Overview

ProcessMaker offers the Plugin/Trigger Code Security Scanner feature, which analyzes the source code of custom plugins and triggers to help find security flaws in their PHP code. Additionally, ProcessMaker administrators can create a blacklist of PHP functions that could be used for arbitrary code execution on the server.

ProcessMaker scans the code of custom plugins and triggers in the following cases:

  • Code scanning when a custom plugin is imported (ProcessMaker Enterprise plugins are not scanned).
  • Code scanning when a custom plugin is enabled (when the plugin files are physically located in the plugins directory).
  • Code scanning when a process is imported.
  • Code scanning when the code of a trigger is created or modified.
  • Code scanning when a case is executed for a process that has triggers in the steps of its tasks (if a trigger contains undesired code, it is not executed).

The feature also checks the code of plugins and triggers that already exist in ProcessMaker, through two new options added to the processmaker and gulliver commands. Additionally, code is verified at design time: when a trigger is saved in the designer, when a plugin is imported, and when a plugin is enabled in ProcessMaker.

Installation

When the Enterprise Edition is installed with its license, the Plugin/Trigger Code Security Scanner feature becomes available. Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the codeScanner feature is installed and enabled.

Configuration

By default, this feature is not configured to scan new or existing code of plugins or triggers when ProcessMaker is installed or upgraded. Therefore, read the following sections to configure the feature and start the Code Scanner.

Configuring the env.ini File

To enable the Plugin/Trigger Code Security Scanner feature, add an attribute to the env.ini file. Set it in the env.ini file of a workspace so that it takes effect only in that workspace, or in the global env.ini file so that it applies to the whole ProcessMaker installation.

Locate the env.ini file:

Global location:

INSTALL-DIRECTORY/processmaker/workflow/engine/config/env.ini

Workspace location:

INSTALL-DIRECTORY/processmaker/shared/sites/WORKSPACE-NAME/env.ini

Open the env.ini file with an editor and add the following line:

enable_blacklist = 1

Creating a Custom Blacklist

The first step when working with this feature is to create the file that lists the functions the scanner should evaluate in ProcessMaker. To do this, create a new plain-text file with a text editor such as Notepad++ and name it blacklist.ini.

Add the PHP functions that will be evaluated by the code scanner. For example, the file could contain the following options:

Check this useful information about exploitable PHP functions.

Now, place this file in the following path in ProcessMaker:

<INSTALL-DIRECTORY>/workflow/engine/config

These are all the steps needed to configure the code scanner in ProcessMaker.
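As an added example (not ProcessMaker's own code), the following PHP script shows the kind of check the scanner performs: it reads a blacklist of function names and reports each direct call to one of them in trigger source, with its line number. It assumes one function name per line, since the real blacklist.ini layout is not shown on this page; parseBlacklist and scanSource are names chosen for the example, and the sample trigger code is constructed.

```php
<?php
// Added example, not ProcessMaker code: reports direct calls to blacklisted PHP
// functions in trigger source, the kind of check the scanner performs. Sample data
// below is constructed. Assumed list format: one function name per line, ';' or '#'
// starts a comment (the real blacklist.ini layout is not shown on this page).
function parseBlacklist(string $text): array
{
    $names = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line !== '' && $line[0] !== ';' && $line[0] !== '#') {
            $names[strtolower($line)] = true;   // PHP function names are case-insensitive
        }
    }
    return $names;
}
// Returns [[function, line], ...] for each direct call to a listed function. Method
// calls ($o->exec()), static calls (X::exec()) and definitions (function exec()) are skipped.
function scanSource(string $php, array $blacklist): array
{
    $hits = []; $tokens = token_get_all($php); $n = count($tokens);
    $isWs = function ($t) { return is_array($t) && $t[0] === T_WHITESPACE; };
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || !isset($blacklist[strtolower($t[1])])) {
            continue;
        }
        for ($j = $i + 1; $j < $n && $isWs($tokens[$j]); $j++);   // skip whitespace after name
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;                                              // no '(' follows: not a call
        }
        for ($k = $i - 1; $k >= 0 && $isWs($tokens[$k]); $k--);   // skip whitespace before name
        if ($k >= 0 && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $hits[] = [strtolower($t[1]), $t[2]];   // $t[2] is the source line number
    }
    return $hits;
}
$blacklist = parseBlacklist("; shell-related functions\nexec\nshell_exec\nsystem\n");
$trigger = <<<'PHP'
<?php
$out = shell_exec('uptime');   // direct call: reported
$db->exec($query);             // method call: not reported
SYSTEM  ('date');              // case-insensitive, whitespace before '(': reported
PHP;
foreach (scanSource($trigger, $blacklist) as [$fn, $line]) {
    echo "line $line: call to blacklisted function $fn()\n";
}
```

Only direct calls by name are detected here, so a list of this kind is a complement to, not a replacement for, restricting who may author triggers and plugins.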

Checking the Code of Plugins and Triggers

There are two levels of code verification with the code scanner of ProcessMaker:

When adding new code

After this feature has been configured, all code entered in triggers is verified inside the code editor in the designer.

Already uploaded plugins are verified after they are disabled and then enabled again.

This feature also scans the code of plugins at the moment they are imported.

For already added code

  • check-plugin-disabled-code: This option is added to the ./gulliver command and reports undesired code in plugins already uploaded to ProcessMaker. To execute it, first change to the gulliver bin directory:

    cd <INSTALL-DIRECTORY>/gulliver/bin

    Then, execute the command as follows:

    Linux:
    ./gulliver check-plugin-disabled-code plugin-type

    Windows:
    php.exe -f gulliver check-plugin-disabled-code plugin-type

    Where the plugin-type can be:

    • enterprise-plugin checks all the installed Enterprise plugins.
    • custom-plugin checks all the installed custom plugins.
    • all checks all the plugins.
    • plugin-name checks only the plugin with the specified name.

  • check-workspace-disabled-code: This option is added to the ./processmaker command and reports the workspaces that contain undesired code in triggers. To execute it, first change to the ProcessMaker directory:

    cd <INSTALL-DIRECTORY>/processmaker

    Then, execute the command as follows:

    Linux:
    ./processmaker check-workspace-disabled-code workspace-name

    Windows:
    php.exe -f processmaker check-workspace-disabled-code workspace-name