Module Loader Restrictions

Overview

SugarCRM's hosting objective is to maintain the integrity of the standard Sugar functionality when we upgrade a customer instance and limit any negative impact our upgrade has on the customer's modifications. All instances hosted on Sugar's cloud service have package scanner enabled by default. This setting is not configurable and all packages must pass the package scan for installation on Sugar's cloud environment. This includes passing all health checks.

Note: Sugar Sell Essentials customers do not have the ability to upload custom file packages to Sugar using Module Loader.

Access Controls

The Module Loader includes a Module Scanner, which grants system administrators the control they need to determine the precise set of actions that they are willing to offer in their hosting environment. This feature is available in all Sugar products. Anyone who is hosting Sugar products can take advantage of this feature, as well.

Enabling Package Scan

Scanning is disabled in default installations of Sugar and can be enabled through a configuration setting. This setting is added to ./config.php or ./config_override.php, and is not available to Administrator users to modify through the Sugar interface. Please note that this setting can only be managed on an on-site deployment and cannot be disabled for Sugar's cloud environment.

To enable Package Scan and its associated scans, add this setting to ./config_override.php:

  $sugar_config['moduleInstaller']['packageScan'] = true;

There are two categories of access control in the Package Scan:

Enabling File Scan

By enabling Package Scan, File Scan will be performed on all files in the package uploaded through Module Loader. File Scan will be performed when a Sugar administrator attempts to install the package. Please note that these settings can only be managed on an on-site deployment. These settings are not permitted to be modified when hosted on Sugar's cloud service.

File Scan performs three checks:

Please refer to the next three sections which outline the default requirements for the File Scan checks. 

Valid Extension Types

File extensions must be in the approved list of valid extension types. The following extension types are valid by default:

  • css
  • gif
  • hbs
  • htm
  • html
  • jpg
  • js
  • md5
  • pdf
  • php
  • png
  • tpl
  • txt
  • xml

Denylisted Classes

Files must not contain any of the following classes that are considered suspicious by File Scan. 

  • All variable classes (i.e., $class()) are prohibited by default.
  • The following classes are denylisted by default:
    • lua
    • pclzip
    • reflection
    • reflectionclass
    • reflectionexception
    • reflectionextension
    • reflectionfunction
    • reflectionfunctionabstract
    • reflectionmethod
    • reflectionobject
    • reflectionparameter
    • reflectionproperty
    • reflectionzendextension
    • reflector
    • splfileinfo
    • splfileobject
    • ziparchive

Denylisted Function Calls

Files must not contain any of the following function calls that are considered suspicious by File Scan.

  • Variable functions (i.e., $func()) are prohibited by default.
  • Backticks (`) are prohibited by File Scan.
  • The following PHP functions are denylisted by default:
    • addfunction
    • addserver
    • array_diff_uassoc
    • array_diff_ukey
    • array_filter
    • array_intersect_uassoc
    • array_intersect_ukey
    • array_map
    • array_reduce
    • array_udiff
    • array_udiff_assoc
    • array_udiff_uassoc
    • array_uintersect
    • array_uintersect_assoc
    • array_uintersect_uassoc
    • array_walk
    • array_walk_recursive
    • call_user_func
    • call_user_func_array
    • chdir
    • chgrp
    • chmod
    • chroot
    • chwown
    • clearstatcache
    • construct
    • consume
    • consumerhandler
    • copy
    • copy_recursive
    • create_cache_directory
    • create_custom_directory
    • create_function
    • curl_copy_handle
    • curl_exec
    • curl_file_create
    • curl_init
    • curl_multi_add_handle
    • curl_multi_exec
    • curl_multi_getcontent
    • curl_multi_info_read
    • curl_multi_init
    • curl_multi_remove_handle
    • curl_multi_select
    • curl_multi_setopt
    • curl_setopt_array
    • curl_setopt
    • curl_share_init
    • curl_share_setopt
    • curl_share_strerror
    • dir
    • disk_free_space
    • disk_total_space
    • diskfreespace
    • eio_busy
    • eio_chmod
    • eio_chown
    • eio_close
    • eio_custom
    • eio_dup2
    • eio_fallocate
    • eio_fchmod
    • eio_fchown
    • eio_fdatasync
    • eio_fstat
    • eio_fstatvfs
    • eio_fsync
    • eio_ftruncate
    • eio_futime
    • eio_grp
    • eio_link
    • eio_lstat
    • eio_mkdir
    • eio_mknod
    • eio_nop
    • eio_open
    • eio_read
    • eio_readahead
    • eio_readdir
    • eio_readlink
    • eio_realpath
    • eio_rename
    • eio_rmdir
    • eio_sendfile
    • eio_stat
    • eio_statvfs
    • eio_symlink
    • eio_sync
    • eio_sync_file_range
    • eio_syncfs
    • eio_truncate
    • eio_unlink
    • eio_utime
    • eio_write
    • error_log
    • escapeshellarg
    • escapeshellcmd
    • eval
    • exec
    • fclose
    • fdf_enum_values
    • feof
    • fflush
    • fgetc
    • fgetcsv
    • fgets
    • fgetss
    • file
    • file_exists
    • file_get_contents
    • file_put_contents
    • fileatime
    • filectime
    • filegroup
    • fileinode
    • filemtime
    • fileowner
    • fileperms
    • filesize
    • filetype
    • flock
    • fnmatch
    • fopen
    • forward_static_call
    • forward_static_call_array
    • fpassthru
    • fputcsv
    • fputs
    • fread
    • fscanf
    • fseek
    • fstat
    • ftell
    • ftruncate
    • fwrite
    • get
    • getbykey
    • getdelayed
    • getdelayedbykey
    • getfunctionvalue
    • getimagesize
    • glob
    • header_register_callback
    • ibase_set_event_handler
    • ini_set
    • is_callable
    • is_dir
    • is_executable
    • is_file
    • is_link
    • is_readable
    • is_uploaded_file
    • is_writable
    • is_writeable
    • iterator_apply
    • lchgrp
    • lchown
    • ldap_set_rebind_proc
    • libxml_set_external_entity_loader
    • link
    • linkinfo
    • lstat
    • mailparse_msg_extract_part
    • mailparse_msg_extract_part_file
    • mailparse_msg_extract_whole_part_file
    • mk_temp_dir
    • mkdir
    • mkdir_recursive
    • move_uploaded_file
    • newt_entry_set_filter
    • newt_set_suspend_callback
    • ob_start
    • open
    • opendir
    • parse_ini_file
    • parse_ini_string
    • passthru
    • pathinfo
    • pclose
    • pcntl_signal
    • popen
    • preg_replace_callback
    • proc_close
    • proc_get_status
    • proc_nice
    • proc_open
    • readdir
    • readfile
    • readline_callback_handler_install
    • readline_completion_function
    • readlink
    • realpath
    • realpath_cache_get
    • realpath_cache_size
    • register_shutdown_function
    • register_tick_function
    • rename
    • rewind
    • rmdir
    • rmdir_recursive
    • session_set_save_handler
    • set_error_handler
    • set_exception_handler
    • set_file_buffer
    • set_local_infile_handler
    • set_time_limit
    • setclientcallback
    • setcompletecallback
    • setdatacallback
    • setexceptioncallback
    • setfailcallback
    • setserverparams
    • setstatuscallback
    • setwarningcallback
    • setworkloadcallback
    • shell_exec
    • simplexml_load_file
    • simplexml_load_string
    • socket_accept
    • socket_addrinfo_bind
    • socket_addrinfo_connect
    • socket_addrinfo_explain
    • socket_addrinfo_lookup
    • socket_bind
    • socket_clear_error
    • socket_close
    • socket_cmsg_space
    • socket_connect
    • socket_create_listen
    • socket_create_pair
    • socket_create
    • socket_export_stream
    • socket_get_option
    • socket_getopt
    • socket_getpeername
    • socket_getsockname
    • socket_import_stream
    • socket_last_error
    • socket_listen
    • socket_read
    • socket_recv
    • socket_recvfrom
    • socket_recvmsg
    • socket_select
    • socket_send
    • socket_sendmsg
    • socket_sendto
    • socket_set_block
    • socket_set_nonblock
    • socket_set_option
    • socket_setopt
    • socket_shutdown
    • socket_write
    • fsockopen
    • spl_autoload_register
    • sqlite_create_aggregate
    • sqlite_create_function
    • sqlitecreateaggregate
    • sqlitecreatefunction
    • stat
    • stream_bucket_append
    • stream_bucket_make_writeable
    • stream_bucket_new
    • stream_bucket_prepend
    • stream_context_create
    • stream_context_get_default
    • stream_context_get_options
    • stream_context_get_params
    • stream_context_set_default
    • stream_context_set_option
    • stream_context_set_params
    • stream_copy_to_stream
    • stream_filter_append
    • stream_filter_prepend
    • stream_filter_register
    • stream_filter_remove
    • stream_get_contents
    • stream_get_filters
    • stream_get_line
    • stream_get_meta_data
    • stream_get_transports
    • stream_get_wrappers
    • stream_is_local
    • stream_isatty
    • stream_notification_callback
    • stream_register_wrapper
    • stream_resolve_include_path
    • stream_select
    • stream_set_blocking
    • stream_set_chunk_size
    • stream_set_read_buffer
    • stream_set_timeout
    • stream_set_write_buffer
    • stream_socket_accept
    • stream_socket_client
    • stream_socket_enable_crypto
    • stream_socket_get_name
    • stream_socket_pair
    • stream_socket_recvfrom
    • stream_socket_sendto
    • stream_socket_server
    • stream_socket_shutdown
    • stream_supports_lock
    • stream_wrapper_register
    • stream_wrapper_restore
    • stream_wrapper_unregister
    • sugar_chgrp
    • sugar_chmod
    • sugar_chown
    • sugar_file_put_contents
    • sugar_file_put_contents_atomic
    • sugar_fopen
    • sugar_mkdir
    • sugar_rename
    • sugar_touch
    • sybase_set_message_handler
    • symlink
    • system
    • tempnam
    • timestampnoncehandler
    • tmpfile
    • tokenhandler
    • touch
    • uasort
    • uksort
    • umask
    • unlink
    • unzip
    • unzip_file
    • usort
    • write_array_to_file
    • write_array_to_file_as_key_value_pair
    • write_encoded_file
    • xml_set_character_data_handler
    • xml_set_default_handler
    • xml_set_element_handler
    • xml_set_end_namespace_decl_handler
    • xml_set_external_entity_ref_handler
    • xml_set_notation_decl_handler
    • xml_set_processing_instruction_handler
    • xml_set_start_namespace_decl_handler
    • xml_set_unparsed_entity_decl_handler
  • The following class functions are denylisted by default:
    • All variable functions (i.e., $func()) are prohibited by default. 
    • SugarLogger::setLevel
    • SugarAutoLoader::put
    • SugarAutoLoader::unlink

Health Check

Packages must pass all health checks in order to pass through the package scanner. For more information on troubleshooting Health Check output, see the collection of help articles in Troubleshooting Health Check Output.

Disabling File Scan

Note: Disabling File Scan is prohibited for instances on Sugar's cloud service.

To disable File Scan, add the following configuration setting to config_override.php:

  $sugar_config['moduleInstaller']['disableFileScan'] = true;

Extending the List of Valid Extension Types

Note: Modifying the valid extensions list is prohibited for instances on Sugar's cloud service.

To add more file extensions to the approved list of valid extension types, add the file extensions to the validExt array. The example below adds a .log file extension and .htaccess to the valid extension type list in config_override.php:

  $sugar_config['moduleInstaller']['validExt'] = array(
    'log',
    'htaccess'
  );

Denylisting Additional Function Calls

Note: Denylist modifications are prohibited for instances on Sugar's cloud service.

To add additional function calls to the denylist, add the function calls to the blackList array. The example below blocks the strlen() and strtolower() functions from being included in the package:

  $sugar_config['moduleInstaller']['blackList'] = array(
    'strlen',
    'strtolower'
  );

Overriding Denylisted Function Calls

Note: Denylist modifications are prohibited for instances on Sugar's cloud service.

To override the denylist and allow a specific function to be included in packages, add the function call to the blackListExempt array. The example below removes the restriction for the file_put_contents() function, allowing it to be included in the package:

  $sugar_config['moduleInstaller']['blackListExempt'] = array(
    'file_put_contents'
  );
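
The File Scan checks and the validExt, blackList and blackListExempt overrides described above can be approximated locally before a package is uploaded. The following is an added example, not SugarCRM's ModuleScanner code: scanFile(), $defaults and the sample file are hypothetical, $defaults is only a small subset of the default denylist, and the order in which additions and exemptions are applied is an assumption.

```php
<?php
// Added illustration, not SugarCRM's ModuleScanner. $defaults is a subset of the default denylist.
$defaults = ['eval', 'exec', 'system', 'shell_exec', 'file_put_contents', 'call_user_func'];
$config = [ // same shape as the config_override.php examples on this page
    'validExt' => ['log', 'htaccess'],
    'blackList' => ['strlen', 'strtolower'],
    'blackListExempt' => ['file_put_contents'],
];
// Assumption: additions are merged first, then exemptions are removed.
$denylist = array_diff(array_merge($defaults, $config['blackList']), $config['blackListExempt']);
$validExt = array_merge(['css', 'gif', 'hbs', 'htm', 'html', 'jpg', 'js', 'md5', 'pdf',
    'php', 'png', 'tpl', 'txt', 'xml'], $config['validExt']);

function scanFile(string $path, string $code, array $denylist, array $validExt): array
{
    if (!in_array(strtolower(pathinfo($path, PATHINFO_EXTENSION)), $validExt, true)) {
        return ["$path: extension not in the valid list"];
    }
    $issues = [];
    // Drop whitespace and comments so "name /* x */ (" is still recognised as a call.
    $tokens = array_values(array_filter(token_get_all($code), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    foreach ($tokens as $i => $tok) {
        $next = $tokens[$i + 1] ?? null;
        if ($tok === '`') {
            $issues[] = "$path: backtick operator";
        } elseif (is_array($tok) && $next === '(') {
            $name = strtolower(ltrim($tok[1], '\\'));
            if ($tok[0] === T_VARIABLE) {        // $func() or new $class()
                $issues[] = "$path:{$tok[2]}: variable call {$tok[1]}()";
            } elseif (in_array($name, $denylist, true)) {
                $issues[] = "$path:{$tok[2]}: denylisted call $name()";
            }
        }
    }
    return array_values(array_unique($issues));
}

// Constructed package file contents.
$sample = <<<'PHP'
<?php
$callback = 'strtoupper';
echo $callback('ok');
file_put_contents('cache/x.txt', 'data');
echo strlen(`uptime`);
PHP;
print_r(scanFile('hooks/After.php', $sample, $denylist, $validExt));
print_r(scanFile('bin/tool.sh', '', $denylist, $validExt));
```

The check is deliberately conservative: any name followed by an opening parenthesis is compared against the denylist, so method names and function definitions that reuse a denylisted name are reported as well.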

Disabling Restricted Copy

To ensure upgrade-safe customizations, System Administrators must restrict the copy action to prevent modifying the existing Sugar source code files. New files may be added anywhere (to allow new modules to be added), but core Sugar source code files must not be overwritten. This is enabled by default when you enable Package Scan.

Note: Disabling Restricted Copy is prohibited for instances on Sugar's cloud service.

To disable Restricted Copy, use this configuration setting:

  $sugar_config['moduleInstaller']['disableRestrictedCopy'] = true;

Module Loader Actions

Module loader actions, defined in ./ModuleInstall/ModuleScanner.php, are identifiers that map to the installation definitions used in the $installdefs of a manifest.

  Action                  $installdef Actions  Description
  ----------------------  -------------------  -----------------------------------------------------
  install_administration  administration       Installs an administration section into the Admin page
  install_connectors      connectors           Installs SugarCloud Connectors
  install_copy            copy                 Installs files or directories
  install_dashlets        dashlets             Installs dashlets into the Sugar application
  install_images          image_dir            Installs images into the custom directory
  install_languages       language             Installs language files
  install_layoutdefs      layoutdefs           Installs layouts
  install_layoutfields    layoutfields         Installs custom fields
  install_logichooks      logic_hooks          Installs logic hooks
  install_relationships   relationships        Installs relationships
  install_userpage        user_page            Installs a section to the User record page
  install_vardefs         vardefs              Installs vardefs
  post_execute            post_execute         Called after a package is installed
  pre_execute             pre_execute          Called before a package is installed

Disabling Module Loader Actions

Certain Module Loader actions may be considered less desirable than others by a System Administrator. A System Administrator may want to allow some Module Loader actions, but disable specific actions that could impact the upgrade-safe integrity of the Sugar instance.

Note: Disabling Module Loader actions is prohibited for instances on Sugar's cloud service.

By default, all Module Loader actions are allowed. Enabling Package Scan does not affect the Module Loader actions. To disable specific Module Loader actions, add the action to the disableActions array. The example below restricts the pre_execute and post_execute actions:

  $sugar_config['moduleInstaller']['disableActions'] = array(
    'pre_execute',
    'post_execute'
  );
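
A manifest can be reviewed against a disableActions policy and the Restricted Copy rule before installation. The following is an added example, not SugarCRM code: reviewInstalldefs(), ACTION_KEYS, the manifest fragment and the file listing are hypothetical, and treating any already-existing copy target as a core file is an assumption.

```php
<?php
// Added example, not SugarCRM code. Action => $installdefs key, from the table on this page.
const ACTION_KEYS = [
    'install_administration' => 'administration', 'install_connectors' => 'connectors',
    'install_copy' => 'copy', 'install_dashlets' => 'dashlets',
    'install_images' => 'image_dir', 'install_languages' => 'language',
    'install_layoutdefs' => 'layoutdefs', 'install_layoutfields' => 'layoutfields',
    'install_logichooks' => 'logic_hooks', 'install_relationships' => 'relationships',
    'install_userpage' => 'user_page', 'install_vardefs' => 'vardefs',
    'post_execute' => 'post_execute', 'pre_execute' => 'pre_execute',
];

/**
 * Review a manifest's $installdefs against a disableActions policy and a
 * restricted-copy rule. $existing lists files already present in the instance
 * (assumption: any existing target counts as a core file).
 */
function reviewInstalldefs(array $installdefs, array $disableActions, array $existing): array
{
    $findings = [];
    foreach ($disableActions as $action) {
        $key = ACTION_KEYS[$action] ?? null;
        if ($key === null) {
            $findings[] = "policy names unknown action '$action'";
        } elseif (!empty($installdefs[$key])) {
            $findings[] = "disabled action '$action' used via \$installdefs['$key']";
        }
    }
    foreach ($installdefs['copy'] ?? [] as $entry) {
        // Normalise so "./include/utils.php" and "include//utils.php" compare equal.
        $to = preg_replace(['#[\\\\/]+#', '#^(\./)+#'], ['/', ''], $entry['to'] ?? '');
        if (in_array($to, $existing, true)) {
            $findings[] = "copy would overwrite existing file '$to'";
        }
    }
    return $findings;
}

// Constructed manifest fragment, policy and file listing.
$installdefs = [
    'copy' => [
        ['from' => '<basepath>/Files/custom/Extension/modules/Accounts/Ext/Vardefs/x.php',
         'to'   => 'custom/Extension/modules/Accounts/Ext/Vardefs/x.php'],
        ['from' => '<basepath>/Files/include/utils.php', 'to' => './include/utils.php'],
    ],
    'post_execute' => ['<basepath>/scripts/post.php'],
];
print_r(reviewInstalldefs($installdefs, ['pre_execute', 'post_execute'], ['include/utils.php']));
```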

Disabling Upgrade Wizard

If you are hosting Sugar and wish to lock down the upgrade wizard, you can set disable_uw_upload to true in config_override.php. This is intended for hosting providers to prevent unwanted upgrades.

  $sugar_config['disable_uw_upload'] = true;