', 'fts-alfresco', 'PATH:"/app:company_home/app:dictionary/cm:Scheduled_x0020_Actions/cm:myTestScript.js"' )\}</value>
            </entry>
         </map>
      </property>
      <property name="templateActionModelFactory">
         <ref bean="templateActionModelFactory"/>
      </property>
      <property name="dictionaryService">
         <ref bean="DictionaryService"/>
      </property>
      <property name="actionService">
         <ref bean="ActionService"/>
      </property>
      <property name="templateService">
         <ref bean="TemplateService"/>
      </property>
   </bean>
   
   
   
    <bean id="runtestScheduleEveryOneMinutes" class="org.alfresco.repo.action.scheduled.CronScheduledQueryBasedTemplateActionDefinition">
        <property name="transactionMode">
            <value>UNTIL_FIRST_FAILURE</value>
         <!–value>ISOLATED_TRANSACTIONS</value–>
        </property>
        <property name="compensatingActionMode">
            <value>IGNORE</value>
        </property>
        <property name="searchService">
            <ref bean="SearchService"/>
        </property>
        <property name="templateService">
            <ref bean="TemplateService"/>
        </property>
        <property name="queryLanguage">
            <value>fts-alfresco</value>
        </property>
        <property name="stores">
            <list>
                <value>workspace://SpacesStore</value>
            </list>
        </property>
        <!– Find all nodes that do not have the aspect –>
        <property name="queryTemplate">
            <value>PATH:"/app:company_home/st:sites/cm:mySite/cm:documentLibrary/cm:_Inbox"</value>
        </property>
        <property name="cronExpression">
            <value>0 0/15 * * * ?</value>
        </property>
        <property name="jobName">
            <value>TestJScriptJobName</value>
        </property>
        <property name="jobGroup">
            <value>TestJScriptJobGroup</value>
        </property>
        <property name="triggerName">
            <value>TestJScriptTriggerName</value>
        </property>
        <property name="triggerGroup">
            <value>TestJScriptTriggerGroup</value>
        </property>
        <property name="scheduler">
            <ref bean="schedulerFactory"/>
        </property>
        <property name="actionService">
            <ref bean="ActionService"/>
        </property>
        <property name="templateActionModelFactory">
            <ref bean="templateActionModelFactory"/>
        </property>
        <property name="templateActionDefinition">
            <ref bean="runScriptActionTestJScript"/>
        </property>
        <property name="transactionService">
            <ref bean="TransactionService"/>
        </property>
        <property name="runAsUser">
            <value>System</value>
            <!–value>admin</value–>
        </property>
    </bean>
   
</beans>
