Changeset 374


Timestamp:
Apr 23, 2010, 11:02:31 AM (7 years ago)
Author:
duh
Message:
  • added crypto plugin
  • implemented blowfish encryption in Wizard Tag Library
  • implemented blowfish decryption in TemplateEditorController?
  • added shared secret configuration to Config.groovy
Location:
trunk
Files:
4 edited

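--- a/trunk/application.properties
+++ b/trunk/application.properties
@@ -1,13 +1,14 @@
 #Grails Metadata file
-#Tue Apr 20 16:47:44 CEST 2010
+#Fri Apr 23 10:43:43 CEST 2010
 app.grails.version=1.2.2
 app.name=gscf
 app.servlet.version=2.4
 app.version=0.1.4
+plugins.crypto=2.0
 plugins.db-util=0.4
 plugins.hibernate=1.2.2
 plugins.jquery=1.4.1.1
 plugins.mail=0.9
-plugins.nadd-neutralizer=0.1
+#plugins.nadd-neutralizer=0.1
 plugins.nimble=0.3-SNAPSHOT
 plugins.searchable=0.5.5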
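--- a/trunk/grails-app/conf/Config.groovy
+++ b/trunk/grails-app/conf/Config.groovy
@@ -84,2 +84,7 @@
         }
 }
+
+// cryptography settings
+crypto {
+        shared.secret = "U73reG*mE^\$t@7s!e%"
+}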
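Review bot: The shared secret assigned on line 89 is committed to source control in plaintext, so anyone who can read the repository — including its history after this file is later changed — learns the Blowfish key that protects the entity parameter. Because the value is already in changeset history it should be regarded as exposed and replaced, and the replacement should be loaded from a deployment-specific file kept outside version control (for example through `grails.config.locations`) rather than written into Config.groovy. A comment such as `// shared.secret must be supplied per deployment; never commit a real value here` would make that intent clear to the next maintainer.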
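--- a/trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy
+++ b/trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy
@@ -16,4 +16,5 @@
 import dbnp.data.*
 import dbnp.studycapturing.*
+import cr.co.arquetipos.crypto.Blowfish
 
 class TemplateEditorController {
@@ -26,5 +27,18 @@
                 if (params.entity) {
                         // decode entity get parameter
-                        entity = new String(params.entity.toString().decodeBase64())
+                        if (grailsApplication.config.crypto) {
+                                // generate a Blowfish encrypted and Base64 encoded string.
+                                entity = Blowfish.decryptBase64(
+                                        params.entity,
+                                        grailsApplication.config.crypto.shared.secret
+                                )
+                        } else {
+                                // base64 only; this is INSECURE! Even though it is not
+                                // very likely, it is possible to exploit this and have
+                                // Grails dynamically instantiate whatever class you like.
+                                // If that constructor does something harmfull this could
+                                // be dangerous. Hence, use encryption (above) instead...
+                                entity = new String(params.entity.toString().decodeBase64())
+                        }
                 }
 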
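Review bot: The decrypted value is still used as a class name (the else-branch comment says Grails instantiates it), and nothing in the hunk shows that `Blowfish.decryptBase64` authenticates its input, so a successful decryption should not be treated as proof that the parameter is trustworthy; validate the resulting name against the set of entity classes this controller expects before it is used. The guard `if (grailsApplication.config.crypto)` tests for the presence of the config section rather than the secret, so a `crypto {}` block without `shared.secret` would presumably pass an empty ConfigObject as the key; `if (grailsApplication.config.crypto?.shared?.secret)` is the safer check, and the same applies to the WizardTagLib hunk below. The else branch silently keeps the base64-only path that the commit's own comment calls insecure; failing closed with `throw new IllegalStateException('crypto.shared.secret is not configured')` would be preferable to degrading without notice. The action containing this code begins and ends outside the hunk.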
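--- a/trunk/grails-app/taglib/dbnp/studycapturing/WizardTagLib.groovy
+++ b/trunk/grails-app/taglib/dbnp/studycapturing/WizardTagLib.groovy
@@ -4,4 +4,5 @@
 import dbnp.studycapturing.*
 import dbnp.data.*
+import cr.co.arquetipos.crypto.Blowfish
 
 /**
@@ -564,11 +565,17 @@
                 def entity = attrs.remove('entity')
 
-                // add the entity class name to the element as
-                // a base64 encoded string.
-                // TODO: encrypt this, instead of using base64!
-                //       As this class is instantiated elsewhere
-                //       this is a security hazard!
-                //               @see TemplateEditorController
-                attrs['entity'] = entity.toString().replaceAll(/^class /,'').bytes.encodeBase64()
+                // add the entity class name to the element
+                // do we have crypto information available?
+                if (grailsApplication.config.crypto) {
+                        // generate a Blowfish encrypted and Base64 encoded string.
+                        attrs['entity'] = Blowfish.encryptBase64(
+                                entity.toString().replaceAll(/^class /, ''),
+                                grailsApplication.config.crypto.shared.secret
+                        )
+                } else {
+                        // base64 only; this is INSECURE! As this class
+                        // is instantiated elsewehere. Possibly exploitable!
+                        attrs['entity'] = entity.toString().replaceAll(/^class /, '').bytes.encodeBase64()
+                }
 
                 // fetch templates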
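Review bot: `entity.toString().replaceAll(/^class /, '')` is evaluated in both branches of the new `if`; hoisting it into a local such as `def className = entity.toString().replaceAll(/^class /, '')` ahead of the condition removes the duplication and makes it obvious that the two branches encode the same value. The else-branch comment has a typo (`elsewehere`) and dropped the pointer the removed comment carried; `// base64 only; this is INSECURE: the name is instantiated as a class in TemplateEditorController` keeps that cross-reference for the next reader. The tag closure containing this code starts and ends outside the hunk.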