Security bypass using !include for hosted plantuml #122
Comments
Hi. As a variant to this issue, can we consider plantuml.include.path as an exception which can be allowed rather than blocking all includes? I should be able to specify that in my JVM arguments for the server, so that I can include only the files available in that search path. This makes it flexible to manage, esp. in cases when the project has multiple smaller plantuml files which are included in multiple files; it makes it easy to modularise. Right now this is a blanket ban and breaks my projects when I switch from using the jar to the server. I have currently enabled ALLOW_INCLUDE=true in my environment variables to work around this, which is fine since I am just running Tomcat on my local machine, but obviously I wouldn't want this running on a server. Bharat
@bharatrajagopalan Thanks for your suggestion about the plantuml.include.path exception.
@arnaudroques Brilliant, thank you! Will keep an eye out for this! I am hopefully not getting too greedy, but the other bit I was thinking was that plantuml.include.path could also be designed to accept either a URL or a file path or both, e.g. if I want to include files from a URL I currently have to specify as below, whereas instead I could just specify the path. Currently I can do (with ALLOW_INCLUDE=true) !include path2/file1. So being able to specify a URL or a file path or both in plantuml.include.path (e.g. plantuml.include.path="/path-to/path1,http://domain:port/path1/") will basically maximise flexibility without needing to change my puml files at all, irrespective of whether I use the jar or the server.
With the last beta http://beta.plantuml.net/plantuml.jar and http://beta.plantuml.net/plantuml.war you can now include files whose parent folder is listed in It will give better control on what users might include. This is really a beta, with very few tests done, so feedback is welcome. @bharatrajagopalan Your suggestion about allowing http in
@arnaudroques Thank you. In the process of testing the beta jar I opened ref allowing http in plantuml.include.path
@arnaudroques I could be wrong, but the beta war seems to behave exactly the same as the stable one? I.e. it seems to need "export ALLOW_PLANTUML_INCLUDE=true" set in the app server environment variables to include any path (including those set in plantuml.include.path). Cleaned my Tomcat app folder to make sure that I wasn't using an older version by accident and loaded from the beta link you posted. Edit: It looks like the beta war breaks !include <http url>. It throws a null pointer exception when using this. The following plantuml breaks this:
Not able to include a file from the absolute path mentioned on the server; the file is in the resource directory on the server system. Using Jetty server. java -DALLOW_PLANTUML_INCLUDE=true -Dplantuml.include.path="C:/jetty/mybase/webapps/plantuml/resource" -jar ..\start.jar
@saumyajyoti you are passing ALLOW_PLANTUML_INCLUDE as a Java argument. You need to set it as an environment variable in your shell.
Thanks. This worked.
The default behavior of plantuml is that you cannot include files on the filesystem, for security reasons, as mentioned in https://forum.plantuml.net/9282/can-i-disable-include-and-includeurl-on-plantuml-server
It's possible to bypass this restriction, however. Take the following example:
Also if I load the diagram link again, I get the same error as expected:
http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0
If you restart the application and go directly to the /png endpoint, instead of the landing page, you can bypass this restriction.
To reproduce:
docker run -d -p 8080:8080 plantuml/plantuml-server:latest
http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0
If I navigate to http://localhost:8080 first, then go to http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0 it will be blocked.
I suspect there is some initialization happening when you go to the main page; this is why you don't see this behavior on http://www.plantuml.com/plantuml, but for running plantuml on a fleet where application restarts are common, this ends up being a bigger problem.
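The /png/<id> URLs in this report carry the diagram source in PlantUML's compressed text encoding (raw deflate plus a base64 variant with a reordered alphabet), so an operator reviewing a server's access logs can decode each request and flag the ones that carry an !include directive, whether or not the server enforced the restriction at the time. The following is an added example, not code from the issue or from the PlantUML project: it implements that encoding and a small log scan; the log lines are constructed, and the "~1" prefix handling and the endpoint names are assumptions about the server's URL scheme.

```python
import base64
import re
import zlib

# PlantUML's URL alphabet is standard base64 with the 64 symbols reordered, so a translation converts between them.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_PUML = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_"
_TO_PUML, _TO_STD = str.maketrans(_STD, _PUML), str.maketrans(_PUML, _STD)
_INCLUDE = re.compile(r"^\s*!include(?:url|sub|def)?\b", re.IGNORECASE | re.MULTILINE)
_PATH = re.compile(r'"GET /(?:png|svg|txt|uml)/([~0-9A-Za-z_-]+)')


def plantuml_encode(text: str) -> str:
    """Raw deflate (no zlib header) + PlantUML's base64 variant, as used in /png/<id> URLs."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate stream
    raw = comp.compress(text.encode("utf-8")) + comp.flush()
    # PlantUML zero-pads the final 3-byte group instead of emitting '='.
    return base64.b64encode(raw).decode("ascii").translate(_TO_PUML).replace("=", "0")


def plantuml_decode(encoded: str) -> str:
    """Inverse of plantuml_encode; accepts the optional '~1' prefix newer servers emit (assumption)."""
    encoded = encoded.removeprefix("~1")
    raw = base64.b64decode(encoded.translate(_TO_STD) + "=" * (-len(encoded) % 4))
    inflater = zlib.decompressobj(-15)
    source = inflater.decompress(raw)  # trailing padding bytes land in unused_data
    if not inflater.eof:
        raise ValueError("not a complete deflate stream")
    return source.decode("utf-8")


def find_include_requests(log_lines):
    """Return (line_no, decoded_diagram) for requests whose diagram uses an !include directive."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _PATH.search(line)
        if m is None:
            continue
        try:
            source = plantuml_decode(m.group(1))
        except (zlib.error, ValueError, UnicodeDecodeError):
            continue  # not a deflate-encoded diagram id (e.g. the '~h' hex form)
        if _INCLUDE.search(source):
            hits.append((n, source))
    return hits


_PLAIN = "@startuml\nAlice -> Bob: hi\n@enduml"
_INCL = "@startuml\n!include /home/app/diagrams/base.puml\n@enduml"
SAMPLE_LOG = [  # constructed access-log lines, not taken from the issue
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1532',
    f'10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /png/{plantuml_encode(_PLAIN)} HTTP/1.1" 200 4011',
    f'10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /png/{plantuml_encode(_INCL)} HTTP/1.1" 200 1204',
]
```

Running find_include_requests(SAMPLE_LOG) reports only the third line; the same scan over real logs shows which clients were sending include directives across a restart window.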