
Startup parameters: JavaScript access

Startup parameters change the behavior of the server.

Parameter

jsaccessfilereadregex

jsaccessfilewriteregex

jsaccesscmdregex

Description

These parameters specify access restrictions from JavaScript code for file access and command execution. This is required for security reasons so that users with Process Designer tailoring rights are not able to use the available Service Manager JavaScript APIs to directly access the underlying host file system and command line in an unauthorized way. These restrictions are described below:

  • System administrator (sysadmin) users are allowed unrestricted access to the file system and command line.
  • Non-sysadmin users are also allowed unrestricted access by default, that is, when none of these configuration parameters is present. If any of these parameters is present, access is restricted as follows:
    • jsaccessfilereadregex:<regex>: Files read using the readFile() and uncompressFile() (compressed file only) JavaScript functions must have an absolute path name that matches the regular expression <regex>.

    • jsaccessfilewriteregex:<regex>: Files written using the writeFile(), deleteFile(), makeDir(), uncompressFile() (output dir only), and writeAttachmentToFile() JavaScript functions must have an absolute path name that matches the regular expression <regex>.

    • jsaccesscmdregex:<regex>: Operating system commands executed by using the sysExec() JavaScript function (including parameters) must match the regular expression <regex>.

Regular expressions must use Java-style regex syntax (similar to Perl-style); for example, '.' means any character, and literal backslashes need to be doubled. File path names in jsaccessfilereadregex and jsaccessfilewriteregex must be absolute and use proper delimiters ('/' for UNIX, and '\' for Windows). They are case-sensitive for UNIX and case-insensitive for Windows.

File path names used as parameters to JavaScript functions can still be any legal OS-specific file path names. Absolute and relative path names are allowed as well as the usage of '.' and '..'. On Windows, delimiters can be either '/' or '\', while UNIX only allows '/'. However, path names from JavaScript commands are normalized first (relative paths are made absolute, the '.' and '..' are eliminated, and on Windows '/'s are transformed into '\'s) before they are pattern matched against their corresponding regular expression.

Command line strings in the sysExec() JavaScript function are taken as is and compared to the jsaccesscmdregex regular expression. The following table lists the strings that are not allowed in the command line run by sysExec(). If administrators need to use any of these strings in the command line, they can put the real command line in a .sh or .bat file, and then run the .sh/.bat file in sysExec() instead. When any JavaScript attempts to run unauthorized commands or use these forbidden strings in the command line run by sysExec(), audit warning messages will be logged in the server log (sm.log). The messages include the commands to be run, and the user’s login name.

Forbidden string in command line    Comment
||                                  Logical OR in shell.
|                                   The pipe symbol.
;                                   Shell statement ending; the shell interpreter will run the command that follows.
``                                  A pair of backquotes. The shell interpreter will run the command between `` first, and then insert its STDOUT output into the command line of the outside command.
&&                                  Logical AND in shell.
&                                   Run in the background; the shell interpreter will run the command that follows.
>>                                  File appending; it will write to file.
>                                   File redirection; it will write to file.

Valid if set from

Server's operating system command prompt

Initialization file (sm.ini)

Requires restart of server?

Yes

Default value

None (Unrestricted file access and command execution)

Possible values

Regular expressions

Example usage

  • jsaccessfilereadregex:C:\\Users\\joe\\Documents\\.+|C:\\SM-Install\\server-dist\\RUN\\(\w)+\.js

    Read access is limited to any files under the C:\Users\joe\Documents directory and only for .js files under the C:\SM-Install\server-dist\RUN directory.

  • jsaccessfilewriteregex:^$

    Only matches the empty string. This is used to deny all write access to the file system.

  • jsaccesscmdregex:dir .*|copy "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\from\\(\w)+" "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\to\\(\w)+"

    Command execution is limited to the "dir" command with any parameters or the "copy" command, but only from a file in the C:\Users\spinu\Documents\SM\Special Dir\from directory to a file in the C:\Users\spinu\Documents\SM\Special Dir\to directory.
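
The two behaviors described above (path names are normalized before they are matched, and sysExec() command lines are screened for forbidden strings) can be modeled offline to try out candidate regexes before they go into sm.ini. The following is an added example, not Service Manager code. Its function names, the working directory, whole-string matching, checking forbidden strings before the regex, and the use of JavaScript's RegExp in place of Java regex (the two agree for the constructs used here) are assumptions.

```javascript
// Model of the checks this page describes; not Service Manager code.
// Assumed: the whole string must match the regex, and relative paths
// resolve against CWD (a constructed working directory).
const CWD = 'C:\\SM-Install\\server-dist\\RUN';
// sm.ini values copied from the page's "Example usage" entries.
const READ_REGEX = String.raw`C:\\Users\\joe\\Documents\\.+|C:\\SM-Install\\server-dist\\RUN\\(\w)+\.js`;
const CMD_REGEX = String.raw`dir .*|copy "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\from\\(\w)+" "C:\\Users\\spinu\\Documents\\SM\\Special Dir\\to\\(\w)+"`;
// Forbidden strings from the table (longer operators listed first).
const FORBIDDEN = ['||', '|', ';', '&&', '&', '>>', '>'];

// Windows normalization as described: '/' -> '\', relative -> absolute,
// '.' and '..' eliminated.
function normalizeWin(p) {
  let s = p.replace(/\//g, '\\');
  if (!/^[A-Za-z]:\\/.test(s)) s = CWD + '\\' + s;
  const out = [];
  for (const part of s.slice(3).split('\\')) {
    if (part === '' || part === '.') continue;
    if (part === '..') out.pop(); else out.push(part);
  }
  return s.slice(0, 3) + out.join('\\');
}

// Whole-string match, like Java's String.matches() (assumed semantics).
function fullMatch(regex, text, ignoreCase) {
  return new RegExp('^(?:' + regex + ')$', ignoreCase ? 'i' : '').test(text);
}

// File read check: normalize first, then match case-insensitively (Windows).
function readAllowed(path) {
  return fullMatch(READ_REGEX, normalizeWin(path), true);
}

// sysExec() check: the command line is taken as is (no normalization).
// A pair of backquotes is treated as the forbidden "``" entry.
function cmdCheck(cmd) {
  const bad = /`.*`/.test(cmd) ? '``' : FORBIDDEN.find(s => cmd.includes(s));
  if (bad) return 'forbidden string: ' + bad;
  return fullMatch(CMD_REGEX, cmd, false) ? 'allowed' : 'no regex match';
}

// Constructed inputs: the raw '..' path matches the regex, the normalized
// one does not; 'dir .*' alone would also accept the chained command.
const raw = 'C:\\Users\\joe\\Documents\\..\\..\\bob\\secret.txt';
console.log(fullMatch(READ_REGEX, raw, true), readAllowed(raw));
console.log(cmdCheck('dir C:\\temp & del C:\\temp\\x'));
```

Because `dir .*` by itself matches a command line with a second command appended, the forbidden-string screening is what rejects it; a jsaccesscmdregex that avoids `.*` in favor of explicit argument patterns does not depend on that screening alone.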