Security bypass using !include for hosted plantuml

[jarv]

The default behavior of plantuml is that you cannot include files on the filesystem, for security reasons as mentioned in https://forum.plantuml.net/9282/can-i-disable-include-and-includeurl-on-plantuml-server

It's possible to bypass this restriction however, take the following example:

@startuml
title
!include /etc/passwd
end title
@enduml

Also if I load the diagram link again, I get the same error as expected:

http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0

If you restart the application, and go directly to the /png endpoint, instead of the landing page, you can bypass this restriction:

To reproduce

• docker run -d -p 8080:8080 plantuml/plantuml-server:latest
• Navigate to http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0

If I navigate to http://localhost:8080 first, then go to http://localhost:8080/png/AyaioKdbKipCIyufJKbLq4yjITOlI2mkBa_XIirBKIW1IGC0 it will be blocked.

I suspect there is some initialization happening when you go the main page, this is why you don't see this behavior on http://www.plantuml.com/plantuml , but for running plantuml on a fleet where application restarts are common, this ends up being a bigger problem.

[bharatrajagopalan]

Hi

As a variant to this issue can we consider plantuml.include.path as an exception which can be allowed rather than blocking all includes?

I should be able to specify that in my jvm arguments for the server, so that i can include only the files available in that search path. This makes it flexible to manage esp. in cases, when the project has multiple smaller plantuml files which are included in multiple files - makes it easy to modularise

Right now this is a blanket ban and breaks my projects when i switch from using the jar to the server. I have currently enabled ALLOW_INCLUDE=true in my environment variables to work around this which is fine since i am just running tomcat on my local machine but obviously wouldn't want this running on a server.

Bharat

[arnaudroques]

@bharatrajagopalan Thanks for your suggestion about plantuml.include.path exception suggestion. This is a brilliant idea! We need some time to safely implements this. We'll post a message here when this will be ready. Regards, Arnaud

[bharatrajagopalan]

@arnaudroques Brilliant Thank you! Will keep an eye out for this!

I am hopefully am not getting too greedy, but the other bit I was thinking was that plantuml.include.path could also be designed to either accept an url or a file or both

e.g. if i want to include files from a url i have to currently specify as below !include http://domain:port/path1/path2/file1 !include http://domain:port/path1/path3/file2

instead if i could just specify plantuml.include.path="http://domain:port/path1" !include path2/file1 include path3/file2

Currently i can do (with ALLOW_INCLUDE=true) plantuml.include.path=/path-to/path1

!include path2/file1 !include path3/file2

So being able to specify url or file path or both in plantuml.include.path (e.g. plantuml.include.path="/path-to/path1,http://domain:port/path1/") this will basically maximise flexibilitywithout needing to change my puml files at all irrespective of the whether i use jar or server

[arnaudroques]

With last beta http://beta.plantuml.net/plantuml.jar and http://beta.plantuml.net/plantuml.war you can now include files which parent folder are listed in plantuml.include.path even if ALLOW_PLANTUML_INCLUDE have been set to false.

It will give better control on what users might include.

This is really a beta, with very few tests done, so feedback is welcome.

@bharatrajagopalan Your suggestion about allowing http in plantuml.include.path is also nice. Could you open another issue about it ? We don't want to mix features in this issue. Thanks!

[bharatrajagopalan]

@arnaudroques Thank you. In the process of testing the beta jar

I opened https://github.com/plantuml/plantuml-server/issues/129

ref allowing http in plantuml.include.path

[bharatrajagopalan]

@arnaudroques i could be wrong, but the beta war seems to behave exactly the same as the stable one?

i.e. it seems to need " export ALLOW_PLANTUML_INCLUDE=true" set in the app server environment variables to include any path (including those set in plantuml.include.path)

Cleaned my tomcat app folder to make sure that i wasn't using an older version by accident and loaded from the beta link you posted.

Edit: It looks like the beta war breaks !include <http url>. It throws a null pointer exception when using this

The following plantuml breaks this

@startuml
!include https://raw.githubusercontent.com/bharatrajagopalan/plantuml-styles/master/sequence_diagram_skin.pu

'!include sequence_diagram_skin.pu 

actor Coworker

System1->System2:test

c->d: lets eat
activate c
  activate d
    d->d: do i want to eat
    alt if d wants to eat
      d-->c: This is fast
    else if d doesn't want to eat
      d-->c: naaah
      deactivate d

      Abe->Cain: I need time for the architecture [[http://plantuml.com]]
    end 
deactivate c
@enduml

[saumyajyoti]

Not able to include a file from absolute path mentioned in server , the file is in resource directory in server system. Using Jetty server.

java -DALLOW_PLANTUML_INCLUDE=true -Dplantuml.include.path="C:/jetty/mybase/webapps/plantuml/resource" -jar ..\start.jar

[bharatrajagopalan]

@saumyajyoti you are passing the ALLOW_PLANTUML_INCLUDE as a Java argument.

You need to set it as an environment variable in your shell

[saumyajyoti]

@saumyajyoti you are passing the ALLOW_PLANTUML_INCLUDE as a Java argument.

You need to set it as an environment variable in your shell

Thanks. This worked.