Probably you can only detect something trivial like a `while(true) { ... }` by analyzing the code. But beyond that... well, it's the "Halting problem" (https://en.wikipedia.org/wiki/Halting_problem):
In computability theory <https://en.wikipedia.org/wiki/Computability_theory_(computer_science)>, the *halting problem* is the problem of determining, from a description of an arbitrary computer program <https://en.wikipedia.org/wiki/Computer_program> and an input, whether the program will finish running, or continue to run forever. The halting problem is undecidable <https://en.wikipedia.org/wiki/Undecidable_problem>, meaning that no general algorithm <https://en.wikipedia.org/wiki/Algorithm> exists that solves the halting problem for all possible program–input pairs.
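Since detecting the loop statically is undecidable, the practical defence is to bound execution instead. The following is an added example, not code from this thread or from the JEXL project; it assumes the JEXL 3.2+ API (JexlFeatures, JexlSandbox in blocking mode with allow(...), JexlScript.callable, JexlBuilder.cancellable), and the class name, pool size and 500 ms budget are illustrative choices.

```java
import java.util.concurrent.*;
import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.JexlSandbox;

/** Runs untrusted JEXL scripts with loops enabled but under a hard wall-clock budget (added example). */
public final class BoundedJexlRunner {
    private final JexlEngine jexl;
    private final ExecutorService pool;
    private final long timeoutMillis;

    public BoundedJexlRunner(int maxConcurrentScripts, long timeoutMillis) {
        this.timeoutMillis = timeoutMillis;
        // A fixed pool caps how many runaway scripts can occupy threads at the same time.
        this.pool = Executors.newFixedThreadPool(maxConcurrentScripts);
        JexlFeatures features = new JexlFeatures()
                .loops(true)          // loops stay enabled, as the use case requires
                .newInstance(false)   // no 'new ...' from script text
                .annotation(false)
                .pragma(false);
        // Sandbox created in blocking mode: a class is reachable only if explicitly allowed.
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.allow(String.class.getName());
        this.jexl = new JexlBuilder().features(features).sandbox(sandbox)
                .strict(true).cancellable(true).create();
    }

    /** Parses and runs the script; throws TimeoutException once the budget is exceeded. */
    public Object run(String source, JexlContext ctx) throws Exception {
        JexlScript script = jexl.createScript(source); // throws JexlException if a disabled feature is used
        Future<Object> task = pool.submit(script.callable(ctx));
        try {
            return task.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException te) {
            // Interrupt the worker: the interpreter checks for cancellation between statements
            // and unwinds with JexlException.Cancel. A script blocked inside a non-interruptible
            // Java call keeps its thread until that call returns, which is why the pool is bounded.
            task.cancel(true);
            throw te;
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedJexlRunner runner = new BoundedJexlRunner(4, 500);
        // Constructed sample scripts: a bounded loop and an unbounded one.
        System.out.println(runner.run("var s = 0; for (var i : [1, 2, 3]) { s = s + i; } s", new MapContext()));
        try {
            runner.run("var i = 0; while (true) { i = i + 1; }", new MapContext());
        } catch (TimeoutException te) {
            System.out.println("infinite loop cut off after 500 ms");
        }
        runner.pool.shutdownNow();
    }
}
```

The budget only catches scripts that run too long; a script that allocates aggressively or calls an allowed method in a tight loop still needs the sandbox and pool limits shown here to contain it.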
On 7/8/23 at 11:02, Aditya Kumar1 wrote:
Hi,
I am planning to use the JEXL library in my SaaS-based product to run
JavaScripts/JexlScripts (I understand Jexl is not exactly JavaScript).
Since security is one of the most important requirements for any SaaS-based
product, I am going to use the Jexl Sandbox and Jexl Features to
secure my application. I see that in Jexl Features we have a way to
turn off loops, but for my requirement I need to enable loops in
the scripts.
Is there a way to detect infinite loops in case someone writes an
expression which turns into an infinite loop during evaluation? Also,
someone could try to sabotage our application by running infinite
loops. Is there a way to detect and avoid such a security issue?
PS: I would really appreciate it if you could let me know of any other
security aspects which I need to consider while using the JEXL library.
Thanks,
Aditya
Aditya Kumar1
Technology Architect
Precisely.com <http://www.precisely.com>