couchdb-dev mailing list archives

From "Brian Candler (JIRA)" <j...@apache.org>
Subject [jira] Created: (COUCHDB-622) erlview sandboxing via parse transform
Date Wed, 13 Jan 2010 06:05:57 GMT
erlview sandboxing via parse transform
--------------------------------------

                 Key: COUCHDB-622
                 URL: https://issues.apache.org/jira/browse/COUCHDB-622
             Project: CouchDB
          Issue Type: Improvement
            Reporter: Brian Candler
            Priority: Minor


I'm just adding this ticket so I don't forget about it.

It's possible to improve the safety of the native erlang view server, just by doing a simple
walk of the parsed abstract form. I think all we need to do is forbid calls to functions in
all external modules m:f(), except for whitelisted modules (e.g. io_lib, lists) or specific
functions. We also need a whitelist of BIFs.

Some care may be needed for imported functions - check if they are already expanded to m:f()
in the abstract form, or remain as f().

My main concern is preventing things like os:cmd(). There are also many possible DoS attacks,
like atom exhaustion or spawning infinite numbers of processes. However, most view definitions
aren't going to need spawn() or list_to_atom(). A configurable whitelist could be very tight
by default, but still allow admins to allow any specific functions they need.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
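As an added example (not from the ticket and not CouchDB's own code), an Erlang module sketching the walk the ticket describes: it parses the view source the way the native view server does, rejects remote calls to modules outside a whitelist and local calls outside a BIF whitelist, and also flags two routes such a check has to cover, a module or function name computed at runtime and `fun M:F/A`. The module name and both whitelists are assumptions, and the abstract format assumed is that of OTP R15 and later.

```erlang
%% erlview_sandbox.erl (hypothetical module name): walk a view function's
%% abstract form and reject calls outside a whitelist.
-module(erlview_sandbox).
-export([check_source/1, demo/0]).
%% Assumed whitelists; a real deployment would load these from config.
-define(ALLOWED_MODULES, [lists, io_lib, string, proplists]).
-define(ALLOWED_BIFS, [{length,1}, {hd,1}, {tl,1}, {element,2}, {tuple_size,1},
                       {binary_to_list,1}, {list_to_binary,1}, {is_list,1}, {is_binary,1}]).

%% Parse the view source the way the native view server does (erl_scan +
%% erl_parse:parse_exprs; the source must end with a dot), then walk it.
check_source(Src) ->
    {ok, Tokens, _} = erl_scan:string(Src),
    {ok, Exprs} = erl_parse:parse_exprs(Tokens),
    case walk(Exprs) of
        []         -> ok;
        Violations -> {error, Violations}
    end.

%% Remote call M:F(...) with a literal module and function name.
walk({call, L, {remote, _, {atom, _, M}, {atom, _, F}}, Args}) ->
    case lists:member(M, ?ALLOWED_MODULES) of
        true  -> walk(Args);
        false -> [{remote_call, L, M, F, length(Args)} | walk(Args)]
    end;
%% Module or function computed at runtime (Var:F()): not statically checkable, reject.
walk({call, L, {remote, _, _, _} = Rem, Args}) ->
    [{dynamic_remote_call, L} | walk([Rem | Args])];
%% fun M:F/A evades the call clause above, so treat it like a remote call.
walk({'fun', L, {function, {atom, _, M}, {atom, _, F}, {integer, _, A}}}) ->
    case lists:member(M, ?ALLOWED_MODULES) of
        true  -> [];
        false -> [{remote_fun, L, M, F, A}]
    end;
%% Local call f(...): in a fun expression there is no enclosing module, so it can only be a BIF.
walk({call, L, {atom, _, F}, Args}) ->
    case lists:member({F, length(Args)}, ?ALLOWED_BIFS) of
        true  -> walk(Args);
        false -> [{local_call, L, F, length(Args)} | walk(Args)]
    end;
%% Everything else: descend into the subterms of the abstract form.
walk(Node) when is_tuple(Node) -> walk(tuple_to_list(Node));
walk(List) when is_list(List)  -> lists:flatmap(fun walk/1, List);
walk(_Leaf)                    -> [].

%% Constructed sample views: the first is accepted, the second is rejected.
demo() ->
    Safe   = "fun({Doc}) -> Emit(proplists:get_value(<<\"_id\">>, Doc), length(Doc)) end.",
    Unsafe = "fun({Doc}) -> os:cmd(\"id\"), list_to_atom(binary_to_list(hd(Doc))) end.",
    {check_source(Safe), check_source(Unsafe)}.
```

`demo/0` accepts the first view and rejects the second for its `os:cmd/1` remote call and its `list_to_atom/1` local call, returning the violations with their line numbers so an admin can see exactly what to whitelist if a view genuinely needs it.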

