What you probably should do for security's sake is use flowfile attributes and/or dynamic properties on ExecuteScript to dynamically identify a script on the file system to execute and what parameters to give it for configuring it.

On Wed, Feb 5, 2020 at 6:45 PM Mike Thomsen <[email protected]> wrote:

> > What are all possible ways to achieve this functionality?
>
> An eval function. Don't know the right way to do it with Nashorn, but in
> Groovy you could accomplish this like this:
>
>     def ff = session.get()
>     if (ff) {
>         def attr_val = ff.getAttribute("myScript")
>         def result = Eval.me(attr_val)
>     }
>
> That said, I'd definitely get signoffs from other parties on how this fits
> in because if the people don't sanitize the config files, you've just
> created a remote code execution hole in your ETL pipeline.
>
> Hope that helps.
>
> On Wed, Feb 5, 2020 at 2:15 PM Anurag Sharma <[email protected]>
> wrote:
>
>> Hi,
>>
>> We are trying to create a generic data flow where configuration will be
>> received as JSON. Configuration will have a JavaScript to be executed.
>>
>> We are stuck on how to execute the script we received in configuration,
>> as the ExecuteScript processor needs either scriptPath or scriptBody. But
>> in our case script will be in flowFile's attribute.
>>
>> What are all possible ways to achieve this functionality?
>>
>> Along with this, the script should not be able to access the 'session'
>> and 'context' variables available in the ExecuteScript processor. So how to
>> sanitise the script before execution?
>>
>> Regards
>>
>> Anurag
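
The file-system approach suggested at the top of this message, as an added example that is not code from the thread or from the NiFi project: the attribute carries only a script name, which is resolved inside one administrator-controlled directory and run with a single named parameter. The function names, the `param` binding, the `.groovy` extension rule and the temp directory standing in for the approved-scripts directory are all assumptions made for illustration.

```groovy
import java.nio.file.Files
import java.nio.file.LinkOption
import java.nio.file.Path

// Map an attribute-supplied name to a file inside baseDir; null if rejected.
Path resolveApprovedScript(Path baseDir, String name) {
    // Plain file names only: no separators, no "..", fixed extension.
    if (name == null || !(name ==~ /[A-Za-z0-9_-]{1,64}\.groovy/)) {
        return null
    }
    Path candidate = baseDir.resolve(name)
    // Refuse symlinks and anything that is not a regular file.
    if (!Files.isRegularFile(candidate, LinkOption.NOFOLLOW_LINKS)) {
        return null
    }
    // Compare real paths so the result cannot land outside baseDir.
    Path real = candidate.toRealPath()
    return real.startsWith(baseDir.toRealPath()) ? real : null
}

// Run an approved script with one named parameter and nothing else bound.
def runApproved(Path baseDir, String name, String param) {
    Path script = resolveApprovedScript(baseDir, name)
    if (script == null) {
        throw new SecurityException("script name rejected: ${name}")
    }
    // Fresh Binding: the script sees 'param' only, not session or context.
    // This is not a sandbox; the trust comes from who can write to baseDir.
    return new GroovyShell(new Binding([param: param])).evaluate(script.toFile())
}

// Constructed demo: a temp directory stands in for the approved-scripts directory.
Path dir = Files.createTempDirectory('approved-scripts')
Files.write(dir.resolve('upper.groovy'), 'param.toUpperCase()'.getBytes('UTF-8'))

// In ExecuteScript the two strings would come from ff.getAttribute(...);
// 'upper.groovy' and 'hello' are constructed sample values.
assert runApproved(dir, 'upper.groovy', 'hello') == 'HELLO'
assert resolveApprovedScript(dir, '../upper.groovy') == null   // traversal
assert resolveApprovedScript(dir, 'missing.groovy') == null    // not present
assert resolveApprovedScript(dir, 'Eval.me("1+1")') == null    // code, not a name
```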
