Security



  • I see that there are options in the API to pass in custom scripts. However, I don't want to expose this capability because I don't want the user to be able to run arbitrary scripts on my backend. Is there a way to turn this function off?

    In fact, there are quite a few fields and values here that I would like to stop the user from passing in entirely. Ideally, they would just pass data, params and the template name and that's it. There's also something called OData API that I'm afraid could be a security risk as well.

    In general, I'm having a hard time figuring out what the exposed surface is in jsreport. Like, I can see that it exposes a Web Interface for working with reports and such, and then there's the Report API, which looks like it has a lot of holes where the user could run code and then there's OData API which I have no idea what it does for me beyond presenting a possible security risk.

    Is there a good breakdown of how to enforce security and permissions within the various APIs jsreport exposes? All these APIs and hidden functions are making me nervous.


  • administrators

    hi! jsreport is a dev tool, so it is not practical to put a lot of efforts into disabling every feature just for security reasons, instead the security is handled in your application. you should treat jsreport just like some other dev technology like docker. so in other words you should not expose full features of such dev tool to end users, instead you create a proxy in front (your own app) with just some basic and safe options to send. for example all users of your app should use your app directly to generate reports not jsreport directly, so you can control how many features of jsreport your end users can use in the end, with that in mind is very easy to control that your users should not be able to send scripts, that control should exists in your app depending on how much permissive you want to be.

    about the http api/OData api is easy too, just make jsreport a local service, not exposed to the public, so you should not be able to connect to it using some public ip, if you need communication between your app and jsreport just use a VPN or a point to a local ip and port in case jsreport in hosted in the same server.

    as you can see the security topics are just the same that you would do with any other dev tool that you want to expose to end users.


Log in to reply
 

Looks like your connection to jsreport forum was lost, please wait while we try to reconnect.