Operations Basics / Version 2304
Table Of ContentsBoth frontend and backend applications are typically deployed with code fragments for customization or may in some cases be written from scratch based on the CoreMedia APIs. Make sure to review source code for security issues.
Validate input data and handle imported data robustly.
Be careful when external data causes the access of local
resources, for example reading files or content objects
or making server-side remote requests.
XML parsing may leak local data through XML external entity (XXE) references.
While the XML API in com.coremedia.xml
has been
hardened as far as possible, the native Java XML parsing
might be more vulnerable.
Java serialization and deserialization must be used with care, because the JVM suspends certain protection mechanism for these operations, allowing both data leaks and code execution.
Note that a Unified API connection
can perform all operations for which its logged-in user is authorized.
A Unified API connection for the
users studio
and workflow
may even incorporate
other users, thereby gaining full access.
This means that extensions of the Workflow Server,
and Studio must be particularly well checked.