erlview sandboxing via parse transform
--------------------------------------
Key: COUCHDB-622
URL: https://issues.apache.org/jira/browse/COUCHDB-622
Project: CouchDB
Issue Type: Improvement
Reporter: Brian Candler
Priority: Minor
I'm just adding this ticket so I don't forget about it.
It's possible to improve the safety of the native erlang view server, just by
doing a simple walk of the parsed abstract form. I think all we need to do is
forbid calls to functions in all external modules m:f(), except for whitelisted
modules (e.g. io_lib, lists) or specific functions. We also need a whitelist of
BIFs.
Some care may be needed for imported functions - check if they are already
expanded to m:f() in the abstract form, or remain as f().
My main concern is preventing things like os:cmd(). There are also many
possible DoS attacks, like atom exhaustion or spawning infinite numbers of
processes. However, most view definitions aren't going to need spawn() or
list_to_atom(). A configurable whitelist could be very tight by default, but
still allow admins to allow any specific functions they need.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
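The walk the ticket sketches, as an added example that is not CouchDB code and not the reporter's: a module (hypothetical name `view_sandbox`) that parses a native view fun the way an erl_eval-based view server takes it (erl_scan:string/1 plus erl_parse:parse_exprs/1) and folds over the resulting abstract form, rejecting every `M:F(...)` whose `{M, F}` is not on a whitelist, treating unqualified calls as auto-imported BIFs (`erlang:F`), and also catching `fun M:F/A` references and run-time computed `Mod:Fun(...)` calls, which the plain "forbid external calls" rule would otherwise miss. The whitelist and the sample views in `demo/0` are constructed for illustration, not a proposed policy.

```erlang
%% Added example, not CouchDB code: walk the abstract form of a native
%% view fun and reject calls outside a whitelist, as the ticket proposes.
-module(view_sandbox).
-export([check_source/1, check_source/2, default_allowed/0, demo/0]).

%% Whitelist entries are {Module, Function}; '_' allows every function in
%% the module. The set below is a constructed starting point, not policy.
default_allowed() ->
    [{lists, '_'}, {io_lib, '_'}, {proplists, '_'}, {string, '_'},
     {erlang, length}, {erlang, element}, {erlang, tuple_size},
     {erlang, integer_to_list}, {erlang, list_to_binary},
     {erlang, binary_to_list}, {erlang, is_list}, {erlang, is_binary},
     {erlang, is_integer}, {erlang, round}, {erlang, abs}].

check_source(Src) ->
    check_source(Src, default_allowed()).

%% Parse a view fun given as a string ending in a dot, e.g.
%% "fun({Doc}) -> Emit(null, Doc) end." and return ok or
%% {error, [{Line, Reason}]} listing every offending call.
check_source(Src, Allowed) ->
    case erl_scan:string(Src) of
        {ok, Tokens, _} ->
            case erl_parse:parse_exprs(Tokens) of
                {ok, Exprs} ->
                    case lists:reverse(walk(Exprs, Allowed, [])) of
                        [] -> ok;
                        Violations -> {error, Violations}
                    end;
                {error, Reason} -> {error, {parse, Reason}}
            end;
        {error, Reason, _} -> {error, {scan, Reason}}
    end.

%% walk/3 folds over the form, accumulating violations (newest first).
walk([], _Allowed, Acc) ->
    Acc;
walk([H | T], Allowed, Acc) ->
    walk(T, Allowed, walk(H, Allowed, Acc));
%% Fully qualified call M:F(Args) with literal module and function.
walk({call, Line, {remote, _, {atom, _, M}, {atom, _, F}}, Args}, Allowed, Acc) ->
    walk(Args, Allowed, note(Line, M, F, length(Args), Allowed, Acc));
%% M:F(Args) where M or F is computed at run time: reject, it cannot be
%% checked statically (Mod = os, Mod:cmd(...) would slip through).
walk({call, Line, {remote, _, _, _} = Remote, Args}, Allowed, Acc) ->
    walk([Remote | Args], Allowed, [{Line, dynamic_remote_call} | Acc]);
%% Unqualified call F(Args). A fun parsed with erl_parse:parse_exprs has no
%% -import, so erl_eval resolves this to the auto-imported BIF erlang:F;
%% check it as such. A parse transform on a real module would first have
%% to resolve -import(M, [F/A]) entries to M:F.
walk({call, Line, {atom, _, F}, Args}, Allowed, Acc) ->
    walk(Args, Allowed, note(Line, erlang, F, length(Args), Allowed, Acc));
%% fun M:F/A is a call in disguise: (fun os:cmd/1)("id"). Newer OTP
%% releases wrap M, F and A in abstract terms; older ones use bare atoms.
walk({'fun', Line, {function, {atom, _, M}, {atom, _, F}, {integer, _, A}}},
     Allowed, Acc) ->
    note(Line, M, F, A, Allowed, Acc);
walk({'fun', Line, {function, M, F, A}}, Allowed, Acc)
        when is_atom(M), is_atom(F), is_integer(A) ->
    note(Line, M, F, A, Allowed, Acc);
walk({'fun', Line, {function, _, _, _}}, _Allowed, Acc) ->
    [{Line, dynamic_remote_fun} | Acc];
%% fun F/A with no module: a BIF reference, checked as erlang:F/A.
walk({'fun', Line, {function, F, A}}, Allowed, Acc)
        when is_atom(F), is_integer(A) ->
    note(Line, erlang, F, A, Allowed, Acc);
%% Everything else (operators, clauses, comprehensions, literals, and the
%% body of fun(...) -> ... end) is walked generically.
walk(T, Allowed, Acc) when is_tuple(T) ->
    walk(tuple_to_list(T), Allowed, Acc);
walk(_, _Allowed, Acc) ->
    Acc.

note(Line, M, F, A, Allowed, Acc) ->
    case lists:member({M, F}, Allowed) orelse lists:member({M, '_'}, Allowed) of
        true -> Acc;
        false -> [{Line, {forbidden_call, M, F, A}} | Acc]
    end.

%% Constructed sample views, not from the ticket.
demo() ->
    Good = "fun({Doc}) -> Id = proplists:get_value(<<\"_id\">>, Doc), "
           "Emit(Id, length(Doc)) end.",
    Shell = "fun({Doc}) -> Emit(null, os:cmd(\"id\")) end.",
    Hidden = "fun({Doc}) -> F = fun os:cmd/1, Emit(null, F(\"id\")) end.",
    Atoms = "fun({Doc}) -> Emit(list_to_atom(binary_to_list(Doc)), 1) end.",
    [{good, check_source(Good)}, {shell, check_source(Shell)},
     {hidden, check_source(Hidden)}, {atoms, check_source(Atoms)}].
```

Compile with `erlc view_sandbox.erl` and call `view_sandbox:demo()`: the first view passes, the `os:cmd` view and the `fun os:cmd/1` view are reported as forbidden calls, and the last is rejected for `list_to_atom/1`, the atom-exhaustion case the ticket mentions. Calls through a variable bound to a fun (`Emit(...)`, `F(...)`) are not checked themselves; that is sound only because every way of obtaining a fun inside the view is either walked (`fun(...) -> ... end` bodies) or checked (`fun M:F/A`), with the remaining funs coming from the caller. The walk covers the `os:cmd()` class of escape only; the denial-of-service cases (unbounded recursion, `receive`, large terms) still need a run-time limit such as a timeout or a separate process with a memory cap, which a static whitelist cannot provide.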