[jira] [Commented] (JEXL-381) Change default JEXL configuration to a more security-friendly behaviour

Tue, 01 Nov 2022 02:48:10 -0700 


    [ 
https://issues.apache.org/jira/browse/JEXL-381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627053#comment-17627053
 ] 

Henri Biestro commented on JEXL-381:
------------------------------------

[~dmitri_blinov] The cost of the @NoJexl annotation check is only incurred once 
during method discovery whilst populating the class cache so I doubt you are 
saving much. As for private method, IMO these should remain hidden from JEXL...

I'm quite interested in your Sandbox/security configuration; at quick glance, 
this did not seem to be in your repo/unit tests but I may have missed it. Care 
to share ? Thank :-)

> Change default JEXL configuration to a more security-friendly behaviour 
> ------------------------------------------------------------------------
>
>                 Key: JEXL-381
>                 URL: https://issues.apache.org/jira/browse/JEXL-381
>             Project: Commons JEXL
>          Issue Type: Improvement
>    Affects Versions: 3.2.1
>            Reporter: Henri Biestro
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.3
>
>
> WHAT:
> JEXL's default builder allows accessing and calling any public method, field 
> or constructor of any public class. This might not be desirable since a quick 
> exploration of JEXL will quickly conclude the library allows arbitrary 
> execution through commands (ProcessBuilder) or getting to the file-system 
> through URL or File. This improvement goal is to change JEXL's permeability 
> as an explicit option and user decision, not a default behaviour.
> HOW:
> By changing the current JexlBuilder to use a restricted set of permissions 
> whilst instantiating the Uberspect, we can ensure a minimal useful set of 
> classes can be accessed and only those by default. By removing access to 
> almost all classes that interact with the JVM host and file-system, we ensure 
> a default isolation that would significantly reduce the ability to use JEXL 
> as an attack vector.
> CAVEAT:
> This change will likely break many scripts that were dependant upon the 
> default permeability.
> [~ggregory], [~dmitri_blinov] your opinions are welcome :-)
> https://lists.apache.org/thread/kgh0kfkcvllp5mj7kwnpdqrbrfcyyopd



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to