
Disable safe mode (DisableSafeMode)

| Type          | Scope | Severity | Activated by default | Minutes to fix | Tags       |
|---------------|-------|----------|----------------------|----------------|------------|
| Vulnerability | BSL   | Major    | Yes                  | 15             | suspicious |

Description

In addition to the configuration's own code, an application solution can execute third-party program code that is connected in various ways (external reports and data processors, extensions, external components, etc.). The developer cannot vouch for the reliability of this code: an attacker can embed destructive actions in it that harm user computers, servers, and the application's data.

These problems are especially critical when configurations operate in the service model (SaaS): having gained access to the service, malicious code can immediately reach the applications of all users of the service.

Execution of such external code must therefore be controlled by running it in safe mode; running it in unsafe mode should be allowed only in exceptional cases, after the code has been verified.

The rule diagnoses calls to SetSafeMode and SetDisableSafeMode that turn safe mode control off, i.e. SetSafeMode(False) and SetDisableSafeMode(True). A Boolean literal passed through a variable is detected as well (see the examples). Calls that keep safe mode on, SetSafeMode(True) and SetDisableSafeMode(False), are not reported.

Examples

    SetSafeMode(False); // error

    Value = False;
    SetSafeMode(Value); // error

    SetSafeMode(True); // no error

    SetDisableSafeMode(True); // error

    Value = True;
    SetDisableSafeMode(Value); // error

    SetDisableSafeMode(False); // no error
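The following is an added example and is not part of the BSL Language Server documentation or of any 1C configuration. It shows the pattern the description recommends: load third-party code with safe mode kept on by default, switch to unsafe mode only after an explicit verification step, and document the one intentional unsafe call with the suppression comment described under Snippets below. `VerifyExternalProcessor` and the `Run` export of the external processor are hypothetical names for the project's own checks; `ExternalDataProcessors.Create(FullFileName, SafeMode)`, `SetSafeMode` and `SetDisableSafeMode` are platform methods.

```bsl
// Added example (not from the BSL Language Server docs).
// Server-side common module procedure: runs an external data processor
// with safe mode on unless the caller has explicitly requested unsafe mode
// and the file passes verification.
Procedure RunExternalProcessor(FullFileName, AllowUnsafeMode = False) Export

    // Third-party code runs in safe mode by default; the second parameter
    // of Create() is SafeMode, and True is also the platform default.
    SafeModeFlag = True;

    If AllowUnsafeMode Then
        // VerifyExternalProcessor is a hypothetical project function,
        // e.g. a comparison of the file hash against an approved list.
        If Not VerifyExternalProcessor(FullFileName) Then
            Raise "External data processor failed verification; refusing to run it in unsafe mode.";
        EndIf;
        SafeModeFlag = False;
    EndIf;

    Processor = ExternalDataProcessors.Create(FullFileName, SafeModeFlag);
    Processor.Run(); // hypothetical export procedure of the external processor

EndProcedure

// Illustrates which calls the DisableSafeMode rule reports and how a reviewed
// exception is recorded in the code.
Procedure SafeModeCalls()

    SetSafeMode(True);          // not reported: safe mode control stays on
    SetDisableSafeMode(False);  // not reported

    SetSafeMode(False);         // reported: disables safe mode control
    SetDisableSafeMode(True);   // reported

    // Reviewed and approved exception: suppressed locally instead of
    // disabling the rule for the whole project.
    // BSLLS:DisableSafeMode-off
    SetSafeMode(False);
    // BSLLS:DisableSafeMode-on

EndProcedure
```

Keeping the suppression scoped to the single reviewed call preserves the rule for the rest of the code base, whereas setting `"DisableSafeMode": false` in the configuration silences it everywhere.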

Sources

Snippets

Suppressing the diagnostic in code

// BSLLS:DisableSafeMode-off
// BSLLS:DisableSafeMode-on

Configuration parameter

"DisableSafeMode": false