[ https://issues.apache.org/jira/browse/TINKERPOP-2835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645302#comment-17645302 ]

Dan Snoddy commented on TINKERPOP-2835:
---------------------------------------

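import javax.script.Bindings;
import org.apache.tinkerpop.gremlin.groovy.jsr223.GremlinGroovyScriptEngine;
import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.DefaultGraphTraversal;
import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource;
import org.apache.tinkerpop.gremlin.process.traversal.translator.JavascriptTranslator;
import org.apache.tinkerpop.gremlin.structure.Graph;
import org.apache.tinkerpop.gremlin.structure.util.empty.EmptyGraph;

// Script engine created with default settings, bound to an empty graph as "g"
GremlinGroovyScriptEngine engine = new GremlinGroovyScriptEngine();
Graph graph = EmptyGraph.instance();
GraphTraversalSource g = graph.traversal();
Bindings bindings = engine.createBindings();
bindings.put("g", g);

// query is the Gremlin string being translated; it is evaluated here, before translate() runs
DefaultGraphTraversal graphTraversal = (DefaultGraphTraversal) engine.eval(query, bindings);
String script = JavascriptTranslator.of("g").translate(graphTraversal).getScript();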
 
^^^ something like this should reproduce it. Perhaps this isn't "critical" but 
it was concerning because someone can get to System.getRuntime().
 
To "block" it on our side, I've appended an explain() onto the query and 
executed it – to trap the error and prevent it from going into translate. 

> Query translation ignores sandbox limitations
> ---------------------------------------------
>
>                 Key: TINKERPOP-2835
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2835
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: groovy
>    Affects Versions: 3.5.4
>            Reporter: Dan Snoddy
>            Priority: Critical
>
> When I run a query such as g.V().has('NAME',System.getenv()) our sandbox 
> configuration blocks the execution of System.getenv(), however if the request 
> is passed to one of the translators (e.g. GroovyTranslator), the query is 
> executed (and could be used to reboot a machine, kill the Java VM, run OS 
> level commands, etc):
> `g.V().has("NAME",[("PATH"): 
> ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin .....`
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
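
An added example, not part of the original message and not TinkerPop code: a string-level pre-check that could sit in front of the eval-then-translate path shown in the comment, alongside the explain() approach described there. It accepts only `g` followed by allowlisted steps whose arguments are plain literals; the class name, method name and step allowlist are assumptions made for this sketch.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TraversalGate {
    // Assumed allowlist for this sketch; extend it with the steps your API exposes.
    private static final Set<String> ALLOWED_STEPS =
            Set.of("V", "E", "has", "hasLabel", "out", "in", "both", "values", "limit", "count");

    // A literal argument: a quoted string without escapes (and without '$', which
    // starts GString interpolation inside double quotes), a number, or a boolean.
    private static final String LITERAL =
            "(?:'[^'\\\\]*'|\"[^\"\\\\$]*\"|-?\\d+(?:\\.\\d+)?|true|false)";

    // One step: .name( literal, literal, ... )
    private static final Pattern STEP = Pattern.compile(
            "\\.([A-Za-z]+)\\(\\s*(?:" + LITERAL + "(?:\\s*,\\s*" + LITERAL + ")*)?\\s*\\)");

    /** Returns true only for "g" followed by allowlisted steps with literal arguments. */
    public static boolean isPlainTraversal(String query) {
        String q = query.trim();
        if (!q.startsWith("g.")) {
            return false;
        }
        Matcher m = STEP.matcher(q);
        int pos = 1; // index of the first '.'
        while (pos < q.length()) {
            m.region(pos, q.length());
            if (!m.lookingAt() || !ALLOWED_STEPS.contains(m.group(1))) {
                return false; // method call as argument, property access, or unknown step
            }
            pos = m.end();
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second is the query from the issue description.
        String[] samples = {
            "g.V().has('NAME','alice').values('NAME').limit(10)",
            "g.V().has('NAME',System.getenv())",
            "g.V().has('NAME',\"${System.getenv()}\")",
            "g.V().drop()"
        };
        for (String s : samples) {
            System.out.println((isPlainTraversal(s) ? "ACCEPT  " : "REJECT  ") + s);
        }
    }
}
```

Only the first sample is accepted; the check is deliberately stricter than Gremlin itself (no nested traversals or predicates) and is a complement to the sandbox, not a replacement for it.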
