[jbosstools-issues] [JBoss JIRA] (JBIDE-14843) arquillian validator security concerns

Snjezana Peco (JIRA) jira-events at lists.jboss.org
Wed Jun 12 17:33:54 EDT 2013


    [ https://issues.jboss.org/browse/JBIDE-14843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12781271#comment-12781271 ] 

Snjezana Peco commented on JBIDE-14843:
---------------------------------------

I have created a security manager based on the AntSecurityManager class.
The manager disables System.exit, deleting a file, executing a command and setting a system property.
I have added validation tests.

Max, could you please review?

                
> arquillian validator security concerns
> --------------------------------------
>
>                 Key: JBIDE-14843
>                 URL: https://issues.jboss.org/browse/JBIDE-14843
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: testing-tools
>            Reporter: Max Rydahl Andersen
>            Assignee: Snjezana Peco
>            Priority: Blocker
>             Fix For: 4.1.0.Beta2
>
>
> The Arquillian validator seems to be running automatically and without a controlling security manager.
> With that behavior we are vulnerable to file deletions, system exits and malicious code.
> Just try adding this to a @Deployment method:
> System.exit(0);
> or even worse file deletions.
> This is not okay - we need the next release to not allow this to happen.
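
Added example, not part of the original message and not the JBoss Tools implementation: a minimal Java security manager that denies the four operations named in the comment above (System.exit, file deletion, command execution, setting a system property). All class, file and property names are hypothetical, and it assumes a JDK on which SecurityManager can still be installed (the API is deprecated for removal since Java 17).

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;
import java.util.PropertyPermission;
// Added illustration; all names are hypothetical, not JBoss Tools code.
public class RestrictiveSecurityManagerDemo {
    /** Denies exit, file deletion, command execution and property writes. */
    static class RestrictiveSecurityManager extends SecurityManager {
        @Override public void checkExit(int status) {
            throw new SecurityException("System.exit(" + status + ") blocked");
        }
        @Override public void checkDelete(String file) {
            throw new SecurityException("delete blocked: " + file);
        }
        @Override public void checkExec(String cmd) {
            throw new SecurityException("exec blocked: " + cmd);
        }
        @Override public void checkPropertiesAccess() {
            throw new SecurityException("System.setProperties blocked");
        }
        @Override public void checkPermission(Permission perm) {
            // System.setProperty checks PropertyPermission(key, "write").
            if (perm instanceof PropertyPermission && perm.getActions().contains("write")) {
                throw new SecurityException("property write blocked: " + perm.getName());
            }
            // Everything else is allowed, including setSecurityManager (main() restores the old
            // manager); a real manager must gate that permission or checked code can remove it.
        }
    }

    // Runs one action and reports whether the manager let it through.
    static String attempt(String label, Runnable action) {
        try { action.run(); return label + ": allowed"; }
        catch (SecurityException e) { return label + ": " + e.getMessage(); }
    }

    public static void main(String[] args) {
        SecurityManager previous = System.getSecurityManager();
        System.setSecurityManager(new RestrictiveSecurityManager());
        try {
            System.out.println(attempt("exit", () -> System.exit(0)));
            System.out.println(attempt("delete", () -> new File("constructed-sample.txt").delete()));
            System.out.println(attempt("exec", () -> {
                try { Runtime.getRuntime().exec("true"); }
                catch (IOException e) { throw new IllegalStateException(e); }
            }));
            System.out.println(attempt("setProperty", () -> System.setProperty("demo.key", "x")));
        } finally { System.setSecurityManager(previous); }
    }
}
```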
