Also, trying eval() function of nashorn On Thu, Feb 6, 2020 at 2:15 PM Anurag Sharma <[email protected]> wrote:
> Thanks Emanuel and Mike for answers, > > Interestingly, "Script File" allows "variable register only" expression > language scope. Since we would want to run a different script for each flow > file it would also not work for us :( > > Since our use-case is to run Javascript code, we are looking at 2 options: > 1) Modifying Execute Script Processor code itself. > 2) Calling external serverless service to run Javascript. > > Let us know your thoughts. > > Regards > Anurag > > > > > On Thu, Feb 6, 2020 at 5:17 AM Mike Thomsen <[email protected]> > wrote: > >> What you probably should do for security sake is use flowfile attributes >> and/or dynamic properties on ExecuteScript to dynamic identify a script on >> the file system to execute and what parameters to give it for configuring >> it. >> >> On Wed, Feb 5, 2020 at 6:45 PM Mike Thomsen <[email protected]> >> wrote: >> >>> > What are all possible ways to achieve this functionality? >>> >>> An eval function. Don't know the right way to do it with Nashorn, but in >>> Groovy you could accomplish this like this: >>> >>> def ff = session.get() >>> if (ff) { >>> def attr_val = ff.getAttribute("myScript") >>> def result = Eval.me(attr_val) >>> } >>> >>> That said, I'd definitely get signoffs from other parties on how this >>> fits in because if the people don't sanitize the config files, you've just >>> created a remote code execution hole in your ETL pipeline. >>> >>> Hope that helps. >>> >>> On Wed, Feb 5, 2020 at 2:15 PM Anurag Sharma <[email protected]> >>> wrote: >>> >>>> Hi, >>>> >>>> >>>> We are trying to create a generic data flow where configuration will be >>>> received as JSON. Configuration will have a JavaScript to be executed. >>>> >>>> >>>> >>>> We are stuck on how to execute the script we received in configuration, >>>> as the ExecuteScript processor needs either scriptPath or scriptBody. But >>>> in our case script will be in flowFile's attribute. >>>> >>>> >>>> >>>> What are all possible ways to achieve this functionality? >>>> >>>> >>>> >>>> Along with this, the script should not be able to access the 'session' >>>> and 'context' variables available in the ExecuteScript processor. So how to >>>> sanitise the script before execution? >>>> >>>> >>>> Regards >>>> >>>> Anurag >>>> >>>
