You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@couchdb.apache.org by "Paul Joseph Davis (JIRA)" <ji...@apache.org> on 2010/10/09 03:18:59 UTC

[jira] Updated: (COUCHDB-622) erlview sandboxing via parse transform

     [ https://issues.apache.org/jira/browse/COUCHDB-622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Joseph Davis updated COUCHDB-622:
--------------------------------------

    Skill Level: New Contributors Level (Easy)

> erlview sandboxing via parse transform
> --------------------------------------
>
>                 Key: COUCHDB-622
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-622
>             Project: CouchDB
>          Issue Type: Improvement
>            Reporter: Brian Candler
>            Priority: Minor
>
> I'm just adding this ticket so I don't forget about it.
> It's possible to improve the safety of the native erlang view server, just by doing a simple walk of the parsed abstract form. I think all we need to do is forbid calls to functions in all external modules m:f(), except for whitelisted modules (e.g. io_lib, lists) or specific functions. We also need a whitelist of BIFs.
> Some care may be needed for imported functions - check if they are already expanded to m:f() in the abstract form, or remain as f().
> My main concern is preventing things like os:cmd(). There are also many possible DoS attacks, like atom exhaustion or spawning infinite numbers of processes. However, most view definitions aren't going to need spawn() or list_to_atom(). A configurable whitelist could be very tight by default, but still allow admins to allow any specific functions they need.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.