Jasper Report Security Sandboxing - security

I am writing a Java web app which I would like to allow users to execute basic PDF reports. Normally I would use Jasper Reports for this. However this time I would like the users to be able to edit there own reports in iReport and upload them. Which should be straight forward enough.
That got me thinking, Jasper lets you effectively write code in the reports which gets executed when the report is generated. Is it possible to write a report which has full access to the Java API and therefore my web app. I don't want users being able to kill tomcat or worse still use the DAO api I have built to read other users data.
Does any one know if this is actually possible and if so can you sandbox it somehow. May be I could filter the reports XML before its complied some how?
Also does anyone know if the same applies to other open source reporting tools such as BIRT?

I'm releasing a web service [1] to allow developers to generate PDF using templates drawn on i-report,
So I had to solve the same problem, my first try was to use the Java Security Engine API, but it was too complex with a lot of required permissions.
So while I was searching how Heroku isolates each web app, I discovered the Linux Containers (LXC) [2], so i decided to isolate each "developer sandbox" in a lxc container.
It don't prevent users to shutdown the "sandboxed server", but if they do, they will power off only its own sandbox, other users sandbox won't be affected.
[1] http://reports.simpleservic.es/landing
[2] http://en.wikipedia.org/wiki/LXC

Have a look at the java-sandbox [1] which we use in our BI solution Reportserver [2]. I am currently preparing a blog-post which will explain how to run jasperreports in a sandboxed environment.
As for Birt, the very same applies there too. Here user's cannot directly write java code, but they can use Rhino which in the end has the same effect.
[1] http://blog.datenwerke.net/p/the-java-sandbox.html
[2] http://reportserver.datenwerke.net

Related

Accessing a C++ application from a webpage

I have created an interactive application in Visual C++ that has a graphical user interface and text output. The code is compiled and runs successfully on my computer.
I would like to make the application available for users to access and run via a website (and maybe email the results text). What do I need to do to achieve that?
Edit: I know that this question may look unresearched for many of you. The application I refer is a real scientific application. The question appears vague because I don't know where exactly to start. I did some browsing, but most was above my experience level. I am still looking, but I couldn't find a route yet.

SharePoint CSOM in .NET Core Azure function running on Linux

Looking for advice, not necessarily any actual code. I'm a consultant writing some de-duplication functionality into an existing SharePoint Online \ Azure functions solution for a client.
The requirement: I need to write an Azure function that pulls PDF's from a SharePoint library, so I can hash check it before running it through OCR (ComputerVision API), followed by some text processing and a final similarity check.
The challenge: The client environment is locked down to the n-th degree (financial institution) and I only have access to the Azure resource group I'm currently working in. The existing function app, used by other solutions, runs on runtime 2.0 and Linux. I need to use SharePoint CSOM to access the PDF's for the above mentioned checks, but runtime 2.0 only supports .NET Core (not .NET framework), and .NET Core doesn't support SharePoint CSOM. There is a workaround to get CSOM working in .NET Core by fiddling with target build settings, but then it still doesn't run on Linux. Logic Apps doesn't give me the granularity to run all the checks and balances I need to, and SPFX isn't really a solution to do nightly automated runs without some garish compromises. VM's are out.
Any thoughts or suggestions to get this up and running without shooting myself or my client in the foot?
Here's two options:
Using the raw REST APIs with .Net Core running in Linux. You'll need to figure out how to generate the auth token. I know it can be done but don't have sample code for you at this time.
If Node is an option for you, you can use PnP JS in a Node Azure function. https://spblog.net/post/2017/06/07/Using-PnP-JS-Core-(sp-pnp-js)-in-Nodejs-environment
Do not even bother trying to get the CSOM to work. Also I don't even see how SPFX will work in this case.

Is it possible to use Sonar Web reporting tool stand alone?

SonarQube is a tool use for code quality inspection, it is based on plugins. Sonar has built-in web reporting tool which shows analysis results on web page via different charts and UI controls.
My understanding is that: "Sonar provides different plugins for it's different functionalities, for example sonar-php is a plugin that can be used for analyzing php code, once the code is analyzed it represent the results on web page by mentioning different stats and graphs/charts."
If the above understanding is correct, I assumed Sonar use some kind of web reporting plugin to show all cool graphs and controls to display analysis results that is independent of data source and only responsible of presenting the provided data.
Now, my question is , Suppose I do have some data source , Is it possible to customize and use only that web reporting tool of Sonar to display results on web page ? or it's not possible and I have wrong assumption?
SonarQube is a code quality management tool. There is no specific web reporting tool to display whatever data you want.
If you want to analyze code, you can create a plugin to inject issues on specific part of the code for example. You may be interested by the documentation « Developing a Plugin »

adminLTE and VBscripts?

My goal is to use adminLTE (adminLTE) interface in a corporate setting which allows for VBA scripts to run to automate task which my non-tech savy team can accomplish much quicker than by doing them by hand. (pre-filling emails, providing inventory information, creating and printing forms automatically, integrating with stamps.com, reference and display a lot of excel data). From my understanding, the execution of VBA scripts in a web browser is not allowed.
What are my options for accomplishing my goal?
Do this in an HTA file?
Am I wrong about web browser executions of VB scripts?
Do I need to build an application in Visual Studio?
I have a team of three which need to access this and share data, so it's not like an entire enterprise spread across the nation or anything like that. Thanks.
Any and all thoughts are welcome.
This question is pretty broad - it's the same as asing "what are my options for executing an arbitrary EXE on an end user's computer from a browser." The whole point of browser based applications is to prevent this from happening for security reasons.
If your goal is to deploy VBA scripts to everyone in your organization - that's actually pretty easy - just create an automatically updating Excel addin. This approach is very common and easy to do (more info if needed).
To answer your questions:
Too broad
Yes you can do this in a HTA file but I don't recommend it and I don't think it does what you want.
You cannot run VBA within a browser in the traditional sense. An HTA from what I understand is essentially a desktop app that is written using HTML i.e. you couldn't deploy an HTA to example.com.
You can build a ASP.NET web app in Visual Studio and have your front end (e.g. Admin LTE) call an end point on the backend which then calls an EXE but that would be an EXE on the server and not the client.

SharePoint - Posting and Retrieving files Automatically via VBScript

I'm going to need to push and pull files from a SharePoint site that is not hosted by my company (it is external). I'm only going to get a few days (if that) to get this working so I don't have much time to experiment.
To add to my requirements/headaches, I'm going to have to implement this with VBScript. .Net would be preferred for me but for reasons beyond my control I have to use VBScript. I don't have direct access to my VBScript web server, so I won't be able to implement this in .NET and use that object from VBScript.
I'm looking for anything that would help me accomplish this goal quickly and effectively. I found this post and am wondering if the PUT/GET method used here would work for me?
http://weblogs.asp.net/bsimser/archive/2004/06/06/149673.aspx (I got this link from: Sharepoint API - How to Upload files to Sharepoint Doc Library from ASP.NET Web Application)
To top all of this off, I've never done any programming or administration of a SharePoint site. My knowledge of SharePoint is that of a user. I'm aware that there is an API from the few Google searches I did. However, my readings make me believe that my code would need to run on or in proximity to the SharePoint server. I don't believe I have the proximity I need to use the API.
Sincere thank yous!
Regards,
Frank
Progress Update: I'm still researching this. Tom pointed out that the example I had posted is probably from an old SharePoint version. His recommendation to use .Net to develop a prototype on Web Services is good but I'm hoping for more detailed answers.
I'm now wondering if I can accomplish what I need to accomplish using HTTP PUT and GETs. At my company, for a specific project we do use HTTP PUT and GETs to do something like this. We have files that are stored on an HTTP server and this is how we post and retrieve them.
Would this work over SharePoint or would SharePoint require special handling? Basically, do I have to use Web Services?
Progress Update 2: This link is helpful... Upload a file to SharePoint through the built-in web services
But I am still looking for more information on this topic... Thanks all...
You'll need to use the sharepoint lists web service for metadata and get/put for uploads. That link looks to be for SharePoint 2001, so hopefully you can use the newer/simpler version.
I recommend building something in .net first to get the web service calls worked out - some of the parameters can be quite tricky to debug, and I wouldn't want to be doing that on a remote vbscript page.
Assuming there is no metadata required and the SharePoint library is being used like a file server you can do most of what you want with PUT/GET, but you will probably need a call to GetListItems to find the urls to download.
There's an example on my blog of a lower level call to that web service - it's javascript, but probably close enough.
http://tqcblog.com/2007/09/24/sharepoint-blog-content-rating-with-javascript-and-web-services
What setting up the .net version gets you is very quick set up of a connection to the server (just add a web service reference in visual studio) so you can get the query and queryoptions strings working to retrieve the items you want. Once that works you just have to put it all together as a string including the soap stuff for use without all the nice tools.
I'm a little unclear on the context of the implementation and the prerequisite of having to use VBScript. Are the files being moved from one server to another server or from a user's desktop to this SP server? or are they being accessed via software like Excel?
The first thing that sprang to my mind (this may sound crazy) was using the Office application to make the connection. Your script would call up Excel (just as an example) and pass it the vba needed to initiate the Open File, and then provide the full path to the file that needs to be retrieved. Then have it do a Save As to the location that needs the file. Do the same thing but in reverse for putting files on the SharePoint server.
The tricky part, obviously, is getting the script to interface with the Office app. I know this can be done with the Windows version of PHP, but I don't want to get into anything specific without knowing your situation.
I seriously wonder if you are going to be able to use VBScript to call the SharePoint web services. I haven't looked at the SharePoint web services for a while so I don't remember exactly how they are defined. I thought the web services were SOAP calls though which makes it trickier than
I'm not sure I tried to use Excel to call some web services with the MSSOAP.SoapClient and it seemed this component was unable to handle any WSDL types beyond the very simple strings. Anything with nested data would not work. Instead, you would need to create a COM object to process the conversion which is a major hassle. If you are able to use XMLHTTP component then it might be possible with VBScript, but I'm not sure if it will work with SharePoint web services.
I'm not sure what you mean, "I don't have direct access to my VBScript web server." Is your web server in VBScript (ASP)? Or did you mean SharePoint server?
You might consider C# Script (cs-script) as a scripted solution that uses .NET. I have had good success with it, although it does need to be installed on the computer that runs the script.
I'm integrating between two companies. According to this book, we should use AD FS to accomplish what I'm looking for.
I still don't actually have this working though so if someone has more information I will change the answer to this question.
http://books.google.com/books?id=-6Dw74If4N0C&pg=PA27&lpg=PA27&dq=sharing+sharepoint+sites+external+adfs&source=bl&ots=ojOlMP13tE&sig=FjsMmOHymCOMGo7il7vjWF_lagQ&hl=en&ei=ytqfStClO5mMtgejsfH0Dw&sa=X&oi=book_result&ct=result&resnum=5#v=onepage&q=&f=false
I never really received a answer to this that worked out but this is no longer an issue for me.
What we ended up doing is scraping the html. In effect, we put together our own ad-hoc web service processor where instead of SOAP, html is used to communicate. Then we execute GETs, POSTs, and etc to work with the web service.
We had done something similar in VBScript in for WebDAV -- we had a class and created a new one to work with SharePoint.

Resources