commons-user mailing list archives

From henrib <>
Subject Re: [jexl] JEXL Secure Sandbox
Date Thu, 07 Jul 2011 01:46:21 GMT
Hi Sarel;

This is very interesting; I'm also evaluating options to implement
"sandboxed" evaluation.

1. The "white-list" classes could be addressed by (adding code to) filter
which classes can be instantiated (a pattern matching on the full class name
or even further, a JEXL expression to use as a condition).
1bis: There is also the case of "white-list" properties where you may want
to hide some properties; an annotation would come to mind but this is
intrusive.  A less intrusive one would be to describe those as a map of
class name to allowed method names/signatures list.

The Uberspect could most likely be derived to handle the filtering. It could
also handle the getClass and forName (2) issue since this can be seen as a
specialized filter on Object and Class / ClassLoader.

3. It may be easier to put a file() and/or url() function on the top-level
context (i.e. in the JexlContext) that filters the path (pattern matching or
JEXL expression) and of course, filter out the File and URL classes. By only
providing what can be accessed through functions, we flank the problem of
resource access in a generic unintrusive way.

4. I would tend to rely on the Interpreter class (rather than the
JexlArithmetic) which is definitely involved in each call; override each
visit method, check that time has not run out and delegate to the original visit
if ok. No external watchdog would be needed this way; maybe a dedicated
(runtime) exception could be used to traverse up the stack and end the

This could be provided as a SandBoxed engine - created from a JexlEngine
instance through a createSandboxed(Map<String, List<String>>
whiteList, int timeOut) to filter classes/methods - that would wrap/delegate
to a filtering Uberspect and time-checking Interpreter.

Comments, loopholes, etc. more than welcome. :-)

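An added example of the filtering Uberspect sketched in points 1, 1bis and 2 of the message above (editor's example, not code from the thread, from Sarel or from the JEXL project; the class names WhiteList, WhiteListUberspect and SandboxDemo are hypothetical, the overridden signatures are assumed to be those of JEXL 2.1's Uberspect, and commons-logging is assumed on the classpath; the scripts and context values are constructed for the demo):

```java
import java.util.*;
import java.util.regex.Pattern;
import org.apache.commons.jexl2.*;
import org.apache.commons.jexl2.introspection.*;
import org.apache.commons.logging.LogFactory;

/** Default-deny policy: a class is usable only when its fully qualified name
 *  matches the pattern, a member only when it is listed for that class. */
final class WhiteList {
    private final Pattern classPattern;
    private final Map<String, Set<String>> members = new HashMap<String, Set<String>>();

    WhiteList(String classRegex, Map<String, List<String>> allowed) {
        classPattern = Pattern.compile(classRegex);
        for (Map.Entry<String, List<String>> e : allowed.entrySet()) {
            members.put(e.getKey(), new HashSet<String>(e.getValue()));
        }
    }

    boolean allowsClass(String className) {
        // Reflection escape hatches stay closed whatever the pattern says (point 2).
        if (className == null || className.equals("java.lang.Class")
                || className.equals("java.lang.ClassLoader")
                || className.startsWith("java.lang.reflect.")) {
            return false;
        }
        return classPattern.matcher(className).matches();
    }

    boolean allowsMember(String className, String member) {
        if (!allowsClass(className) || "getClass".equals(member)) return false;
        Set<String> names = members.get(className);
        return names != null && names.contains(member);
    }
}

/** Consults the policy before delegating to JEXL's default introspection.
 *  Returning null makes the interpreter treat the member as unresolvable.
 *  Assumption: method signatures as in JEXL 2.1's Uberspect. */
final class WhiteListUberspect extends UberspectImpl {
    private final WhiteList policy;

    WhiteListUberspect(WhiteList policy) {
        super(LogFactory.getLog(WhiteListUberspect.class));
        this.policy = policy;
    }

    @Override
    public JexlMethod getConstructorMethod(Object ctorHandle, Object[] args, JexlInfo info) {
        // ctorHandle is a Class or the class-name string from new("...", ...)
        String className = ctorHandle instanceof Class<?>
                ? ((Class<?>) ctorHandle).getName() : String.valueOf(ctorHandle);
        return policy.allowsClass(className) ? super.getConstructorMethod(ctorHandle, args, info) : null;
    }

    @Override
    public JexlMethod getMethod(Object obj, String method, Object[] args, JexlInfo info) {
        // Runtime class is checked, so a Class object reached by any route is "java.lang.Class"
        if (obj == null || method == null || !policy.allowsMember(obj.getClass().getName(), method)) {
            return null;
        }
        return super.getMethod(obj, method, args, info);
    }

    @Override
    public JexlPropertyGet getPropertyGet(Object obj, Object id, JexlInfo info) {
        return allowsProperty(obj, id) ? super.getPropertyGet(obj, id, info) : null;
    }

    @Override
    public JexlPropertySet getPropertySet(Object obj, Object id, Object arg, JexlInfo info) {
        return allowsProperty(obj, id) ? super.getPropertySet(obj, id, arg, info) : null;
    }

    private boolean allowsProperty(Object obj, Object id) {
        if (obj == null || id == null) return false;
        String className = obj.getClass().getName();
        // For maps and lists the identifier is an element key, not a member name
        if (obj instanceof Map || obj instanceof List) return policy.allowsClass(className);
        return policy.allowsMember(className, id.toString());
    }
}

public class SandboxDemo {
    public static void main(String[] args) {
        Map<String, List<String>> allowed = new HashMap<String, List<String>>();
        allowed.put("java.lang.String", Arrays.asList("length", "toUpperCase"));
        allowed.put("java.util.ArrayList", Arrays.asList("size", "isEmpty"));
        WhiteList policy = new WhiteList("java\\.(lang\\.String|util\\..*)", allowed);

        JexlEngine jexl = new JexlEngine(new WhiteListUberspect(policy), null, null, null);
        jexl.setLenient(false); // unresolved member -> JexlException instead of a silent null
        jexl.setSilent(false);

        JexlContext ctx = new MapContext(); // constructed sample values
        ctx.set("name", "sarel");
        ctx.set("items", new ArrayList<String>(Arrays.asList("a", "b")));

        String[] scripts = {
            "name.toUpperCase()",                              // allowed
            "items.size()",                                    // allowed
            "name.getClass().forName('java.lang.Runtime')",   // denied at getClass
            "new('java.io.File', '/etc/passwd').exists()"      // denied at the constructor
        };
        for (String script : scripts) {
            try {
                System.out.println(script + " => " + jexl.createExpression(script).evaluate(ctx));
            } catch (JexlException e) {
                System.out.println(script + " => DENIED: " + e.getMessage());
            }
        }
    }
}
```

Two caveats a practitioner would check before relying on this. The policy keys on the runtime class name, so an instance of an unlisted subclass of an allowed class is denied rather than inherited into the allow-list, which is the safe direction but may surprise callers. The Uberspect is only consulted on member access, so it cannot enforce the time-out of point 4: a script that loops over nothing but arithmetic never reaches it, and that check belongs in the Interpreter's visit methods as the message proposes. The file()/url() functions of point 3 would be registered as a namespace through JexlEngine.setFunctions and do their own path filtering, with java.io.File and java.net.URL left out of the class pattern so scripts cannot reach them directly.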