Area
login/ui
Describe the bug
The default FreeMarker configuration allows the ?new() built-in to instantiate arbitrary Java classes, including freemarker.template.utility.Execute, which runs shell commands.
This was reported to the Keycloak security team by Kelvin Mbogo. This was later classified as a hardening issue, and not a CVE. Due to that, it is handled publicly.
Changing a FreeMarker template file is something only trusted users should be allowed to do, similar to changing any other file (such as JavaScript sources or adding extensions).
Version
26.2.0 and later
Expected behavior
The functionality to instantiate new instances is not used by Keycloak's original templates, and therefore it should be disabled.
Actual behavior
It is enabled.
How to Reproduce?
See internal issue.
Anything else?
Suggested fix: one line added to DefaultFreeMarkerProvider.java after the Configuration is constructed:
configuration.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
This tells FreeMarker to reject all ?new() calls in templates, which is the right default for a server-side template engine processing potentially untrusted theme content.
Alternatively, SAFER_RESOLVER could be used if any legitimate theme needs to instantiate specific approved classes, but ALLOWS_NOTHING_RESOLVER is the safer default.
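The following is an added stand-alone example, not Keycloak's DefaultFreeMarkerProvider code, showing the effect of the suggested setting on FreeMarker 2.3.x (Java 11+ and the freemarker jar on the classpath are assumed; both template names and their contents are constructed for this demo). An ordinary template keeps rendering, while a template that calls ?new() on even a harmless class is rejected with a TemplateException once ALLOWS_NOTHING_RESOLVER is set, whereas SAFER_RESOLVER only blocks its short fixed list of known-dangerous classes.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

public class NewBuiltinHardeningDemo {

    // Builds a Configuration backed by two in-memory templates (constructed for this demo).
    // "greeting.ftl" is an ordinary theme template; "uses_new.ftl" calls ?new() on a
    // harmless FreeMarker class, to show that the resolver, not the class, decides.
    static Configuration configure(TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("greeting.ftl", "Hello ${name}!");
        loader.putTemplate("uses_new.ftl",
                "${\"freemarker.template.SimpleScalar\"?new(\"built by ?new\")}");
        cfg.setTemplateLoader(loader);
        // The one-line fix proposed above: the resolver is consulted on every ?new() call.
        cfg.setNewBuiltinClassResolver(resolver);
        return cfg;
    }

    // Renders a template with a fixed data model; returns null if FreeMarker refuses it.
    static String render(Configuration cfg, String name) throws IOException {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        try {
            t.process(Map.of("name", "Keycloak"), out);
            return out.toString();
        } catch (TemplateException e) {
            // With ALLOWS_NOTHING_RESOLVER this is the path taken for "uses_new.ftl".
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        Configuration hardened = configure(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        System.out.println("hardened greeting: " + render(hardened, "greeting.ftl"));
        System.out.println("hardened ?new():   " + render(hardened, "uses_new.ftl"));
        // SAFER_RESOLVER blocks only Execute, ObjectConstructor and JythonRuntime, so the
        // same ?new() template still renders here; that is why it is not the safer default.
        Configuration safer = configure(TemplateClassResolver.SAFER_RESOLVER);
        System.out.println("safer ?new():      " + render(safer, "uses_new.ftl"));
    }
}
```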
The documentation should be updated to clarify that FreeMarker templates should only be changed by trusted users.
This issue was originally tracked in the private repository. Migrated by @ahus1.