Changeset 374 for trunk/grails-app

Timestamp:

Apr 23, 2010, 11:02:31 AM (11 years ago)

Author:

duh

Message:

• added crypto plugin
• implemented blowfish encryption in Wizard Tag Library
• implemented blowfish descryption in TemplateEditorController?
• added shared secret configuration to Config.groovy

Location:

trunk/grails-app

Files:

• conf/Config.groovy (modified) (1 diff)
• controllers/dbnp/studycapturing/TemplateEditorController.groovy (modified) (2 diffs)
• taglib/dbnp/studycapturing/WizardTagLib.groovy (modified) (2 diffs)

trunk/grails-app/conf/Config.groovy

@@ -84 +84 @@
         }
 }
+
+// cryptography settings
+crypto {
+        shared.secret = "U73reG*mE^\$t@7s!e%"
+}

trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy

@@ -16 +16 @@
 import dbnp.data.*
 import dbnp.studycapturing.*
+import cr.co.arquetipos.crypto.Blowfish
 
 class TemplateEditorController {
@@ -26 +27 @@
                 if (params.entity) {
                         // decode entity get parameter
-                        entity = new String(params.entity.toString().decodeBase64())
+                        if (grailsApplication.config.crypto) {
+                                // generate a Blowfish encrypted and Base64 encoded string.
+                                entity = Blowfish.decryptBase64(
+                                        params.entity,
+                                        grailsApplication.config.crypto.shared.secret
+                                )
+                        } else {
+                                // base64 only; this is INSECURE! Even though it is not
+                                // very likely, it is possible to exploit this and have
+                                // Grails dynamically instantiate whatever class you like.
+                                // If that constructor does something harmfull this could
+                                // be dangerous. Hence, use encryption (above) instead...
+                                entity = new String(params.entity.toString().decodeBase64())
+                        }
                 }
 

trunk/grails-app/taglib/dbnp/studycapturing/WizardTagLib.groovy

@@ -4 +4 @@
 import dbnp.studycapturing.*
 import dbnp.data.*
+import cr.co.arquetipos.crypto.Blowfish
 
 /**
@@ -564 +565 @@
                 def entity = attrs.remove('entity')
 
-                // add the entity class name to the element as
-                // a base64 encoded string.
-                // TODO: encrypt this, instead of using base64!
-                //       As this class is instantiated elsewhere
-                //       this is a security hazard!
-                //               @see TemplateEditorController
-                attrs['entity'] = entity.toString().replaceAll(/^class /,'').bytes.encodeBase64()
+                // add the entity class name to the element
+                // do we have crypto information available?
+                if (grailsApplication.config.crypto) {
+                        // generate a Blowfish encrypted and Base64 encoded string.
+                        attrs['entity'] = Blowfish.encryptBase64(
+                                entity.toString().replaceAll(/^class /, ''),
+                                grailsApplication.config.crypto.shared.secret
+                        )
+                } else {
+                        // base64 only; this is INSECURE! As this class
+                        // is instantiated elsewehere. Possibly exploitable!
+                        attrs['entity'] = entity.toString().replaceAll(/^class /, '').bytes.encodeBase64()
+                }
 
                 // fetch templates