Security Concerns with User-Customized JasperReports

[monteiro.mateust]

Hi everyone,

I'm currently facing a security issue in my production environment where I allow end-users to customize and create their own reports using JasperReports. Users can upload their reports, which sometimes are just a .jrxml file, but other times they can be a .zip file containing multiple .jrxml files for execution. This setup makes the user environment quite dynamic and adaptable to their needs.

The problem I'm encountering is related to security. Since users can include Java scripts within their Jasper reports, there's a risk that malicious Java code could be executed. This code runs with root privileges within the container, giving it potential access to my cluster's internal network and other critical resources.

I've been searching for a standard way to address these security concerns. I looked into the compiler properties that JasperReports offers, and the only one that seemed relevant was "net.sf.jasperreports.compiler.classpath." However, modifying the classpath at the report execution time doesn't seem to be a viable approach in my case.

Does anyone have any ideas or suggestions? Should I be looking at environment/cluster-level solutions, or is there a way to run JasperReports in a sandboxed mode to mitigate these risks?

Thank you in advance for your help!

Let me know if there are any additional details you'd like to include or any further adjustments you need!

I attached an .jrxml for example.

fake_report.zip

[lucianc]

There are two ways to prevent such cases.

The first is to set the net.sf.jasperreports.report.class.filter.enabled property to true.  That restricts the classes that are allowed to be used in report expressions.  You can see the classes allowed by default (note that some are required internally) here, and you can add further classes if required.

The second solution is to run Java with a security manager (as in -Djava.security.manager -Djava.security.policy=..) and then use net.sf.jasperreports.engine.util.JRClassLoader.setProtectionDomain() or setProtectionDomainFactory() to specify a protection domain to be used for the code compiled from report expressions.

Regards,

Lucian