Security features of user layouts?

Topics: General
Jan 25, 2013 at 8:39 PM

Does Orchard do anything to ensure razor files like Layout.cshtml are safe?

For example, if a user, either intentionally or accidentally uploaded a Layout.cshtml that had code that was detrimental in some way.  Infinite loop, excessive memory usage, attempts to do things like access data outside of the view model like grabbing something from the web config file and displaying it on the page.  With MVC razor views, you can pretty much run any C# code, and taking someone's cshtml file and blindly running it on your server is like letting them execute anything they want.  I'm trying to find a solution that allows users with HTML/CSS knowledge to provide their own Layout.cshtml, but with a level of safety in place.

I'm not trying to criticize Orchard, as even DotNetNuke is the same way in that skins are executable files and you are explicitly advised to only install skins from a trusted source. I'm just trying to get an idea of whether that is the case for Orchard, or if there are cleaning/safety mechanisms in place to ensure user-provided Layouts are made safe in some way.

The only thing I could find in general was mention of tenant isolation as one security feature.

Thanks :)

Jan 31, 2013 at 9:57 AM
If someone has the rights to upload an arbitrary cshtml site, he owns your site. cshtml is code. There is nothing you can do about it.

Multi-tenancy is not a security feature.
Jan 31, 2013 at 4:14 PM
Thank you for clarifying that Orchard implements standard behavior of CSHTML. I am quite familiar with the capabilities of CSHTML in the context of MVC, but I did not want to make any assumptions about Orchard's handling of cshtml before getting clarification.

Do you mean tenant isolation is not a security feature in Orchard? Or are you stating tenant isolation is not a security feature in general? What is the meaning of "tenant isolation" in your documentation? In other multi-tenant CMS systems, I would interpret the term "isolation" to refer to jailing to ensure one tenant's site cannot be manipulated by another's, to ensure that the security of one tenant's site cannot be compromised by another. If one tenant can upload a CSHTML file then they can easily do just about anything with a @{} code block. That code block could traverse the filesystem, and theoretically modify another tenant's files, either intentionally or accidentally, and have severe consequences. Arbitrary execution of code outside of the intended context is always a security issue. It allows a wide variety of attacks. This is exactly why buffer overflow and SQL injection attacks are so serious, because they allow someone to run arbitrary code in the context of the server application that has been compromised.
Feb 10, 2013 at 9:51 PM
I mean that tenant isolation is not a security feature in Orchard, yes. Tenant isolation means that the data for each tenant is separated in such a way that the data from tenant 1 is not going to show on tenant 2. In general one tenant can't modify another tenant's data, but as they are stored in the same database we can't guarantee that absolutely: a rogue module has access to all of the tables in the database, and so could modify data on another tenant. If you want to protect your sites against such things, the application cannot do much, and instead you'll have to set up isolation at the database level, by modifying the permissions on each table, and using a different user to connect to the DB for each tenant. The secure isolation is then provided by SQL Server, not by the application. But even that is still not hack-proof as a module could still read the other tenant configuration and gain access to the database tables for the other tenant.

For all these reasons, we don't advertise multi-tenancy as a security feature, but rather as a way to host more than one site in one instance. It's a feature that is intended to save resources, definitely not to provide security. There is no way to ensure secure isolation if the sites run in the same application.

If you need secure isolation of sites, you should NOT use multi-tenancy. You should have one Orchard instance per site. This is (and going to remain) the only way to guarantee secure isolation of the sites.
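The database-level setup described in the reply above (a separate SQL Server principal per tenant, with permissions scoped to that tenant's tables), written out as an added T-SQL example. This is not code from the thread or from Orchard. It assumes a single database named OrchardDb and that each tenant's tables carry a distinct name prefix (Tenant1_ and Tenant2_ here); the login names, passwords and prefixes are placeholders, and the permission check at the end uses EXECUTE AS to confirm that the first tenant's principal cannot read the second tenant's tables.

```sql
-- Added example (not from the thread or from Orchard): one SQL Server login and
-- database user per tenant, with table-level GRANT/DENY scoped by table prefix.
-- Assumptions (hypothetical): database OrchardDb, tenant table prefixes
-- Tenant1_ / Tenant2_, placeholder login names and passwords.
USE OrchardDb;
GO

-- One principal per tenant; each tenant's connection string authenticates as its own user.
CREATE LOGIN orchard_tenant1 WITH PASSWORD = N'<strong password for tenant 1>';
CREATE LOGIN orchard_tenant2 WITH PASSWORD = N'<strong password for tenant 2>';
CREATE USER  orchard_tenant1 FOR LOGIN orchard_tenant1;
CREATE USER  orchard_tenant2 FOR LOGIN orchard_tenant2;
GO

-- Build GRANT statements for every table that belongs to the tenant (by prefix)
-- and DENY statements for every table that does not, then execute them.
-- DENY takes precedence over any GRANT inherited through a role, so a later
-- accidental "GRANT ... TO public" does not silently widen access.
DECLARE @user   sysname;
DECLARE @prefix sysname;
DECLARE @sql    nvarchar(max);

DECLARE tenants CURSOR LOCAL FAST_FORWARD FOR
    SELECT N'orchard_tenant1', N'Tenant1_'
    UNION ALL
    SELECT N'orchard_tenant2', N'Tenant2_';

OPEN tenants;
FETCH NEXT FROM tenants INTO @user, @prefix;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'';
    SELECT @sql += CASE
                       WHEN t.name LIKE @prefix + N'%'
                           THEN N'GRANT SELECT, INSERT, UPDATE, DELETE ON '
                       ELSE N'DENY SELECT, INSERT, UPDATE, DELETE ON '
                   END
                   + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
                   + N' TO ' + QUOTENAME(@user) + N';' + CHAR(10)
    FROM sys.tables t
    JOIN sys.schemas s ON s.schema_id = t.schema_id;

    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM tenants INTO @user, @prefix;
END
CLOSE tenants;
DEALLOCATE tenants;
GO

-- Verification: impersonate tenant 1 and list effective permissions on a
-- tenant 2 table. The result set should be empty; a SELECT against that
-- table under the impersonated user should fail with a permission error.
EXECUTE AS USER = 'orchard_tenant1';
SELECT *
FROM sys.fn_my_permissions(N'dbo.Tenant2_Settings_ShellSettingsRecord', N'OBJECT');
REVERT;
GO
```

Note the caveat the reply itself makes: this moves enforcement from the application to SQL Server, but a rogue module running in the same process can still read tenant 2's shell settings (including its connection string) from disk and connect as tenant 2's user. The GRANT/DENY pairing raises the bar against accidental cross-tenant queries; it does not turn multi-tenancy into secure isolation, which is why the reply recommends one Orchard instance per site when isolation is a requirement.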