CME-1309

Script Engine Restriction (Sandbox / Disable)

Description

Restricts or disables application-embedded scripting and expression language engines to prevent arbitrary code execution. Covers three postures: (1) disable unnecessary script consoles and evaluation endpoints entirely (e.g., Jenkins Script Console, debug REPLs), (2) enforce a language-level sandbox that blocks dangerous operations such as file I/O, process execution, classloading, and reflection while permitting safe computation (e.g., Jenkins Groovy Sandbox, Java SecurityManager for scripting), and (3) restrict expression language evaluation to a safe subset by disabling type resolution, method invocation, and class instantiation in EL/template contexts. Applies to Groovy, OGNL, SpEL, MVEL, Jinja2, EL 3.0, Freemarker, and similar engines embedded in Java EE, CI/CD platforms, and web frameworks.
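The following is an added example, not part of the CME entry and not code from any of the projects it names. It shows posture (3) for Spring's SpEL: the same user-supplied expressions evaluated once with a StandardEvaluationContext (type resolution, method and constructor invocation all enabled) and once with SimpleEvaluationContext.forReadOnlyDataBinding(), which permits only property reads and operators on the root object. The Order class, the rule string and the probe string are constructed for the demo; spring-expression (5.x or 6.x) is assumed to be on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not from the CME entry). Assumes spring-expression on the classpath.
public class SpelContextDemo {

    // Hypothetical root object exposed to user-supplied expressions (e.g. a rule engine).
    public static class Order {
        private final String customer;
        private final int amount;
        public Order(String customer, int amount) { this.customer = customer; this.amount = amount; }
        public String getCustomer() { return customer; }
        public int getAmount() { return amount; }
    }

    // Legitimate business rule: property reads and operators only (constructed input).
    static final String SAFE_RULE = "amount > 100 and customer == 'acme'";

    // Probe that exercises type resolution plus a static method call (constructed input).
    // It reads a JVM property rather than doing anything destructive, which is enough
    // to show whether the engine resolves T() references and methods at all.
    static final String TYPE_PROBE = "T(java.lang.System).getProperty('java.version')";

    // Evaluates one expression and reports either its value or the SpEL error code.
    static String evaluate(EvaluationContext ctx, String expr, Object root) {
        try {
            Expression e = new SpelExpressionParser().parseExpression(expr);
            return "value=" + e.getValue(ctx, root);
        } catch (SpelEvaluationException ex) {
            // SimpleEvaluationContext has no type locator, method resolvers or
            // constructor resolvers, so T(), method calls and 'new' fail here.
            return "blocked: " + ex.getMessageCode();
        }
    }

    public static void main(String[] args) {
        Order order = new Order("acme", 250);

        // Insecure for untrusted input: full type locator, reflection, method/constructor resolution.
        EvaluationContext unrestricted = new StandardEvaluationContext();

        // Hardened: read-only property access on the root object and nothing else.
        EvaluationContext restricted = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        System.out.println("standard / rule : " + evaluate(unrestricted, SAFE_RULE, order));
        System.out.println("standard / probe: " + evaluate(unrestricted, TYPE_PROBE, order));
        System.out.println("simple   / rule : " + evaluate(restricted, SAFE_RULE, order));
        System.out.println("simple   / probe: " + evaluate(restricted, TYPE_PROBE, order));
    }
}
```

The business rule evaluates to true under both contexts, so restricting the context costs nothing for legitimate expressions; only the probe differs, returning the JVM version under StandardEvaluationContext and a SpelEvaluationException under SimpleEvaluationContext. Restricting the evaluation context in this way is the durable control for SpEL: the Java SecurityManager mentioned in the description is deprecated for removal since JDK 17 (JEP 411), so it should not be the only layer relied on for scripting engines.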

CVSS Vector Impacts

| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Direct code execution via the scripting engine is blocked; exploitation requires discovering a sandbox bypass or an unrestricted evaluation path, which demands vulnerability-specific research rather than trivial payload submission |
| Integrity (I) | H → L | Sandboxed script engine cannot invoke arbitrary system commands, modify files, or alter application state outside the permitted API surface; integrity impact is confined to the script's authorized scope |
| Confidentiality (C) | H → L | Script engine cannot read arbitrary files, access credentials, or exfiltrate data from the host; information disclosure is limited to data the script is explicitly permitted to access |

CWE Relationships

Verification

Verify script consoles are disabled or sandboxed, and expression language evaluation is restricted

$ curl -s -o /dev/null -w '%{http_code}' -X POST http://localhost:8080/jenkins/script --data 'script=println(1)'
# Expected: 403 or 404 (Script Console disabled or access-restricted to administrators only)
Platform: any

$ grep -rn 'GroovySandbox\|SecureGroovyScript\|sandbox(true)' <app_source>/
# Expected: Groovy sandbox enforcement present in pipeline/script execution paths
Platform: any

$ grep -rn 'SimpleEvaluationContext\|StandardEvaluationContext' <app_source>/
# Expected: StandardEvaluationContext absent from code paths that evaluate user-controlled SpEL; SimpleEvaluationContext used there instead
Platform: any