Security of Script Jobs and Functions

Jedox Integrator contains several generic, mainly script-based, standard components:

  • Functions: Groovy, JavaScript, Java
  • Transform: RScript
  • Jobs: Groovy, JavaScript

The authorizations inside of the script are those of the OS user for the service JedoxSuiteTomcatService. By assigning limited file system and network access to this user on the OS (Windows and Linux), all script-based components are restricted.

Note that this restriction applies also to the complete Jedox installation.

Deactivation of Integrator components

Unused Integrator server components can be set to inactive in this way:

In file <Installation Path>\tomcat\webapps\etlserver\config\customer\component.xml add a section for the component with attribute status="inactive" (e.g. by copying the corresponding section from file .\config\standard\component.xml):

Copy
<jobs>     
<job>         
<component name="JavaScript" class="com.jedox.etl.components.job.JavaScript" status="inactive">         
</component>     
<job>     
</jobs>

Restart JedoxSuiteTomcatService

Groovy Sandbox

The Groovy sandbox allows the precise definition of Java packages and classes that are allowed to be used in the function and job of type Groovy. By default, the Groovy sandbox is disabled and all Java classes are allowed.

The Groovy Sandbox can be configured in <Installation Path>\tomcat\webapps\etlserver\config\groovy.xml:

SettingDescription
<security enabled="true">Enables the Groovy Sandbox
<defaults>true</defaults>

Allows the usage of some basic Java classes used e.g. for arithmetical operations: Boolean, String, Integer, Double, Long, Float, Short, Byte, Character, BigDecimal, BigInteger, Date, Math, Calendar, GregorianCalendar, StringBuilder, StringBuffer and ETLLogger

<apis>true</apis> Allows the usage of the Integrator Scripting API e.g. via API.executeJob()
(see: https://knowledgebase.jedox.com/knowledgebase/scripting-api/ )
<allows>

A safelist of Java classes and packages which are explicitly allowed. It includes: groovy.time.*, groovy.sql.*, java.math.*, java.text.*, java.util.*, com.jedox.palojlib.main.*, com.jedox.palojlib.interfaces.*

<denies>

A blocklist of Java classes and packages which are explicitly not allowed for usage. First the allowed list is evaluated and then the deny list is explicitly forbidden.

Example of <allows> and <denies> to allow all classes from package java.util except the class java.util.HashMap:

<allows>
<allow>java.util.*</allow>
</allows>

<denies>
<deny>java.util.HashMap</deny>
</denies>

Note: the usage of the Groovy Sandbox may result in a slight decrease in performance of Groovy functions and jobs for some cases, especially if many allow/deny rules are defined and many different classes are used.

JavaScript

Securing the execution of JavaScript scripts is done with the help of runtime checks. Enabling runtime checks for a JavaScript function or job prevents the usage of any Java functionality. The script engine, restricted to the basic JavaScript functionality, runs in a secure mode without access to any external resources.

Runtime Checks can be configured in <InstallationPath>\tomcat\webapps\etlserver\config\config.xml.

Copy
<executions>

  <parameter name="secureJS">true</parameter>

It is not possible to configure the allowed or denied packages or classes.

Updated September 27, 2022