Hi Sarel,

This is very interesting; I'm also evaluating options to implement "sandboxed" evaluation.

1. The "white-list" classes could be addressed by (adding code to) filter which classes can be instantiated (a pattern matching on the full class name or even further, a JEXL expression to use as a condition).

1bis. There is also the case of "white-list" properties where you may want to hide some properties; an annotation would come to mind but this is intrusive. A less intrusive one would be to describe those as a map of class name to allowed method names/signatures list. The Uberspect could most likely be derived to handle the filtering. It could also handle the getClass and forName (2) issue since this can be seen as a specialized filter on Object and Class / ClassLoader.

3. It may be easier to put a file() and/or url() function on the top-level context (i.e. in the JexlContext) that filter the path (pattern matching or JEXL expression) and of course, filter out the File and URL classes. By only providing what can be accessed through functions, we flank the problem of resource access in a generic unintrusive way.

4. I would tend to rely on the Interpreter class (rather than the JexlArithmetic) which is definitely involved in each call; override each visit method, check that time did not run out and delegate to the original visit if ok. No external watchdog would be needed this way; maybe a dedicated (runtime) exception could be used to traverse up the stack and end the script.

This could be provided as a SandBoxed engine - created from a JexlEngine instance through a createSandboxed(Map<String, List<String>> whiteList, int timeOut) to filter classes/methods - that would wrap/delegate to a filtering Uberspect and time-checking Interpreter.

Comments, loopholes, etc. more than welcome. :-)

Cheers
Henrib

--
View this message in context: http://apache-commons.680414.n4.nabble.com/jexl-JEXL-Secure-Sandbox-tp3626959p3650468.html
Sent from the Commons - User mailing list archive at Nabble.com.
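The whitelist and time-budget checks sketched in the message above, written out as an added example (not code from the thread or from JEXL itself): a plain-Java policy object with a `Map<String, List<String>>` whitelist and a deadline, which a derived filtering Uberspect and a time-checking Interpreter would call into; the class name `SandboxPolicy`, the `"*"` wildcard and the exception name are assumptions of this example.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example: the class/method whitelist and the time check from the message,
// independent of JEXL so the hooks (Uberspect, Interpreter visit methods) stay separate.
final class SandboxPolicy {
    /** Dedicated runtime exception used to unwind the script once the budget is spent. */
    static final class ScriptTimeoutException extends RuntimeException {
        ScriptTimeoutException(String msg) { super(msg); }
    }

    private final Map<Pattern, Set<String>> whiteList = new LinkedHashMap<>();
    private final long deadlineNanos;

    /** whiteList: full-class-name regex -> allowed method names ("*" allows any). */
    SandboxPolicy(Map<String, List<String>> whiteList, int timeoutMillis) {
        for (Map.Entry<String, List<String>> e : whiteList.entrySet()) {
            this.whiteList.put(Pattern.compile(e.getKey()), new HashSet<>(e.getValue()));
        }
        this.deadlineNanos = System.nanoTime() + timeoutMillis * 1_000_000L;
    }

    private Set<String> allowedMethods(Class<?> clazz) {
        for (Map.Entry<Pattern, Set<String>> e : whiteList.entrySet()) {
            if (e.getKey().matcher(clazz.getName()).matches()) return e.getValue();
        }
        return null; // class not listed: nothing is allowed on it
    }

    /** Constructor filter: a script may only instantiate whitelisted classes. */
    boolean allowsInstantiation(Class<?> clazz) {
        return allowedMethods(clazz) != null;
    }

    /** Method filter: getClass, Class and ClassLoader are refused whatever the whitelist says. */
    boolean allowsMethod(Class<?> clazz, String method) {
        if ("getClass".equals(method) || Class.class.isAssignableFrom(clazz)
                || ClassLoader.class.isAssignableFrom(clazz)) return false;
        Set<String> allowed = allowedMethods(clazz);
        return allowed != null && (allowed.contains("*") || allowed.contains(method));
    }

    /** To be called from each visit(): aborts the script once the time budget is spent. */
    void checkTime() {
        if (System.nanoTime() > deadlineNanos) throw new ScriptTimeoutException("script time budget exceeded");
    }

    public static void main(String[] args) {
        Map<String, List<String>> wl = new HashMap<>(); // constructed sample whitelist
        wl.put("java\\.lang\\.String", Arrays.asList("length", "toUpperCase"));
        wl.put("java\\.util\\.ArrayList", Arrays.asList("*"));
        SandboxPolicy p = new SandboxPolicy(wl, 100);
        System.out.println(p.allowsMethod(String.class, "length") + " " + p.allowsMethod(String.class, "getClass")
                + " " + p.allowsInstantiation(java.io.File.class));
    }
}
```

Instantiation of `java.io.File` and any call to `getClass` are refused by construction, which is the check the file()/url() functions in point 3 rely on so that scripts cannot reach the filesystem through a class the whitelist never named.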
