couchdb-dev mailing list archives

From "Brian Candler (JIRA)" <>
Subject [jira] Created: (COUCHDB-622) erlview sandboxing via parse transform
Date Wed, 13 Jan 2010 06:05:57 GMT
erlview sandboxing via parse transform

                 Key: COUCHDB-622
             Project: CouchDB
          Issue Type: Improvement
            Reporter: Brian Candler
            Priority: Minor

I'm just adding this ticket so I don't forget about it.

It's possible to improve the safety of the native erlang view server, just by doing a simple
walk of the parsed abstract form. I think all we need to do is forbid calls to functions in
all external modules m:f(), except for whitelisted modules (e.g. io_lib, lists) or specific
functions. We also need a whitelist of BIFs.

Some care may be needed for imported functions - check if they are already expanded to m:f()
in the abstract form, or remain as f().

My main concern is preventing things like os:cmd(). There are also many possible DoS attacks,
like atom exhaustion or spawning infinite numbers of processes. However, most view definitions
aren't going to need spawn() or list_to_atom(). A configurable whitelist could be very tight
by default, but still allow admins to allow any specific functions they need.
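The abstract-form walk sketched above, as an added example (constructed here, not CouchDB's erlview code; assumes OTP 18+ for maps and erl_anno, and hard-codes the whitelist that the ticket would make configurable). It resolves -import attributes itself, since imported calls remain as local f() in the abstract form, treats any other undefined local call as an auto-imported BIF erlang:f/a, and rejects calls whose module or function sits in a variable because those cannot be checked statically.

```erlang
%% sandbox_check.erl: constructed example, not CouchDB code. Whitelist is hard-coded here.
-module(sandbox_check).
-export([check_string/1, check_forms/1]).
-define(ALLOWED_MODULES, [lists, io_lib, string]).        % whole modules allowed
-define(ALLOWED_CALLS, [{erlang,length,1}, {erlang,element,2}, {erlang,hd,1},
                        {erlang,tl,1}, {erlang,tuple_to_list,1}, {erlang,is_list,1}]).

%% Scan and parse a module given as a string, then check its forms.
check_string(Src) ->
    {ok, Toks, _} = erl_scan:string(Src),
    check_forms([begin {ok, F} = erl_parse:parse_form(T), F end || T <- split_dots(Toks, [], [])]).
split_dots([{dot, _} = D | R], Cur, Acc) -> split_dots(R, [], [lists:reverse([D | Cur]) | Acc]);
split_dots([T | R], Cur, Acc)            -> split_dots(R, [T | Cur], Acc);
split_dots([], _, Acc)                   -> lists:reverse(Acc).

%% Imported functions stay as local calls f() in the abstract form (the compiler
%% expands them later), so resolve -import attributes before judging local calls.
check_forms(Forms) ->
    Env = #{locals  => [{F, A} || {function, _, F, A, _} <- Forms],
            imports => maps:from_list([{{F, A}, M} || {attribute, _, import, {M, FAs}} <- Forms,
                                                      {F, A} <- FAs])},
    case lists:flatmap(fun(Form) -> walk(Env, Form) end, Forms) of
        []  -> ok;
        Bad -> {error, Bad}
    end.
%% Static remote call m:f(...) or fun m:f/a: check it against the whitelist.
walk(Env, {call, _, {remote, _, {atom, L, M}, {atom, _, F}}, Args}) ->
    remote(L, M, F, length(Args)) ++ walk(Env, Args);
walk(_, {'fun', _, {function, {atom, L, M}, {atom, _, F}, {integer, _, A}}}) -> remote(L, M, F, A);
%% Module or function held in a variable cannot be checked statically: reject it.
walk(Env, {call, _, {remote, L, _, _}, Args}) -> [{dynamic_call, erl_anno:line(L)} | walk(Env, Args)];
walk(_, {'fun', L, {function, _, _, _}}) -> [{dynamic_call, erl_anno:line(L)}];
%% Local call or fun f/a: own function, import, or auto-imported BIF (erlang:f/a).
walk(Env, {call, _, {atom, L, F}, Args}) -> local(Env, L, F, length(Args)) ++ walk(Env, Args);
walk(Env, {'fun', L, {function, F, A}}) -> local(Env, L, F, A);
walk(Env, T) when is_tuple(T) -> walk(Env, tuple_to_list(T));   % descend into any other node
walk(Env, [H | T]) -> walk(Env, H) ++ walk(Env, T);
walk(_, _) -> [].

local(#{locals := Ls, imports := Is}, L, F, A) ->
    case lists:member({F, A}, Ls) of
        true  -> [];                                              % defined in this module
        false -> remote(L, maps:get({F, A}, Is, erlang), F, A)   % import, else BIF
    end.

remote(L, M, F, A) ->
    case lists:member(M, ?ALLOWED_MODULES) orelse lists:member({M, F, A}, ?ALLOWED_CALLS) of
        true  -> [];
        false -> [{forbidden_call, erl_anno:line(L), {M, F, A}}]
    end.
```

Feeding it a view module such as `sandbox_check:check_string("-module(v).\n-export([map/1]).\nmap(Doc) -> os:cmd(\"id\").\n")` reports the `os:cmd/1` call on line 3 as forbidden, while calls into `lists` or whitelisted BIFs pass; `apply/3`, `spawn/1` and `list_to_atom/1` are rejected simply by not being on the list.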

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
