Henri Biestro created JEXL-381:
----------------------------------
Summary: Change default JEXL configuration to a more
security-friendly behaviour
Key: JEXL-381
URL: https://issues.apache.org/jira/browse/JEXL-381
Project: Commons JEXL
Issue Type: Improvement
Affects Versions: 3.2.1
Reporter: Henri Biestro
Assignee: Henri Biestro
Fix For: 3.3

WHAT:
JEXL's default builder allows accessing and calling any public method, field or
constructor of any public class. This might not be desirable since a quick
exploration of JEXL will quickly conclude the library allows arbitrary
execution through commands (ProcessBuilder) or getting to the file-system
through URL or File. This improvement's goal is to change JEXL's permeability to
an explicit option and user decision, not a default behaviour.

HOW:
By changing the current JexlBuilder to use a restricted set of permissions
whilst instantiating the Uberspect, we can ensure a minimal useful set of
classes can be accessed and only those by default. By removing access to almost
all classes that interact with the JVM host and file-system, we ensure a
default isolation that would significantly reduce the ability to use JEXL as an
attack vector.

CAVEAT:
This change will likely break many scripts that were dependent upon the default
permeability.
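
The difference between the restricted and the permeable configuration, as an added example that is not part of the original issue or the project's own code. It assumes commons-jexl3 3.3 on the classpath and its `JexlPermissions.RESTRICTED` / `JexlPermissions.UNRESTRICTED` constants; the class name `PermissionProbe` and the probe scripts are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class PermissionProbe {
    // Constructed probe scripts: two that only touch value classes,
    // and one that reaches a file-system class named in the issue.
    static final String[] PROBES = {
        "'abc'.length()",
        "new('java.util.ArrayList').size()",
        "new('java.io.File', 'probe.txt').getName()"
    };

    // Build an engine with an explicit permission set so the choice is
    // visible in code rather than inherited from the library default.
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)   // unresolved calls raise instead of yielding null
                .silent(false)  // errors surface as JexlException
                .create();
    }

    // Evaluate one script and report whether introspection let it through.
    static String probe(JexlEngine jexl, String script) {
        try {
            Object result = jexl.createScript(script).execute(new MapContext());
            return "allowed -> " + result;
        } catch (JexlException e) {
            return "denied (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);
        JexlEngine permeable = engine(JexlPermissions.UNRESTRICTED);
        for (String script : PROBES) {
            System.out.println(script);
            System.out.println("  restricted:   " + probe(restricted, script));
            System.out.println("  unrestricted: " + probe(permeable, script));
        }
    }
}
```

Running the same probe list against an application's own engine configuration is a quick regression check that an upgrade or refactor has not silently reverted it to the permeable behaviour.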