
security audit: msg#00149

jakarta.velocity.user

Subject: security audit

Hi,

I'm doing a security audit of our Velocity-based web application, looking for
potential exploits and fixing them. We have several hundred user accounts, all
of whom have the ability to upload templates. My main concern is preventing a
template writer from accessing information they shouldn't or corrupting the
system in some way. Since context references are based on the Java objects, a
template writer with knowledge of the object hierarchy and Java could do
serious damage in a poorly designed system.

I've identified 4 areas of concern, which I've listed below with my solutions.
Are there other areas I've missed? Appreciate any advice from the Velocity
community.

(1) Template writer can execute any method from any class (such as Runtime.exit
or File.delete) by getting the classloader and instantiating a class.
http://nagoya.apache.org/eyebrowse/ReadMsg?listId=102&msgNo=5980

Solution -- patch Velocity to prevent execution of methods from the classes
Class, ClassLoader, and java.lang.reflect.*

http://nagoya.apache.org/eyebrowse/ReadMsg?listName=velocity-dev@xxxxxxxxxxxxxxxxxx&msgNo=7802

(2) Template writer can use #include and #parse to load any file in template
path

Solution - patch to Velocity allowing the developer to control what files
are accessible to input directives

http://nagoya.apache.org/eyebrowse/ReadMsg?listName=velocity-dev@xxxxxxxxxxxxxxxxxx&msgNo=7781

(3) If Torque objects are available in the context, the writer can execute
arbitrary SQL code with
$TorqueObject.Peer.executeStatement("delete from big_table")

Solution - override the getPeer method in the Torque object to return null. (Note:
must also do solution #1, or the template writer can acquire an instance of the
superclass.)

(4) Generalization of #3. Other objects in the context might have methods with
unwanted consequences. Special caution for objects that are implementations of
interfaces -- there might be hidden methods in the implementing class that are
undesirable.

Solution - Review every object placed in the context. Remove "request" and
"response" which are placed in the VelocityServlet context by default.


Any other thoughts?

Best,
WILL



_______________________________________
Forio Business Simulations
Will Glass-Husain
www.forio.com
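The four controls Will asks about, worked through in code. This is an added example, not part of the original message or of the Velocity project's own code; it assumes the Velocity 1.7 API (SecureUberspector and IncludeEventHandler were added to Velocity in 1.5, after this message was written) with velocity-1.7.jar and its dependencies on the classpath. The AccountView class, the "shared/" include prefix and the /var/app/templates root are hypothetical stand-ins for a Torque-generated object and a site's own layout.

```java
// Added example (not from the original post): a Velocity 1.7 engine hardened
// along the four lines of the audit. Assumes velocity-1.7.jar on the classpath;
// AccountView, "shared/" and /var/app/templates are hypothetical.
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.app.event.EventCartridge;
import org.apache.velocity.app.event.IncludeEventHandler;

public class SandboxedVelocity {

    // (1) SecureUberspector refuses method lookups on the java.lang.reflect
    //     package and on a default list of dangerous classes (ClassLoader,
    //     Runtime, System, Thread, ...). The lists are configurable through the
    //     introspector.restrict.packages / introspector.restrict.classes keys.
    static VelocityEngine newHardenedEngine() {
        VelocityEngine engine = new VelocityEngine();
        engine.setProperty("runtime.introspector.uberspect",
                "org.apache.velocity.util.introspection.SecureUberspector");
        // (2) Pin the resource loader to one directory; the include handler
        //     below narrows what inside that directory a template may pull in.
        engine.setProperty("resource.loader", "file");
        engine.setProperty("file.resource.loader.path", "/var/app/templates");
        engine.init();
        return engine;
    }

    // (2) An IncludeEventHandler sees every #include/#parse argument before the
    //     resource loader does. Returning null blocks the directive. Here only
    //     "shared/*.vm" names without traversal survive (hypothetical policy).
    static final class IncludeAllowList implements IncludeEventHandler {
        public String includeEvent(String includeResourcePath,
                                   String currentResourcePath,
                                   String directiveName) {
            if (includeResourcePath == null
                    || !includeResourcePath.startsWith("shared/")
                    || !includeResourcePath.endsWith(".vm")
                    || includeResourcePath.contains("..")
                    || includeResourcePath.indexOf('\\') >= 0) {
                return null;   // blocked: the directive renders nothing
            }
            return includeResourcePath;
        }
    }

    // (3)+(4) Never put the Torque object itself in the context. Velocity
    //     introspects the runtime class, so declaring the reference as an
    //     interface type hides nothing: getPeer() and any other public method
    //     of the implementing class stay callable. A final view class that
    //     copies the values and holds no reference to the domain object is the
    //     safe shape; it has nothing to hand back but strings and numbers.
    static final class AccountView {
        private final String name;
        private final long balanceCents;
        AccountView(String name, long balanceCents) {
            this.name = name;
            this.balanceCents = balanceCents;
        }
        public String getName() { return name; }
        public long getBalanceCents() { return balanceCents; }
    }

    static String render(VelocityEngine engine, String template, AccountView account)
            throws Exception {
        VelocityContext ctx = new VelocityContext();
        ctx.put("account", account);   // (4) no request/response, no Torque objects
        EventCartridge cartridge = new EventCartridge();
        cartridge.addEventHandler(new IncludeAllowList());
        cartridge.attachToContext(ctx);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "user-template", template);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        VelocityEngine engine = newHardenedEngine();
        AccountView acct = new AccountView("alice", 1234);   // constructed sample data
        // Legitimate use.
        System.out.println(render(engine, "Hello $account.name", acct));
        // Attack (1): the classloader hop is refused by SecureUberspector,
        // so the chain never reaches loadClass and the reference is left unresolved.
        System.out.println(render(engine,
                "$account.class.classLoader.loadClass('java.lang.Runtime')", acct));
        // Attack (2): another user's template is under the loader path but
        // outside the allow list, so IncludeAllowList blocks the #parse.
        System.out.println(render(engine, "#parse('other-user/private.vm')", acct));
    }
}
```

The order matters for the point made in (3): the view class only helps once (1) is in place, because without SecureUberspector a template can still climb from any context object to its Class and ClassLoader. Conversely, SecureUberspector alone does not help with (3) and (4); a Torque Peer's executeStatement is an ordinary method on an ordinary class, and only keeping that object out of the context prevents the call.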