esme-dev mailing list archives

From: Vassil Dichev <vdic...@apache.org>
Subject: Re: Scala interpreter action
Date: Mon, 06 Jul 2009 19:38:53 GMT

> Upon more reflection, I think any form of code that can read/write files on
> the local filesystem and/or open TCP connections to localhost or anywhere
> else presents a danger.  Think about how long it took to secure
> browser-based Java implementations.  I just see a high resource consumption
> cycle of finding hole/fixing hole... all for a feature that's not part of
> the main purpose of the project.
>
> The above comments apply to Scala as well as JavaScript via Rhino... I just
> don't think it can be done securely.
>
> With that being said, what I propose is keeping the code in, having it
> disabled by default, making sure there's a huge warning associated with the
> option that it gives users a lot of power on the machine and it should only
> be enabled if you're running behind a firewall and with only known and
> trusted users.  Finally, when I get the federation stuff in, I'll disable
> federation with any instance that has this feature turned on.  That'll calm
> my concerns about network attacks.

You have a point. I always insisted that this feature should be off by
default and assumed it's worse than it actually is. Still, I managed
to execute a DB query through lift in the embedded Derby DB. I know
it's possible to secure the database if you use a separate process,
and you restrict the access to the property file containing the
credentials and... eventually it's better to restrict this whole class
of vulnerabilities rather than rely on admins to be able to plug every
little one of those holes.

> PS -- I really do like this feature in the abstract.  I think it's cool.
> It's the former CTO of a security company part of me that rears its ugly
> head when I see stuff that allows for semi-controlled code to be executed
> from unknown parties.

All right, given the example with Rhino I was just wondering whether
there was something I was not doing right or it's just the nature of
the problem.

A similar but safer way for monitoring would be to have a set of
commands for querying different types of stats, all parsed through a
statically checked parser combinator.

Vassil
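
The restricted-command approach suggested in the last paragraph of the message above, sketched as an added example; it is not part of the original message or of ESME's code. The command names, the StatQuery type and the sample numbers are hypothetical, and the code assumes the scala-parser-combinators module is on the classpath.

```scala
import scala.util.parsing.combinator.RegexParsers

// Hypothetical closed set of queries: the only things a command can mean.
sealed trait StatQuery
case class UserCount(sinceDays: Option[Int]) extends StatQuery
case class MessageCount(nick: String) extends StatQuery
case object Uptime extends StatQuery

object StatCommandParser extends RegexParsers {
  // Bounded tokens: no quotes, dots, parentheses or path characters get through.
  private val days: Parser[Int] = """\d{1,3}""".r ^^ (_.toInt)
  private val nick: Parser[String] = """[A-Za-z0-9_]{1,32}""".r

  private val users: Parser[StatQuery] =
    "users" ~> opt("since" ~> days <~ "days") ^^ (d => UserCount(d))
  private val messages: Parser[StatQuery] =
    "messages" ~> "by" ~> nick ^^ (n => MessageCount(n))
  private val uptime: Parser[StatQuery] = "uptime" ^^^ Uptime
  private val command: Parser[StatQuery] = users | messages | uptime

  // parseAll rejects trailing input, so nothing can be appended to a valid command.
  def parse(input: String): Either[String, StatQuery] =
    parseAll(command, input) match {
      case Success(query, _) => Right(query)
      case failure           => Left(failure.toString)
    }
}

object StatDemo {
  // Constructed sample data standing in for the real statistics source.
  private val messageCounts = Map("alice" -> 42, "bob" -> 7)

  // The evaluator is a total match over StatQuery; it never evaluates user text.
  def answer(q: StatQuery): String = q match {
    case UserCount(None)    => "users: 2"
    case UserCount(Some(d)) => s"users active in the last $d days: 1"
    case MessageCount(n)    => s"messages by $n: ${messageCounts.getOrElse(n, 0)}"
    case Uptime             => "uptime: 3 days"
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: three valid commands and two that must be rejected.
    val inputs = Seq("uptime", "users since 7 days", "messages by alice",
      "uptime; users", """System.getProperty("user.home")""")
    for (in <- inputs)
      println(in + " => " + StatCommandParser.parse(in).fold("rejected: " + _, answer))
  }
}
```

Because StatQuery is sealed, the compiler checks that the evaluator handles every query the grammar can produce, and adding a new stat means adding a case class and a grammar rule rather than widening what user input can execute.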
