kezhenxu94 commented on issue #7168:
URL: https://github.com/apache/skywalking/issues/7168#issuecomment-897301321


   > > > > Then we need to harden the LAL engine to make it more secure
   > > > 
   > > > 
   > > > Yes, we need to control its runtime scope. In and in debug sandbox only. Also this mechanism could benefit the MAL debug tool.
   > > 
   > > 
   > > Sandboxing the Groovy runtime is also very complex and may bring CVEs. I once did some research on this too and found https://github.com/jenkinsci/groovy-sandbox, which is not a general-purpose tool but can be a reference; it also has some limitations.
   > 
   > Sorry for misleading. I am not talking about a real sandbox. What I want to say is, we need to determine which variables and methods are allowed in the Groovy runtime we build, because in the MAL or LAL case, we don't allow using Java classes or any 3rd party classes.
   
   They are basically the same complexity: building a boundary around what code can be run and what code cannot. https://github.com/jenkinsci/groovy-sandbox is for the same purpose as our use case.

