[jira] [Updated] (TINKERPOP-2835) Query translation ignores sandbox limitations

["Dan Snoddy (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/TINKERPOP-2835?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Snoddy updated TINKERPOP-2835:
----------------------------------
    Description: 
When I run a query such as g.V().has('NAME',System.getenv()) our sandbox configuration blocks the execution of System.getenv(), however if the request is passed to one of the translators (e.g. GroovyTranslator), the query is executed (and could be used to reboot a machine, kill the Java VM, run OS level commands, etc):

`g.V().has("NAME",[("PATH"): ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin .....`

 

  was:
When I run a query such as g.V().has('NAME',System.getenv()) our sandbox configuration blocks the execution of System.getenv(), however if the request is passed to one of the translators (e.g. GroovyTranslator), the query is executed (and could be used to reboot a machine, kill the Java VM, run OS level commands, etc):



g.V().has("NAME",[("PATH"):("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin .....

 


> Query translation ignores sandbox limitations
> ---------------------------------------------
>
>                 Key: TINKERPOP-2835
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2835
>             Project: TinkerPop
>          Issue Type: Bug
>            Reporter: Dan Snoddy
>            Priority: Critical
>
> When I run a query such as g.V().has('NAME',System.getenv()) our sandbox configuration blocks the execution of System.getenv(), however if the request is passed to one of the translators (e.g. GroovyTranslator), the query is executed (and could be used to reboot a machine, kill the Java VM, run OS level commands, etc):
> `g.V().has("NAME",[("PATH"): ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin .....`
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)