couchdb-dev mailing list archives

From "Alexander Shorin (JIRA)" <>
Subject [jira] [Updated] (COUCHDB-622) erlview sandboxing via parse transform
Date Thu, 20 Jun 2013 12:28:20 GMT


Alexander Shorin updated COUCHDB-622:

    Component/s: View Server Support
> erlview sandboxing via parse transform
> --------------------------------------
>                 Key: COUCHDB-622
>                 URL:
>             Project: CouchDB
>          Issue Type: Improvement
>          Components: View Server Support
>            Reporter: Brian Candler
>            Priority: Minor
> I'm just adding this ticket so I don't forget about it.
> It's possible to improve the safety of the native erlang view server, just by doing a
> simple walk of the parsed abstract form. I think all we need to do is forbid calls to functions
> in all external modules m:f(), except for whitelisted modules (e.g. io_lib, lists) or specific
> functions. We also need a whitelist of BIFs.
> Some care may be needed for imported functions - check if they are already expanded to
> m:f() in the abstract form, or remain as f().
> My main concern is preventing things like os:cmd(). There are also many possible DoS
> attacks, like atom exhaustion or spawning infinite numbers of processes. However, most view
> definitions aren't going to need spawn() or list_to_atom(). A configurable whitelist could
> be very tight by default, but still allow admins to allow any specific functions they need.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

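The walk over the parsed abstract form that the quoted ticket proposes, worked through as an added example (this is not CouchDB code and not from anyone on this thread): an Erlang module that parses a native-view fun, rejects remote calls outside a module whitelist and bare calls outside a BIF whitelist, flags the dynamic Mod:Fun forms a static walk cannot resolve, and rejects the -import attribute the caveat about imported functions refers to, since erl_parse leaves imports unexpanded. The whitelists, the two sample views and the violation tuples are constructed for illustration.

```erlang
-module(erlview_sandbox).
-export([check_string/1, check/1, safe_view/0, unsafe_view/0]).
%% Added example, not CouchDB code: the whitelists below are illustrative, not a recommendation.

%% Modules a view may call into; any other M:F(...) (os, file, erlang, ...) is rejected.
-define(ALLOWED_MODULES, [lists, proplists, string, io_lib]).
%% A parsed fun has no local functions, so a bare f(...) is an auto-imported BIF; only
%% these pass. spawn/1, list_to_atom/1 and apply/3 are deliberately absent.
-define(ALLOWED_BIFS, [{length, 1}, {hd, 1}, {tl, 1}, {element, 2}, {is_list, 1},
                       {is_binary, 1}, {integer_to_list, 1}, {list_to_binary, 1}]).

%% Constructed map functions in the style of a CouchDB native view (Doc is a proplist).
safe_view()   -> "fun({Doc}) -> Emit(proplists:get_value(<<\"_id\">>, Doc), 1) end.".
unsafe_view() -> "fun({Doc}) -> Emit(os:cmd(\"id\"), list_to_atom(\"x\")) end.".

%% Scan and parse view source to abstract form, then walk it: ok | {error, [{Line, Reason}]}.
check_string(Src) ->
    {ok, Tokens, _End} = erl_scan:string(Src),
    {ok, Exprs} = erl_parse:parse_exprs(Tokens),
    check(Exprs).
check(Forms) ->
    case lists:reverse(walk(Forms, [])) of [] -> ok; Violations -> {error, Violations} end.
%% M:F(Args) with literal module and function names.
walk({call, Anno, {remote, _, {atom, _, M}, {atom, _, F}}, Args}, Acc) ->
    walk(Args, remote(Anno, M, F, length(Args), Acc));
%% Mod:Fun(Args) with a module or function computed at run time: not checkable statically.
walk({call, Anno, {remote, _, M, F}, Args}, Acc) ->
    walk([M, F | Args], flag(Anno, dynamic_remote_call, Acc));
%% f(Args): an auto-imported BIF, so list_to_atom/1 and apply/3 end up here.
walk({call, Anno, {atom, _, F}, Args}, Acc) ->
    walk(Args, local(Anno, F, length(Args), Acc));
%% fun M:F/A and fun F/A are deferred calls; apply the same rules to them.
walk({'fun', Anno, {function, {atom, _, M}, {atom, _, F}, {integer, _, A}}}, Acc) ->
    remote(Anno, M, F, A, Acc);
walk({'fun', Anno, {function, M, F, A}}, Acc) ->
    walk([M, F, A], flag(Anno, dynamic_remote_fun, Acc));
walk({'fun', Anno, {function, F, A}}, Acc) -> local(Anno, F, A, Acc);
%% erl_parse leaves -import(M, [F/A]) as an attribute and the calls as bare f(...), so
%% when whole modules rather than funs are checked, the attribute itself is rejected.
walk({attribute, Anno, import, {M, _}}, Acc) -> flag(Anno, {import_attribute, M}, Acc);
%% Anything else: descend into every subterm of the abstract form.
walk(T, Acc) when is_tuple(T) -> walk(tuple_to_list(T), Acc);
walk([H | T], Acc) -> walk(T, walk(H, Acc));
walk(_, Acc) -> Acc.
remote(Anno, M, F, A, Acc) ->
    case lists:member(M, ?ALLOWED_MODULES) of true -> Acc; false -> flag(Anno, {remote_call, M, F, A}, Acc) end.
local(Anno, F, A, Acc) ->
    case lists:member({F, A}, ?ALLOWED_BIFS) of true -> Acc; false -> flag(Anno, {bif_call, F, A}, Acc) end.
flag(Anno, Reason, Acc) -> [{erl_anno:line(Anno), Reason} | Acc].
```

check_string(safe_view()) returns ok, while check_string(unsafe_view()) returns an error listing the os:cmd/1 remote call and the list_to_atom/1 BIF call with their line numbers; a call through a bound variable such as Emit(...) is left alone because only the host can bind it.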