GitHub user stechio created a discussion: log4j-script: what about security?
I'm wondering about the security of the library on topic, considering that it allows loading scripts (such as Groovy and JavaScript) from [both configuration and external files](https://logging.apache.org/log4j/2.x/manual/scripts.html). I have no experience in scripting within log4j, so my questions herein may be incorrect: I look forward to your guidance, thanks!

Skimming the documentation and peering at its source code, I couldn't find any reference to security assumptions, concerns, warnings, suggestions, etc.; apparently, the only related code is just the [very code executing the script](https://github.com/apache/logging-log4j2/blob/3871c4cd59ac48f9abca1725bd45087a13ae782c/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptManagerImpl.java#L229C1-L237C1), which relies on `AccessController.doPrivileged(..)` (sic!)...

```java
// ScriptManagerImpl.execute(String, ScriptBindings)
public Object execute(final String name, final ScriptBindings bindings) {
    final ScriptRunner scriptRunner = scriptRunners.get(name);
    if (scriptRunner == null) {
        logger.warn("No script named {} could be found", name);
        return null;
    }
    return AccessController.doPrivileged((PrivilegedAction<Object>) () -> scriptRunner.execute(bindings));
}
```

...and calls [this](https://github.com/apache/logging-log4j2/blob/3871c4cd59ac48f9abca1725bd45087a13ae782c/log4j-script/src/main/java/org/apache/logging/log4j/script/ScriptManagerImpl.java#L282C2-L298C1):

```java
// ScriptRunner.execute(ScriptBindings) inside ScriptManagerImpl
public Object execute(final ScriptBindings bindings) {
    if (compiledScript != null) {
        try {
            return compiledScript.eval((Bindings) bindings);
        } catch (final ScriptException ex) {
            logger.error("Error running script " + script.getName(), ex);
            return null;
        }
    }
    try {
        return scriptEngine.eval(script.getScriptText(), (Bindings) bindings);
    } catch (final ScriptException ex) {
        logger.error("Error running script " + script.getName(), ex);
        return null;
    }
}
```

External script files can even be monitored for changes (via the `isWatched` attribute): does this mean they can be *hot swapped*, potentially with arbitrary code, during the application execution? Are the implementers of log4j-script relying on the optimistic assumption that users will run only *trusted code* in those script files? Or that the applications will run in *secure environments*, such as virtual machines? Is there any architectural documentation/discussion explaining the rationale behind the design choices of this library and their security assessment?

GitHub link: https://github.com/apache/logging-log4j2/discussions/3894

----
This is an automatically sent email for dev@logging.apache.org.
To unsubscribe, please send an email to: dev-unsubscr...@logging.apache.org
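The questions above boil down to one operational concern: whoever can write to the logging configuration, or to a script file it references (especially one with `isWatched="true"`), decides what code the logging subsystem runs. A defender's first step is to know which scripts a configuration pulls in and how they are protected. The following audit script is an added example written for this thread; it is not part of the discussion, of Log4j, or of log4j-script. It parses a Log4j 2 XML configuration, lists inline `Script` bodies, external `ScriptFile` entries and `ScriptRef` references (the element and attribute names documented on the scripts manual page linked above), and flags watched files, files writable by group or others, missing files and dangling references. The sample configuration and the two script files it creates under a temporary directory are constructed for the demo and are not meant to be loaded by Log4j.

```python
"""Audit script declarations in a Log4j 2 XML configuration (added example, not project code)."""
from __future__ import annotations

import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ScriptFinding:
    name: str
    kind: str                  # "inline", "file" or "ref"
    path: Optional[str]        # resolved path for "file" entries, else None
    watched: bool              # True when the code can change while the app runs
    issues: list = field(default_factory=list)


def _local(tag: str) -> str:
    """Drop an XML namespace prefix, if the configuration declares one."""
    return tag.rsplit("}", 1)[-1]


def audit_log4j_scripts(config_xml: str, base_dir: str = ".") -> list:
    """Return one ScriptFinding per script declaration plus one per dangling ScriptRef."""
    root = ET.fromstring(config_xml)
    # monitorInterval > 0 makes Log4j reload the configuration, and with it any inline script.
    reloads = root.get("monitorInterval", "0").strip() not in ("", "0")
    findings, declared, refs = [], set(), []

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "Script":
            name = el.get("name", "<anonymous>")
            declared.add(name)
            f = ScriptFinding(name, "inline", None, reloads)
            f.issues.append("script body lives in the logging configuration; "
                            "whoever can edit the configuration controls the code")
            if reloads:
                f.issues.append("monitorInterval is set: a modified configuration is reloaded at runtime")
            findings.append(f)
        elif tag == "ScriptFile":
            name = el.get("name", "<anonymous>")
            declared.add(name)
            path = el.get("path", "")
            watched = el.get("isWatched", "false").strip().lower() == "true"
            full = path if os.path.isabs(path) else os.path.join(base_dir, path)
            f = ScriptFinding(name, "file", full, watched)
            if watched:
                f.issues.append("isWatched=true: edits to the file take effect while the application runs")
            try:
                mode = os.stat(full).st_mode
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    f.issues.append("script file is writable by group or others (mode %o)" % stat.S_IMODE(mode))
            except FileNotFoundError:
                f.issues.append("script file not found: it will be supplied outside this configuration")
            findings.append(f)
        elif tag == "ScriptRef":
            refs.append(el.get("ref", "<missing ref>"))

    for ref in refs:
        if ref not in declared:
            findings.append(ScriptFinding(ref, "ref", None, False,
                                          ["ScriptRef points at a script that is not declared in <Scripts>"]))
    return findings


def run_demo() -> list:
    """Create a constructed config plus two script files in a temp dir and audit them."""
    tmp = tempfile.mkdtemp(prefix="log4j-script-audit-")
    tight = os.path.join(tmp, "filter.groovy")     # constructed: owner-writable only
    loose = os.path.join(tmp, "selector.js")       # constructed: world-writable and watched
    with open(tight, "w") as fh:
        fh.write("return true\n")
    with open(loose, "w") as fh:
        fh.write("'debug'\n")
    os.chmod(tight, 0o644)
    os.chmod(loose, 0o666)
    config = f"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN" monitorInterval="30">
  <Scripts>
    <Script name="inlineFilter" language="javascript">
      logEvent.getLevel().isMoreSpecificThan(Level.INFO)
    </Script>
    <ScriptFile name="groovyFilter" language="groovy" path="{tight}"/>
    <ScriptFile name="jsSelector" language="javascript" path="{loose}" isWatched="true"/>
    <ScriptFile name="missing" language="groovy" path="scripts/not-there.groovy" isWatched="true"/>
  </Scripts>
  <Filters>
    <ScriptFilter onMatch="ACCEPT" onMismatch="DENY"><ScriptRef ref="groovyFilter"/></ScriptFilter>
    <ScriptFilter onMatch="ACCEPT" onMismatch="DENY"><ScriptRef ref="typoFilter"/></ScriptFilter>
  </Filters>
</Configuration>"""
    return audit_log4j_scripts(config, base_dir=tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"[{finding.kind}] {finding.name} watched={finding.watched} path={finding.path}")
        for issue in finding.issues:
            print("   -", issue)
```

Run it against a real `log4j2.xml` with `audit_log4j_scripts(open(path).read(), base_dir=os.path.dirname(path))`; a clean result is one where every `file` entry has an empty issue list, i.e. no watched files and nothing writable by anyone but the owner. The permission check uses Unix mode bits, so it is meaningful on POSIX hosts.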