Module Loader Restrictions
Overview
SugarCRM's hosting objective is to maintain the integrity of the standard Sugar functionality when we upgrade a customer instance and limit any negative impact our upgrade has on the customer's modifications. All instances hosted on Sugar's cloud service have package scanner enabled by default. This setting is not configurable and all packages must pass the package scan for installation on Sugar's cloud environment. This includes passing all health checks.
Note: Sugar Sell Essentials customers do not have the ability to upload custom file packages to Sugar using Module Loader.
Access Controls
The Module Loader includes a Module Scanner, which grants system administrators the control they need to determine the precise set of actions that they are willing to offer in their hosting environment. This feature is available in all Sugar products. Anyone who is hosting Sugar products can take advantage of this feature, as well.
Enabling Package Scan
Scanning is disabled in default installations of Sugar and can be enabled through a configuration setting. This setting is added to ./config.php or ./config_override.php, and is not available to Administrator users to modify through the Sugar interface. Please note that this setting can only be managed on an on-site deployment and cannot be disabled for Sugar's cloud environment.
To enable Package Scan and its associated scans, add this setting to ./config_override.php:
$sugar_config['moduleInstaller']['packageScan'] = true;
There are two categories of access control in the Package Scan:
Enabling File Scan
By enabling Package Scan, File Scan will be performed on all files in the package uploaded through Module Loader. File Scan will be performed when a Sugar administrator attempts to install the package. Please note that these settings can only be managed on an on-site deployment. These settings are not permitted to be modified when hosted on Sugar's cloud service.
File Scan performs three checks:
- File extensions must be in the approved list of valid extension types.
- Files must not contain any suspicious classes.
- Files must not contain any suspicious function calls.
Please refer to the next three sections which outline the default requirements for the File Scan checks.
Valid Extension Types
File extensions must be in the approved list of valid extension types. The following extension types are valid by default:
- css
- gif
- hbs
- htm
- html
- jpg
- js
- md5
- php
- png
- tpl
- txt
- xml
Denylisted Classes
Files must not contain any of the following classes that are considered suspicious by File Scan.
- All variable classes (i.e.,
$class()) are prohibited by default. - The following classes are denylisted by default:
- lua
- pclzip
- reflection
- reflectionclass
- reflectionexception
- reflectionextension
- reflectionfunction
- reflectionfunctionabstract
- reflectionmethod
- reflectionobject
- reflectionparameter
- reflectionproperty
- reflectionzendextension
- reflector
- splfileinfo
- splfileobject
- ziparchive
Denylisted Function Calls
Files must not contain any of the following function calls that are considered suspicious by File Scan.
- Variable functions (i.e.,
$func()) are prohibited by default. - Backticks (
`) are prohibited by File Scan. - The following PHP functions are denylisted by default:
- addfunction
- addserver
- array_diff_uassoc
- array_diff_ukey
- array_filter
- array_intersect_uassoc
- array_intersect_ukey
- array_map
- array_reduce
- array_udiff
- array_udiff_assoc
- array_udiff_uassoc
- array_uintersect
- array_uintersect_assoc
- array_uintersect_uassoc
- array_walk
- array_walk_recursive
- call_user_func
- call_user_func
- call_user_func_array
- call_user_func_array
- chdir
- chgrp
- chmod
- chroot
- chwown
- clearstatcache
- construct
- consume
- consumerhandler
- copy
- copy_recursive
- create_cache_directory
- create_custom_directory
- create_function
- curl_copy_handle
- curl_exec
- curl_file_create
- curl_init
- curl_multi_add_handle
- curl_multi_exec
- curl_multi_getcontent
- curl_multi_info_read
- curl_multi_init
- curl_multi_remove_handle
- curl_multi_select
- curl_multi_setopt
- curl_setopt_array
- curl_setopt
- curl_share_init
- curl_share_setopt
- curl_share_strerror
- dir
- disk_free_space
- disk_total_space
- diskfreespace
- eio_busy
- eio_chmod
- eio_chown
- eio_close
- eio_custom
- eio_dup2
- eio_fallocate
- eio_fchmod
- eio_fchown
- eio_fdatasync
- eio_fstat
- eio_fstatvfs
- eio_fsync
- eio_ftruncate
- eio_futime
- eio_grp
- eio_link
- eio_lstat
- eio_mkdir
- eio_mknod
- eio_nop
- eio_open
- eio_read
- eio_readahead
- eio_readdir
- eio_readlink
- eio_realpath
- eio_rename
- eio_rmdir
- eio_sendfile
- eio_stat
- eio_statvfs
- eio_symlink
- eio_sync
- eio_sync_file_range
- eio_syncfs
- eio_truncate
- eio_unlink
- eio_utime
- eio_write
- error_log
- escapeshellarg
- escapeshellcmd
- eval
- exec
- fclose
- fdf_enum_values
- feof
- fflush
- fgetc
- fgetcsv
- fgets
- fgetss
- file
- file_exists
- file_get_contents
- file_put_contents
- fileatime
- filectime
- filegroup
- fileinode
- filemtime
- fileowner
- fileperms
- filesize
- filetype
- flock
- fnmatch
- fopen
- forward_static_call
- forward_static_call_array
- fpassthru
- fputcsv
- fputs
- fread
- fscanf
- fseek
- fstat
- ftell
- ftruncate
- fwrite
- get
- getbykey
- getdelayed
- getdelayedbykey
- getfunctionvalue
- getimagesize
- glob
- header_register_callback
- ibase_set_event_handler
- ini_set
- is_callable
- is_dir
- is_executable
- is_file
- is_link
- is_readable
- is_uploaded_file
- is_writable
- is_writeable
- iterator_apply
- lchgrp
- lchown
- ldap_set_rebind_proc
- libxml_set_external_entity_loader
- link
- linkinfo
- lstat
- mailparse_msg_extract_part
- mailparse_msg_extract_part_file
- mailparse_msg_extract_whole_part_file
- mk_temp_dir
- mkdir
- mkdir_recursive
- move_uploaded_file
- newt_entry_set_filter
- newt_set_suspend_callback
- ob_start
- open
- opendir
- parse_ini_file
- parse_ini_string
- passthru
- passthru
- pathinfo
- pclose
- pcntl_signal
- popen
- preg_replace_callback
- proc_close
- proc_get_status
- proc_nice
- proc_open
- readdir
- readfile
- readline_callback_handler_install
- readline_completion_function
- readlink
- realpath
- realpath_cache_get
- realpath_cache_size
- register_shutdown_function
- register_tick_function
- rename
- rewind
- rmdir
- rmdir_recursive
- session_set_save_handler
- set_error_handler
- set_exception_handler
- set_file_buffer
- set_local_infile_handler
- set_time_limit
- setclientcallback
- setcompletecallback
- setdatacallback
- setexceptioncallback
- setfailcallback
- setserverparams
- setstatuscallback
- setwarningcallback
- setworkloadcallback
- shell_exec
- simplexml_load_file
- simplexml_load_string
- socket_accept
- socket_addrinfo_bind
- socket_addrinfo_connect
- socket_addrinfo_explain
- socket_addrinfo_lookup
- socket_bind
- socket_clear_error
- socket_close
- socket_cmsg_space
- socket_connect
- socket_create_listen
- socket_create_pair
- socket_create
- socket_export_stream
- socket_get_option
- socket_getopt
- socket_getpeername
- socket_getsockname
- socket_import_stream
- socket_last_error
- socket_listen
- socket_read
- socket_recv
- socket_recvfrom
- socket_recvmsg
- socket_select
- socket_send
- socket_sendmsg
- socket_sendto
- socket_set_block
- socket_set_nonblock
- socket_set_option
- socket_setopt
- socket_shutdown
- socket_write
- fsockopen
- spl_autoload_register
- sqlite_create_aggregate
- sqlite_create_function
- sqlitecreateaggregate
- sqlitecreatefunction
- stat
- stream_bucket_append
- stream_bucket_make_writeable
- stream_bucket_new
- stream_bucket_prepend
- stream_context_create
- stream_context_get_default
- stream_context_get_options
- stream_context_get_params
- stream_context_set_default
- stream_context_set_option
- stream_context_set_params
- stream_copy_to_stream
- stream_filter_append
- stream_filter_prepend
- stream_filter_register
- stream_filter_remove
- stream_get_contents
- stream_get_filters
- stream_get_line
- stream_get_meta_data
- stream_get_transports
- stream_get_wrappers
- stream_is_local
- stream_isatty
- stream_notification_callback
- stream_register_wrapper
- stream_resolve_include_path
- stream_select
- stream_set_blocking
- stream_set_chunk_size
- stream_set_read_buffer
- stream_set_timeout
- stream_set_write_buffer
- stream_socket_accept
- stream_socket_client
- stream_socket_enable_crypto
- stream_socket_get_name
- stream_socket_pair
- stream_socket_recvfrom
- stream_socket_sendto
- stream_socket_server
- stream_socket_shutdown
- stream_supports_lock
- stream_wrapper_register
- stream_wrapper_restore
- stream_wrapper_unregister
- sugar_chgrp
- sugar_chmod
- sugar_chown
- sugar_file_put_contents
- sugar_file_put_contents_atomic
- sugar_fopen
- sugar_mkdir
- sugar_rename
- sugar_touch
- sybase_set_message_handler
- symlink
- system
- tempnam
- timestampnoncehandler
- tmpfile
- tokenhandler
- touch
- uasort
- uksort
- umask
- unlink
- unzip
- unzip_file
- usort
- write_array_to_file
- write_array_to_file_as_key_value_pair
- write_encoded_file
- xml_set_character_data_handler
- xml_set_default_handler
- xml_set_element_handler
- xml_set_end_namespace_decl_handler
- xml_set_external_entity_ref_handler
- xml_set_notation_decl_handler
- xml_set_processing_instruction_handler
- xml_set_start_namespace_decl_handler
- xml_set_unparsed_entity_decl_handler
- The following class functions are denylisted by default:
- All variable functions (i.e.,
$func()) are prohibited by default. - SugarLogger::setLevel
- SugarAutoLoader::put
- SugarAutoLoader::unlink
- All variable functions (i.e.,
Health Check
Packages must pass all health checks in order to pass through the package scanner. For more information on troubleshooting Health Check output, see the collection of help articles in Troubleshooting Health Check Output.
Disabling File Scan
Note: Disabling File Scan is prohibited for instances on Sugar's cloud service.
To disable File Scan, add the following configuration setting to config_override.php:
$sugar_config['moduleInstaller']['disableFileScan'] = false;
Extending the List of Valid Extension Types
Note: Modifying the valid extensions list is prohibited for instances on Sugar's cloud service.
To add more file extensions to the approved list of valid extension types, add the file extensions to the validExt array. The example below adds a .log file extension and .htaccess to the valid extension type list in config_override.php:
$sugar_config['moduleInstaller']['validExt'] = array(
'log',
'htaccess'
);
Denylisting Additional Function Calls
Note: Denylist modifications are prohibited for instances on Sugar's cloud service.
To add additional function calls to the denylist, add the function calls to the blackList array. The example below blocks the strlen() and strtolower() functions from being included in the package:
$sugar_config['moduleInstaller']['blackList'] = array(
'strlen',
'strtolower'
);
Overriding Denylisted Function Calls
Note: Denylist modifications are prohibited for instances on Sugar's cloud service.
To override the denylist and allow a specific function to be included in packages, add the function call to the blackListExempt array. The example below removes the restriction for the file_put_contents() function, allowing it to be included in the package:
$sugar_config['moduleInstaller']['blackListExempt'] = array(
'file_put_contents'
);
Disabling Restricted Copy
To ensure upgrade-safe customizations, System Administrators must restrict the copy action to prevent modifying the existing Sugar source code files. New files may be added anywhere (to allow new modules to be added), but core Sugar source code files must not be overwritten. This is enabled by default when you enable Package Scan.
Note: Disabling Restricted Copy is prohibited for instances on Sugar's cloud service.
To disable Restricted Copy, use this configuration setting:
$sugar_config['moduleInstaller']['disableRestrictedCopy'] = true;
Module Loader Actions
Module loader actions, defined in ./ModuleInstall/ModuleScanner.php, are identifiers that map to the installation definitions used in the $installdefs of a manifest.
| Action | $installdef Actions | Description |
| install_administration | administration | Installs an administration section into the Admin page |
| install_connectors | connectors | Installs SugarCloud Connectors |
| install_copy | copy | Installs files or directories |
| install_dashlets | dashlets | Installs dashlets into the Sugar application |
| install_images | image_dir | Install images into the custom directory |
| install_languages | language | Installs language files |
| install_layoutdefs | layoutdefs | Installs layouts |
| install_layoutfields | layoutfields | Installs custom fields |
| install_logichooks | logic_hooks | Installs logic hooks |
| install_relationships | relationships | Installs relationships |
| install_userpage | user_page | Installs a section to the User record page |
| install_vardefs | vardefs | Installs vardefs |
| post_execute | post_execute | Called after a package is installed |
| pre_execute | pre_execute | Called before a package is installed |
Disabling Module Loader Actions
Certain Module Loader actions may be considered less desirable than others by a System Administrator. A System Administrator may want to allow some Module Loader actions, but disable specific actions that could impact the upgrade-safe integrity of the Sugar instance.
Note: Disabling Module Loader actions is prohibited for instances on Sugar's cloud service.
By default, all Module Loader actions are allowed. Enabling Package Scan does not affect the Module Loader actions. To disable specific Module Loader actions, add the action to the disableActions array. The example below restricts the pre_execute and post_execute actions:
$sugar_config['moduleInstaller']['disableActions'] = array(
'pre_execute',
'post_execute'
);
Disabling Upgrade Wizard
If you are hosting Sugar and wish to lock down the upgrade wizard, you can set disable_uw_upload to 'true' in the config_override. This is intended for hosting providers to prevent unwanted upgrades.
$sugar_config['disable_uw_upload'] = true;