[
https://issues.apache.org/jira/browse/TINKERPOP-2835?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17645411#comment-17645411
]
Stephen Mallette commented on TINKERPOP-2835:
---------------------------------------------
I'm sorry, but something still isn't connecting for me. So, i assume that for
the sake of brevity you didn't include configuration of a sandbox for the
{{GremlinGroovyScriptEngine}}. If you did have the sandbox configured, then why
would the {{engine.eval()}} line succeed to allow the {{Translator}} to run?
fwiw, if you want better security for evaluating Gremlin you should probably
leave groovy evaluation behind and go with the {{GremlinLangScriptEngine}}
which uses an ANTLR grammar to parse the Gremlin script. No JVM access is
possible at all that way.
> Query translation ignores sandbox limitations
> ---------------------------------------------
>
> Key: TINKERPOP-2835
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2835
> Project: TinkerPop
> Issue Type: Bug
> Components: groovy
> Affects Versions: 3.5.4
> Reporter: Dan Snoddy
> Priority: Critical
>
> When I run a query such as g.V().has('NAME',System.getenv()) our sandbox
> configuration blocks the execution of System.getenv(), however if the request
> is passed to one of the translators (e.g. GroovyTranslator), the query is
> executed (and could be used to reboot a machine, kill the Java VM, run OS
> level commands, etc):
> `g.V().has("NAME",[("PATH"):
> ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin .....`
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
