Posted to issues@commons.apache.org by "Henri Biestro (Jira)" <ji...@apache.org> on 2022/10/21 17:24:00 UTC

[jira] [Created] (JEXL-381) Change default JEXL configuration to a more security-friendly behaviour

Henri Biestro created JEXL-381:
----------------------------------

             Summary: Change default JEXL configuration to a more security-friendly behaviour 
                 Key: JEXL-381
                 URL: https://issues.apache.org/jira/browse/JEXL-381
             Project: Commons JEXL
          Issue Type: Improvement
    Affects Versions: 3.2.1
            Reporter: Henri Biestro
            Assignee: Henri Biestro
             Fix For: 3.3


WHAT:

JEXL's default builder allows accessing and calling any public method, field or constructor of any public class. This might not be desirable, since a quick exploration of JEXL will lead to the conclusion that the library allows arbitrary execution through commands (ProcessBuilder) or getting to the file-system through URL or File. The goal of this improvement is to make JEXL's permeability an explicit option and user decision, not a default behaviour.

HOW:

By changing the current JexlBuilder to use a restricted set of permissions whilst instantiating the Uberspect, we can ensure a minimal useful set of classes can be accessed and only those by default. By removing access to almost all classes that interact with the JVM host and file-system, we ensure a default isolation that would significantly reduce the ability to use JEXL as an attack vector.

CAVEAT:

This change will likely break many scripts that were dependent upon the default permeability.



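The following is an added example, not part of the original issue or the project's own code: a startup self-check that sets the engine's permissions explicitly rather than relying on whatever default the installed JEXL version has, and confirms the restricted engine refuses a file-system class. It assumes JEXL 3.3 or later (`JexlPermissions` and `JexlBuilder.permissions(...)`); the class name, the helper names and the probe expressions are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class JexlPermissionsCheck {
    // Constructed probes. The first only instantiates java.io.File (nothing is
    // read or written); the second is an ordinary String call scripts rely on.
    static final String FILE_PROBE = "new('java.io.File', 'constructed-probe.txt')";
    static final String STRING_PROBE = "'jexl'.toUpperCase()";

    // Build an engine whose permeability is an explicit decision of the caller.
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)    // unresolved methods/constructors are errors
                .silent(false)   // errors are thrown, not just logged
                .create();
    }

    // True if the script resolves and runs; false if introspection denies it.
    static boolean canEvaluate(JexlEngine jexl, String source) {
        try {
            return jexl.createScript(source).execute(new MapContext()) != null;
        } catch (JexlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);
        // Opting back in to the old behaviour must be a visible line of code.
        JexlEngine unrestricted = engine(JexlPermissions.UNRESTRICTED);

        System.out.println("restricted, String call: " + canEvaluate(restricted, STRING_PROBE));
        System.out.println("restricted, File probe:  " + canEvaluate(restricted, FILE_PROBE));
        System.out.println("unrestricted, File probe: " + canEvaluate(unrestricted, FILE_PROBE));

        // Fail the deployment if the engine that runs untrusted scripts is permeable.
        if (canEvaluate(restricted, FILE_PROBE) || !canEvaluate(restricted, STRING_PROBE)) {
            throw new IllegalStateException("JEXL permissions are not configured as expected");
        }
    }
}
```

Running the same check against existing scripts before upgrading shows which of them depended on the permissive default described in the caveat.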