Overview

ProcessMaker offers the Plugin/Trigger Code Security Scanner feature. This feature allows analyzing source code from custom plugins and triggers in order to help find security flaws in the PHP code. Additionally, ProcessMaker administrators have the ability to create a black list of functions that can be used for arbitrary code execution in the server.

ProcessMaker scans the code of custom plugins and triggers in the following cases:

  • Code scanning when a custom plugin is imported (it does not include ProcessMaker plugins)
  • Code scanning when enabling a custom plugin (when the plugin files are physically located in the plugins directory)
  • Code scanning when importing a process.
  • Code scanning when creating/modifying the code of a trigger.
  • Code scanning when executing a case of a process that has triggers in the steps of its tasks (if the trigger has undesired code, it is not executed).

This feature allows checking the existing code of existing plugins and triggers in ProcessMaker with two new options added to the processmaker and gulliver commands. Additionally, the code is verified in designing time when a trigger is saved inside the designer, when a plugin is imported and/or when a plugin is enabled in ProcessMaker.

Make sure the acquired license includes this feature by going to Admin > Plugins > Enterprise Manager. Go to the second panel and click on the Enterprise Features tab. The codeScanner feature must be listed among the features and it must have the check mark besides it.

Configuration

By default, when ProcessMaker is upgraded or installed, it does not scan the code the new or existing code in plugins and triggers. There are two steps to configure ProcessMaker to work correctly.

Configuring the env.ini File

To enable this feature, it is necessary to add an additional attribute to the env.ini file. To do this, first open this file using your favorite text editor (such as Notepad ++) located at:

<INSTALL-DIRECTORY>/workflow/engine/config/env.ini

Add the following attribute:

enable_blacklist = 1

Creating a Custom Blacklist

The first step when working with this feature is to create the file that will contain the list of functions that should be evaluated in ProcessMaker. To do this, create a new plain file using your favorite text editor such as Notepad ++ and name it blacklist.ini.

Add the PHP functions that will be evaluated by the code scanner. For example, the file could contain the following options:

Check this useful information about exploitable PHP functions.

Now, add this file to the following route in ProcessMaker:

<INSTALL-DIRECTORY>/workflow/engine/config

These are all the steps needed to configure the code scanner in ProcessMaker.

Checking the Code of Plugins and Triggers

There are two levels of code verification with the code scanner of ProcessMaker:

When adding new code

After this feature has been configured, all input code in triggers will be verified inside the code editor in the designer:

Already uploaded plugins are verified after they are Disabled and then Enabled:

This feature also scans the code of plugins at the moment they are imported.

For already added code

This feature adds the following option to the ./gulliver command that checks the code added in custom plugins already uploaded to ProcessMaker.

  • check-plugin-disabled-code This option shows the information of undesired code in plugins. Execute this command as follows: $ ./gulliver check-plugin-disabled-code [enterprise-plugin|custom-plugin|all|]

The following option is added to the ./processmaker command to check the code in existing triggers.

  • check-workspace-disabled-code This option shows information about the workspaces with undesired code in triggers. Execute this command as follows: $ ./processmaker check-workspace-disabled-code