[jira] [Commented] (JEXL-381) Change default JEXL configuration to a more security-friendly behaviour

Sat, 05 Nov 2022 02:47:03 -0700 


    [ 
https://issues.apache.org/jira/browse/JEXL-381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629303#comment-17629303
 ] 

Dmitri Blinov commented on JEXL-381:
------------------------------------

Now that I've reviewed the code, I think one of the things that should be added 
from security point is permission checks to classloads via pragma namespace 
declarations. Though there is no way to call methods from classes outside 
permissions scope, there might be undesirable side effects from class loading 
itself - static code initialization, native library code loading etc. Maybe 
there should be an option to disable namespace declarations via pragmas at all 
for those who want to absolutely limit what may be accessed from inside the box.

> Change default JEXL configuration to a more security-friendly behaviour 
> ------------------------------------------------------------------------
>
>                 Key: JEXL-381
>                 URL: https://issues.apache.org/jira/browse/JEXL-381
>             Project: Commons JEXL
>          Issue Type: Improvement
>    Affects Versions: 3.2.1
>            Reporter: Henri Biestro
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.3
>
>
> WHAT:
> JEXL's default builder allows accessing and calling any public method, field 
> or constructor of any public class. This might not be desirable since a quick 
> exploration of JEXL will quickly conclude the library allows arbitrary 
> execution through commands (ProcessBuilder) or getting to the file-system 
> through URL or File. This improvement goal is to change JEXL's permeability 
> as an explicit option and user decision, not a default behaviour.
> HOW:
> By changing the current JexlBuilder to use a restricted set of permissions 
> whilst instantiating the Uberspect, we can ensure a minimal useful set of 
> classes can be accessed and only those by default. By removing access to 
> almost all classes that interact with the JVM host and file-system, we ensure 
> a default isolation that would significantly reduce the ability to use JEXL 
> as an attack vector.
> CAVEAT:
> This change will likely break many scripts that were dependant upon the 
> default permeability.
> [~ggregory], [~dmitri_blinov] your opinions are welcome :-)
> https://lists.apache.org/thread/kgh0kfkcvllp5mj7kwnpdqrbrfcyyopd



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to