feat(plantuml): allow to configure PlantUML security profile (#2004)

Author: ggrossetie

docs/modules/setup/pages/configuration.adoc

@@ -84,6 +84,21 @@ KROKI_PLANTUML_INCLUDE_WHITELIST:: The name of a file that consists of a list of
 KROKI_PLANTUML_INCLUDE_WHITELIST_0, KROKI_PLANTUML_INCLUDE_WHITELIST_1, ... KROKI_PLANTUML_INCLUDE_WHITELIST___N__:: One regex to add to the include whitelist per environment variable. Search will stop at the first empty or undefined integer number.
 KROKI_PLANTUML_ALLOW_INCLUDE:: Either `false` (default) or `true`. Determines if PlantUML will fetch `!include` directives that reference external URLs. For example, PlantUML allows the !import directive to pull fragments from the filesystem or a remote URL or the standard library.
 
+It's also possible to configure the security profile of PlantUML directly using `KROKI_PLANTUML_SECURITY_PROFILE`.
+
+`KROKI_PLANTUML_SECURITY_PROFILE`:: The PlantUML security profile. Accepted values are `UNSECURE`, `ALLOWLIST`, `INTERNET` and `SANDBOX`.
+`KROKI_PLANTUML_ALLOWLIST_URL`:: A URL pattern allowlist for PlantUML includes. Only effective when using the `ALLOWLIST` security profile.
+`KROKI_PLANTUML_ALLOWLIST_PATH`:: A path pattern allowlist for PlantUML includes. Only effective when using the `ALLOWLIST` security profile.
+
+By default, the security profile is inferred from the Kroki safe mode:
+
+[horizontal]
+`UNSAFE`:: `UNSECURE`
+`SAFE`:: `ALLOWLIST`
+`SECURE`:: `SANDBOX`
+
+For more information, see the https://plantuml.com/en/security[PlantUML security documentation].
+
 === Structurizr
 
 Structurizr's restricted mode is activated unless Kroki is running in `UNSAFE` mode:
@@ -310,4 +325,4 @@ If SSL is enabled, both `KROKI_SSL_KEY` (or `KROKI_SSL_KEY_PATH`) and `KROKI_SSL
 
 You can configure Open Telemetry tracing with the environment variables.
 
-https://opentelemetry.io/docs/languages/java/configuration/#environment-variables-and-system-properties
+https://opentelemetry.io/docs/languages/java/configuration/#environment-variables-and-system-properties

server/src/main/java/io/kroki/server/service/Plantuml.java

@@ -124,7 +124,7 @@ public String decode(String encoded) throws DecodeException {
         return DiagramSource.plantumlDecode(encoded);
       }
     };
-    this.plantumlCommand = new PlantumlCommand(config);
+    this.plantumlCommand = new PlantumlCommand(this.safeMode, config);
     this.ditaaCommand = new DitaaCommand(config);
     this.includeWhitelist = parseIncludeWhitelist(config);
     this.logging = new Logging(logger);

server/src/main/java/io/kroki/server/service/PlantumlCommand.java

@@ -4,6 +4,7 @@
 import io.kroki.server.action.Commander;
 import io.kroki.server.error.BadRequestException;
 import io.kroki.server.format.FileFormat;
+import io.kroki.server.security.SafeMode;
 import io.kroki.server.unit.TimeValue;
 import io.vertx.core.json.JsonObject;
 import org.slf4j.Logger;
@@ -26,12 +27,31 @@ public class PlantumlCommand {
   private static final Pattern ERROR_MESSAGE_RX = Pattern.compile(".*ERROR\\n(?<lineNumber>[0-9]+)\\n(?<cause>[^\\n]+)\\n.*", Pattern.MULTILINE | Pattern.DOTALL);
   private final String binPath;
   private final String includePath;
+  private final String allowListUrl;
+  private final String allowListPath;
+  private final String securityProfile;
   private final TimeValue convertTimeout;
   private final Commander commander;
 
-  public PlantumlCommand(JsonObject config) {
+  public PlantumlCommand(SafeMode safeMode, JsonObject config) {
     this.binPath = config.getString("KROKI_PLANTUML_BIN_PATH", "plantuml");
     this.includePath = config.getString("KROKI_PLANTUML_INCLUDE_PATH");
+    this.allowListUrl = config.getString("KROKI_PLANTUML_ALLOWLIST_URL");
+    this.allowListPath = config.getString("KROKI_PLANTUML_ALLOWLIST_PATH");
+    String defaultSecurityProfile;
+    switch (safeMode) {
+      case UNSAFE:
+        defaultSecurityProfile = "UNSECURE";
+        break;
+      case SAFE:
+        defaultSecurityProfile = "ALLOWLIST";
+        break;
+      case SECURE:
+      default:
+        defaultSecurityProfile = "SANDBOX";
+        break;
+    }
+    this.securityProfile = config.getString("KROKI_PLANTUML_SECURITY_PROFILE", defaultSecurityProfile);
     this.commander = new Commander(
       config,
       new CommandStatusHandler() {
@@ -74,8 +94,30 @@ public byte[] handle(int exitValue, byte[] stdout, byte[] stderr) {
   }
 
   public byte[] convert(String source, FileFormat format, JsonObject options) throws IOException, InterruptedException {
+    List<String> commandArgs = buildCommandArgs(format, options);
+
+    logger.debug("Executing PlantUML command: {}", commandArgs);
+
+    byte[] result = commander.execute(source.getBytes(), commandArgs.toArray(new String[0]));
+    if (format == FileFormat.BASE64) {
+      final String encodedBytes = "data:image/png;base64," + Base64.getUrlEncoder().encodeToString(result).replaceAll("\\s", "");
+      return encodedBytes.getBytes();
+    }
+    return result;
+  }
+
+  protected List<String> buildCommandArgs(FileFormat format, JsonObject options) {
     List<String> commands = new ArrayList<>();
     commands.add(binPath);
+    if (securityProfile != null) {
+      commands.add("-DPLANTUML_SECURITY_PROFILE=" + securityProfile);
+    }
+    if (allowListUrl != null) {
+      commands.add("-Dplantuml.allowlist.url=" + allowListUrl);
+    }
+    if (allowListPath != null) {
+      commands.add("-Dplantuml.allowlist.path=" + allowListPath);
+    }
     if (includePath != null) {
       commands.add("-Dplantuml.include.path=" + includePath);
     }
@@ -92,14 +134,6 @@ public byte[] convert(String source, FileFormat format, JsonObject options) thro
     if (no_metadata != null) {
       commands.add("-nometadata");
     }
-
-    logger.debug("Executing PlantUML command: {}", commands);
-
-    byte[] result = commander.execute(source.getBytes(), commands.toArray(new String[0]));
-    if (format == FileFormat.BASE64) {
-      final String encodedBytes = "data:image/png;base64," + Base64.getUrlEncoder().encodeToString(result).replaceAll("\\s", "");
-      return encodedBytes.getBytes();
-    }
-    return result;
+    return commands;
   }
 }

server/src/main/java/io/kroki/server/service/Structurizr.java

@@ -58,7 +58,23 @@ public String decode(String encoded) throws DecodeException {
         return DiagramSource.decode(encoded);
       }
     };
-    this.plantumlCommand = new PlantumlCommand(config);
+    this.plantumlCommand = createPlantumlCommand(this.safeMode, config);
+  }
+
+  protected static PlantumlCommand createPlantumlCommand(SafeMode safeMode, JsonObject config) {
+    String allowListUrl = config.getString("KROKI_PLANTUML_ALLOWLIST_URL");
+    JsonObject plantumlConfig = config.copy();
+    if (allowListUrl != null) {
+      allowListUrl += ";https://static.structurizr.com";
+    } else {
+      allowListUrl = "https://static.structurizr.com";
+    }
+    plantumlConfig.put("KROKI_PLANTUML_ALLOWLIST_URL", allowListUrl);
+    String plantumlSecurityProfile = plantumlConfig.getString("KROKI_PLANTUML_SECURITY_PROFILE");
+    if (plantumlSecurityProfile == null && safeMode.value >= SafeMode.SECURE.value) {
+      plantumlConfig.put("KROKI_PLANTUML_SECURITY_PROFILE", "ALLOWLIST");
+    }
+    return new PlantumlCommand(safeMode, plantumlConfig);
   }
 
   @Override

server/src/test/java/io/kroki/server/DownloadPlantumlNativeImage.java

@@ -8,19 +8,15 @@
 
 public class DownloadPlantumlNativeImage {
 
-  public static Future<PlantumlCommand> download(Vertx vertx) {
+  public static Future<String> download(Vertx vertx) {
     String plantumlVersion = new Plantuml(vertx, new JsonObject()).getVersion();
     String os = getOperatingSystemName();
     String arch = getArch();
     String zipName = "plantuml-" + os + "-" + arch + "-" + plantumlVersion + ".zip";
     String binaryExtension = getBinaryExtension(os);
     String binaryName = "plantuml-" + os + "-" + arch + "-" + plantumlVersion + binaryExtension;
     String downloadUrl = "https://github.com/yuzutech/plantuml/releases/download/v" + plantumlVersion + "/" + zipName;
-    return DownloadNativeImage.download(vertx, downloadUrl, "PlantUML", zipName, binaryName).map(plantumlBinPath -> {
-      JsonObject options = new JsonObject();
-      options.put("KROKI_PLANTUML_BIN_PATH", plantumlBinPath);
-      return new PlantumlCommand(options);
-    });
+    return DownloadNativeImage.download(vertx, downloadUrl, "PlantUML", zipName, binaryName);
   }
 
   private static String getBinaryExtension(String os) {

server/src/test/java/io/kroki/server/service/C4PlantumlServiceTest.java

@@ -28,14 +28,17 @@ public class C4PlantumlServiceTest {
 
   @BeforeAll
   @Timeout(60)
-  static void prepare(VertxTestContext context, Vertx vertx) throws InterruptedException {
+  static void prepare(VertxTestContext context, Vertx vertx) {
     Checkpoint checkpoint = context.checkpoint();
     DownloadPlantumlNativeImage.download(vertx).onComplete(event -> {
       if (event.failed()) {
         context.failNow(event.cause());
         return;
       }
-      plantumlCommand = event.result();
+      String plantumlBinPath = event.result();
+      JsonObject options = new JsonObject();
+      options.put("KROKI_PLANTUML_BIN_PATH", plantumlBinPath);
+      plantumlCommand = new PlantumlCommand(SafeMode.SECURE, options);
       checkpoint.flag();
     });
   }

server/src/test/java/io/kroki/server/service/PlantumlCommandTest.java

@@ -0,0 +1,55 @@
+package io.kroki.server.service;
+
+import io.kroki.server.format.FileFormat;
+import io.kroki.server.security.SafeMode;
+import io.vertx.core.json.JsonObject;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class PlantumlCommandTest {
+
+  @Test
+  public void should_use_sandbox_security_profile_by_default() {
+    JsonObject options = new JsonObject();
+    PlantumlCommand cmd = new PlantumlCommand(SafeMode.SECURE, options);
+    List<String> args = cmd.buildCommandArgs(FileFormat.SVG, options);
+    assertThat(args).contains("-DPLANTUML_SECURITY_PROFILE=SANDBOX");
+  }
+
+  @Test
+  public void should_map_unsafe_mode_to_security_profile() {
+    JsonObject options = new JsonObject();
+    PlantumlCommand cmd = new PlantumlCommand(SafeMode.UNSAFE, options);
+    List<String> args = cmd.buildCommandArgs(FileFormat.SVG, options);
+    assertThat(args).contains("-DPLANTUML_SECURITY_PROFILE=UNSECURE");
+  }
+
+  @Test
+  public void should_map_safe_mode_to_security_profile() {
+    JsonObject options = new JsonObject();
+    PlantumlCommand cmd = new PlantumlCommand(SafeMode.SAFE, options);
+    List<String> args = cmd.buildCommandArgs(FileFormat.SVG, options);
+    assertThat(args).contains("-DPLANTUML_SECURITY_PROFILE=ALLOWLIST");
+  }
+
+  @Test
+  public void should_set_allowlist_url() {
+    JsonObject options = new JsonObject();
+    options.put("KROKI_PLANTUML_ALLOWLIST_URL", "https://plantuml.com/;http://somelocalserver:8080/commons");
+    PlantumlCommand cmd = new PlantumlCommand(SafeMode.SAFE, options);
+    List<String> args = cmd.buildCommandArgs(FileFormat.SVG, options);
+    assertThat(args).contains("-Dplantuml.allowlist.url=https://plantuml.com/;http://somelocalserver:8080/commons");
+  }
+
+  @Test
+  public void should_set_allowlist_path() {
+    JsonObject options = new JsonObject();
+    options.put("KROKI_PLANTUML_ALLOWLIST_PATH", "/usr/common/:/usr/plantuml/");
+    PlantumlCommand cmd = new PlantumlCommand(SafeMode.SAFE, options);
+    List<String> args = cmd.buildCommandArgs(FileFormat.SVG, options);
+    assertThat(args).contains("-Dplantuml.allowlist.path=/usr/common/:/usr/plantuml/");
+  }
+}

server/src/test/java/io/kroki/server/service/PlantumlServiceTest.java

@@ -40,14 +40,17 @@ public class PlantumlServiceTest {
 
   @BeforeAll
   @Timeout(60)
-  static void prepare(VertxTestContext context, Vertx vertx) throws InterruptedException {
+  static void prepare(VertxTestContext context, Vertx vertx) {
     Checkpoint checkpoint = context.checkpoint();
     DownloadPlantumlNativeImage.download(vertx).onComplete(event -> {
       if (event.failed()) {
         context.failNow(event.cause());
         return;
       }
-      plantumlCommand = event.result();
+      String plantumlBinPath = event.result();
+      JsonObject options = new JsonObject();
+      options.put("KROKI_PLANTUML_BIN_PATH", plantumlBinPath);
+      plantumlCommand = new PlantumlCommand(SafeMode.SECURE, options);
       checkpoint.flag();
     });
   }

server/src/test/java/io/kroki/server/service/StructurizrServiceTest.java

@@ -42,14 +42,17 @@ public class StructurizrServiceTest {
 
   @BeforeAll
   @Timeout(60)
-  static void prepare(VertxTestContext context, Vertx vertx) throws InterruptedException {
+  static void prepare(VertxTestContext context, Vertx vertx) {
     Checkpoint checkpoint = context.checkpoint();
     DownloadPlantumlNativeImage.download(vertx).onComplete(event -> {
       if (event.failed()) {
         context.failNow(event.cause());
         return;
       }
-      plantumlCommand = event.result();
+      String plantumlBinPath = event.result();
+      JsonObject options = new JsonObject();
+      options.put("KROKI_PLANTUML_BIN_PATH", plantumlBinPath);
+      plantumlCommand = Structurizr.createPlantumlCommand(SafeMode.SAFE, options);
       checkpoint.flag();
     });
   }