Posted to user@velocity.apache.org by David Esposito <es...@newnetco.com> on 2002/08/27 16:07:37 UTC

Allow users to write their own VTL

I'm debating whether to add a feature to a web application I have ... The
web application allows people to compose their own emails and send them to a
mailing list ... We have the need to allow "mail merge" type features ... So
that people can put things like:

Dear ##first_name##,

Your last appointment was ##LastAppointmentDate##. We have openings this
month and are offering them at 50% discount.


Anyway, you get the picture ...

The problem is, we don't always have data for the variables that we want to
allow replacement on ... So if we didn't have the LastAppointmentDate, we'd
like to remove that whole sentence ... So this is where Velocity comes in
... What if we allowed our users to write their own VTL expressions?

Dear $first_name,

#if($LastAppointmentDate)Your last appointment was $LastAppointmentDate.#end
We have openings this month and are offering them at 50% discount.

We'd use Velocity.evaluate() to render the string ...

My question is: Can you think of a way for a creative (malicious) user to
get a handle to a System or Runtime object using reflection ...

$first_name.getClass().forName("java.lang.Runtime").getMethod("exec",$first_name.getClass()).invoke()


Would the above work? (obviously fixing up the syntax a bit) ...

Do I need to create a separate class loader that denies access to
java.lang.System and java.lang.Runtime? Has anyone crossed this hurdle
before? Or is it just too hard to control security?

-Dave
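
The mitigation Velocity itself later shipped for exactly this question, as an added example (not part of Dave's post or the Velocity code base): SecureUberspector, available from Velocity 1.5 on, refuses method calls on Class, ClassLoader, Runtime, System, Thread and the java.lang.reflect package, so the `$first_name.getClass().forName(...)` chain above is cut off at `forName`. The class name SafeMailMerge and the sample context values are assumptions for illustration.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;
import org.apache.velocity.util.introspection.SecureUberspector;

/** Renders user-written VTL with reflective class access denied. */
public class SafeMailMerge {

    private final VelocityEngine engine = new VelocityEngine();

    public SafeMailMerge() {
        // SecureUberspector's built-in deny list covers java.lang.Class,
        // ClassLoader, Runtime, System, Thread and the java.lang.reflect
        // package. If you set introspector.restrict.classes/packages yourself,
        // you supply the whole list (it replaces the default, not extends it).
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                           SecureUberspector.class.getName());
        engine.init();
    }

    /** Evaluates user VTL; a refused method call evaluates to null and is logged. */
    public String render(String userTemplate, VelocityContext merge) {
        StringWriter out = new StringWriter();
        engine.evaluate(merge, out, "user-template", userTemplate);
        return out.toString();
    }

    public static void main(String[] args) {
        // Only plain values go into the context: nothing with dangerous methods.
        VelocityContext merge = new VelocityContext();
        merge.put("first_name", "Ann");                 // constructed sample value
        // LastAppointmentDate deliberately absent, so the #if sentence drops out.

        String legit = "Dear $first_name,\n"
            + "#if($LastAppointmentDate)Your last appointment was $LastAppointmentDate.#end\n"
            + "We have openings this month and are offering them at 50% discount.\n";
        // The probe from the thread: getClass() on a String is permitted, but
        // forName() on the resulting Class object is refused, so the chain is
        // null and no method is ever invoked.
        String probe = "$first_name.getClass().forName(\"java.lang.Runtime\")";

        SafeMailMerge merger = new SafeMailMerge();
        System.out.println(merger.render(legit, merge));
        System.out.println(merger.render(probe, merge));
    }
}
```

SecureUberspector governs method calls only; bound runaway `#foreach` loops with `directive.foreach.maxloops` and keep the merge context down to plain Strings and Dates rather than service objects.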

