Process engine js sandboxing

Author: marijnritense

core/src/main/java/com/ritense/valtimo/autoconfigure/CamundaContextConfiguration.java

@@ -17,9 +17,12 @@
 package com.ritense.valtimo.autoconfigure;
 
 import com.ritense.valtimo.CamundaWhitelistedBeansPlugin;
+import com.ritense.valtimo.ScriptingWhitelistPlugin;
 import com.ritense.valtimo.contract.annotation.ProcessBean;
 import java.util.Map;
+import java.util.Set;
 import org.camunda.bpm.spring.boot.starter.configuration.Ordering;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.ApplicationContext;
@@ -28,16 +31,24 @@
 import org.springframework.core.annotation.Order;
 
 @AutoConfiguration
-@ConditionalOnProperty(prefix = "valtimo.camunda", name = "bean-whitelisting", havingValue = "true", matchIfMissing = true)
 public class CamundaContextConfiguration {
 
     @Bean
     @Order(Ordering.DEFAULT_ORDER - 1)
+    @ConditionalOnProperty(prefix = "valtimo.camunda", name = "bean-whitelisting", havingValue = "true", matchIfMissing = true)
     public CamundaWhitelistedBeansPlugin camundaWhitelistedBeansPlugin(
         @Lazy @ProcessBean Map<String, Object> processBeans,
         ApplicationContext applicationContext
     ) {
         return new CamundaWhitelistedBeansPlugin(processBeans, applicationContext);
     }
 
+    @Bean
+    @Order(Ordering.DEFAULT_ORDER - 1)
+    public ScriptingWhitelistPlugin scriptingWhitelistPlugin(
+        @Value("valtimo.camunda.scripting.allowedClasses") Set<String> allowedScriptingClasses
+    ) {
+        return new ScriptingWhitelistPlugin(allowedScriptingClasses);
+    }
+
 }

core/src/main/kotlin/com/ritense/valtimo/AllowedClassesScriptEngineResolver.kt

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2015-2025 Ritense BV, the Netherlands.
+ *
+ * Licensed under EUPL, Version 1.2 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.ritense.valtimo
+
+import com.oracle.truffle.js.scriptengine.GraalJSScriptEngine
+import org.camunda.bpm.engine.impl.scripting.engine.DefaultScriptEngineResolver
+import org.graalvm.polyglot.Context
+import org.graalvm.polyglot.HostAccess
+import javax.script.ScriptEngine
+import javax.script.ScriptEngineManager
+
+class AllowedClassesScriptEngineResolver(
+    scriptEngineManager: ScriptEngineManager,
+    otherAllowedClasses: Set<String> = emptySet()
+) : DefaultScriptEngineResolver(scriptEngineManager) {
+    val ALL_ALLOWED = ALLOWED + otherAllowedClasses
+
+    override fun getJavaScriptScriptEngine(language: String?): ScriptEngine {
+        val ctx = Context.newBuilder("js")
+            .allowHostAccess(HostAccess.ALL)
+            .allowHostClassLookup(ALL_ALLOWED::contains)
+
+        return GraalJSScriptEngine.create(null, ctx)
+    }
+
+    companion object {
+        private val ALLOWED = mutableSetOf<String?>(
+            "java.util.ArrayList",
+            "org.joda.time.DateTime",
+            "java.util.Date",
+            "java.lang.Math",
+            "org.camunda.spin.Spin",
+            //java.time classes
+            "java.time.Clock",
+            "java.time.Duration",
+            "java.time.Instant",
+            "java.time.LocalDate",
+            "java.time.LocalDateTime",
+            "java.time.LocalTime",
+            "java.time.MonthDay",
+            "java.time.OffsetDateTime",
+            "java.time.OffsetTime",
+            "java.time.Period",
+            "java.time.Year",
+            "java.time.YearMonth",
+            "java.time.ZonedDateTime",
+            "java.time.ZoneId",
+            "java.time.ZoneOffset",
+        )
+    }
+}

core/src/main/kotlin/com/ritense/valtimo/ScriptingWhitelistPlugin.kt

@@ -0,0 +1,39 @@
+/*
+ *  Copyright 2015-2024 Ritense BV, the Netherlands.
+ *
+ *  Licensed under EUPL, Version 1.2 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" basis,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package com.ritense.valtimo
+
+import mu.KotlinLogging
+import org.camunda.bpm.engine.impl.cfg.AbstractProcessEnginePlugin
+import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl
+import javax.script.ScriptEngineManager
+
+class ScriptingWhitelistPlugin(
+    private val allowedScriptingClasses: Set<String> = emptySet()
+) : AbstractProcessEnginePlugin() {
+    override fun preInit(processEngineConfiguration: ProcessEngineConfigurationImpl?) {
+        logger.debug { "Registering allowed classes for scripting..." }
+        requireNotNull(processEngineConfiguration) { "No process engine configuration found. Failed to register allowed scripting classes." }
+
+        processEngineConfiguration.setConfigureScriptEngineHostAccess(false)
+        processEngineConfiguration.setEnableScriptEngineLoadExternalResources(false)
+        processEngineConfiguration.setScriptEngineResolver(AllowedClassesScriptEngineResolver(ScriptEngineManager(), allowedScriptingClasses))
+    }
+
+    companion object {
+        val logger = KotlinLogging.logger {}
+    }
+}

core/src/test/kotlin/com/ritense/valtimo/scripttask/JavascriptScriptTaskProcessIntTest.kt

@@ -20,7 +20,10 @@ import com.ritense.authorization.AuthorizationContext.Companion.runWithoutAuthor
 import com.ritense.valtimo.BaseIntegrationTest
 import com.ritense.valtimo.service.CamundaProcessService
 import org.camunda.bpm.engine.HistoryService
+import org.camunda.bpm.engine.ScriptEvaluationException
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertDoesNotThrow
+import org.junit.jupiter.api.assertThrows
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.transaction.annotation.Transactional
 import java.util.UUID
@@ -52,4 +55,45 @@ class JavascriptScriptTaskProcessIntTest : BaseIntegrationTest() {
             .value
         assertEquals(3, c)
     }
+
+    @Test
+    fun `whitelisted classes should be allowed in script tasks`() {
+
+        assertDoesNotThrow {
+            runWithoutAuthorization {
+                camundaProcessService.startProcess(
+                    "javascript-script-task-process-allowed",
+                    UUID.randomUUID().toString(),
+                    emptyMap()
+                ).processInstanceDto
+            }
+        }
+    }
+
+    @Test
+    fun `default whitelisted classes should be allowed in script tasks`() {
+
+        assertDoesNotThrow {
+            runWithoutAuthorization {
+                camundaProcessService.startProcess(
+                    "javascript-script-task-process-default-allowed",
+                    UUID.randomUUID().toString(),
+                    emptyMap()
+                ).processInstanceDto
+            }
+        }
+    }
+
+    @Test
+    fun `non-whitelisted classes should not be allowed in script tasks`() {
+        assertThrows<ScriptEvaluationException> {
+            runWithoutAuthorization {
+                camundaProcessService.startProcess(
+                    "javascript-script-task-process-unallowed",
+                    UUID.randomUUID().toString(),
+                    emptyMap()
+                ).processInstanceDto
+            }
+        }
+    }
 }

core/src/test/resources/bpmn/javascript-script-task-process-allowed.bpmn

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:camunda="http://camunda.org/schema/1.0/bpmn" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:modeler="http://camunda.org/schema/modeler/1.0" id="Definitions_18vfwpp" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="5.23.0" modeler:executionPlatform="Camunda Platform" modeler:executionPlatformVersion="7.19.0">
+  <bpmn:process id="javascript-script-task-process-allowed" name="Javascript script task process" isExecutable="true" camunda:historyTimeToLive="180">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_0kymcf3</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_0kymcf3" sourceRef="StartEvent_1" targetRef="Activity_1wy7vpn" />
+    <bpmn:endEvent id="Event_0k1400n">
+      <bpmn:incoming>Flow_1muqoyt</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1muqoyt" sourceRef="Activity_1wy7vpn" targetRef="Event_0k1400n" />
+    <bpmn:scriptTask id="Activity_1wy7vpn" name="Sum" scriptFormat="javascript">
+      <bpmn:incoming>Flow_0kymcf3</bpmn:incoming>
+      <bpmn:outgoing>Flow_1muqoyt</bpmn:outgoing>
+      <bpmn:script>const Math = Java.type("java.lang.Math");
+
+const result = Math.pow(2,3);</bpmn:script>
+    </bpmn:scriptTask>
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="javascript-script-task-process-allowed">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0k1400n_di" bpmnElement="Event_0k1400n">
+        <dc:Bounds x="432" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0zbtk6u_di" bpmnElement="Activity_1wy7vpn">
+        <dc:Bounds x="270" y="77" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0kymcf3_di" bpmnElement="Flow_0kymcf3">
+        <di:waypoint x="215" y="117" />
+        <di:waypoint x="270" y="117" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1muqoyt_di" bpmnElement="Flow_1muqoyt">
+        <di:waypoint x="370" y="117" />
+        <di:waypoint x="432" y="117" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>

core/src/test/resources/bpmn/javascript-script-task-process-default-allowed.bpmn

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:camunda="http://camunda.org/schema/1.0/bpmn" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:modeler="http://camunda.org/schema/modeler/1.0" id="Definitions_18vfwpp" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="5.23.0" modeler:executionPlatform="Camunda Platform" modeler:executionPlatformVersion="7.19.0">
+  <bpmn:process id="javascript-script-task-process-default-allowed" name="Javascript script task process" isExecutable="true" camunda:historyTimeToLive="180">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_0kymcf3</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_0kymcf3" sourceRef="StartEvent_1" targetRef="Activity_1wy7vpn" />
+    <bpmn:endEvent id="Event_0k1400n">
+      <bpmn:incoming>Flow_1muqoyt</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1muqoyt" sourceRef="Activity_1wy7vpn" targetRef="Event_0k1400n" />
+    <bpmn:scriptTask id="Activity_1wy7vpn" name="Sum" scriptFormat="javascript">
+      <bpmn:incoming>Flow_0kymcf3</bpmn:incoming>
+      <bpmn:outgoing>Flow_1muqoyt</bpmn:outgoing>
+      <bpmn:script>const LocalDateTime = Java.type("java.time.LocalDateTime");
+
+const result = LocalDateTime.now()</bpmn:script>
+    </bpmn:scriptTask>
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="javascript-script-task-process-default-allowed">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0k1400n_di" bpmnElement="Event_0k1400n">
+        <dc:Bounds x="432" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0zbtk6u_di" bpmnElement="Activity_1wy7vpn">
+        <dc:Bounds x="270" y="77" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0kymcf3_di" bpmnElement="Flow_0kymcf3">
+        <di:waypoint x="215" y="117" />
+        <di:waypoint x="270" y="117" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1muqoyt_di" bpmnElement="Flow_1muqoyt">
+        <di:waypoint x="370" y="117" />
+        <di:waypoint x="432" y="117" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>

core/src/test/resources/bpmn/javascript-script-task-process-unallowed.bpmn

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:camunda="http://camunda.org/schema/1.0/bpmn" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xmlns:modeler="http://camunda.org/schema/modeler/1.0" id="Definitions_18vfwpp" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="5.23.0" modeler:executionPlatform="Camunda Platform" modeler:executionPlatformVersion="7.19.0">
+  <bpmn:process id="javascript-script-task-process-unallowed" name="Javascript script task process" isExecutable="true" camunda:historyTimeToLive="180">
+    <bpmn:startEvent id="StartEvent_1">
+      <bpmn:outgoing>Flow_0kymcf3</bpmn:outgoing>
+    </bpmn:startEvent>
+    <bpmn:sequenceFlow id="Flow_0kymcf3" sourceRef="StartEvent_1" targetRef="Activity_1wy7vpn" />
+    <bpmn:endEvent id="Event_0k1400n">
+      <bpmn:incoming>Flow_1muqoyt</bpmn:incoming>
+    </bpmn:endEvent>
+    <bpmn:sequenceFlow id="Flow_1muqoyt" sourceRef="Activity_1wy7vpn" targetRef="Event_0k1400n" />
+    <bpmn:scriptTask id="Activity_1wy7vpn" name="Sum" scriptFormat="javascript">
+      <bpmn:incoming>Flow_0kymcf3</bpmn:incoming>
+      <bpmn:outgoing>Flow_1muqoyt</bpmn:outgoing>
+      <bpmn:script>const HashMap = Java.type("java.util.HashMap");
+
+const result = new HashMap()</bpmn:script>
+    </bpmn:scriptTask>
+  </bpmn:process>
+  <bpmndi:BPMNDiagram id="BPMNDiagram_1">
+    <bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="javascript-script-task-process-unallowed">
+      <bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
+        <dc:Bounds x="179" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Event_0k1400n_di" bpmnElement="Event_0k1400n">
+        <dc:Bounds x="432" y="99" width="36" height="36" />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNShape id="Activity_0zbtk6u_di" bpmnElement="Activity_1wy7vpn">
+        <dc:Bounds x="270" y="77" width="100" height="80" />
+        <bpmndi:BPMNLabel />
+      </bpmndi:BPMNShape>
+      <bpmndi:BPMNEdge id="Flow_0kymcf3_di" bpmnElement="Flow_0kymcf3">
+        <di:waypoint x="215" y="117" />
+        <di:waypoint x="270" y="117" />
+      </bpmndi:BPMNEdge>
+      <bpmndi:BPMNEdge id="Flow_1muqoyt_di" bpmnElement="Flow_1muqoyt">
+        <di:waypoint x="370" y="117" />
+        <di:waypoint x="432" y="117" />
+      </bpmndi:BPMNEdge>
+    </bpmndi:BPMNPlane>
+  </bpmndi:BPMNDiagram>
+</bpmn:definitions>

core/src/test/resources/config/application.yml

@@ -51,6 +51,10 @@ valtimo:
         reminderTemplate: bpc-task-reminder
     plugin:
         encryption-secret: "abcdefghijklmnop"
+    camunda:
+        scripting:
+            allowedClasses:
+                - java.lang.Math
 
 aws:
     profile: ritense