-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Docker image or Java Sandboxing #1
Comments
Security is a real concern for our team. For example, if you expose some PlantUML server on the Internet, you will have very different concerns as if you simply run locally plantuml.jar with your own diagrams (because you will then have no control about which diagrams will be generated by your users). We have documented the security profile https://plantuml.com/security you can use when deploying PlantUML. This page is generated from a openwiki http://alphadoc.plantuml.com/doc/markdown/en/security which accepts different syntaxes (markdown/asciidoc/dokuwiki).
About dependencies, situation is very simple: we use two external libraries (not even Log4J!):
We probably need a collection of several permissions.txt |
Thanks a lot! I suggested making this a default in pandoc-plot in LaurentRDC/pandoc-plot#51 Will try to work on a permissions.txt or recommended set of CLIs for typical Pandoc-based workflows. |
And basically, once the required paths for running PlantUML this way are clear, also the required volume settings for a Docker file are clear. I leave this issue open for the moment in case others want to contribute to such a Docker file for PlantUML. |
Hi, PlantUML is great! But despite open-source, it is also a relatively large executable that will be run in many environments with broad access rights, e.g. full-disk access, network, etc. In the light of Supply Chain Attacks (e.g. dependencies become compromised by malicious code) etc., it would be good to isolate PlantUML from the host system.
There are two immediate directions:
.jar
.I am not familiar with the complex Java Security Model, but it seems possible to provide a security permissions file and include that when invoking the JRE.
So for instance, one could limit it to reading and writing the current working directory and the stuff necessary to run the Graphviz engine.
My key point is that it should be in a transparent way, e.g. a separate
permissions.txt
so that it is open for quick inspection, like so:java -Djava.security.manager -Djava.security.policy=permissions.txt -jar plantuml.jar sequenceDiagram.txt
If hidden in the source-code, it is inaccessible for inspection and requires users to "trust" the binary. Which is against state-of-the-art "minimal trust" approaches.
Requires Actions, IMO:
permissions.txt
. I think this will not be a lot of effort if one knows the inner mechanics of PlantUML, but hugely contain potential risks.Think Log4J to get a grasp of what trouble, effort, and reputation risk is at stake ;-).
The text was updated successfully, but these errors were encountered: