Posted to issues@commons.apache.org by "Henri Biestro (Jira)" <ji...@apache.org> on 2022/11/01 09:50:00 UTC

[jira] [Comment Edited] (JEXL-381) Change default JEXL configuration to a more security-friendly behaviour

    [ https://issues.apache.org/jira/browse/JEXL-381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627053#comment-17627053 ] 

Henri Biestro edited comment on JEXL-381 at 11/1/22 9:49 AM:
-------------------------------------------------------------

[~dmitri_blinov] The cost of the @NoJexl annotation check is only incurred once during method discovery whilst populating the class cache, so I doubt you are saving much. As for private methods, IMO these should remain hidden from JEXL... (Java 17 is stricter on what can be called from where).

I'm quite interested in your Sandbox/security configuration; at a quick glance, this did not seem to be in your repo/unit tests, but I may have missed it. Care to share? Thanks :-)


was (Author: henrib):
[~dmitri_blinov] The cost of the @NoJexl annotation check is only incurred once during method discovery whilst populating the class cache, so I doubt you are saving much. As for private methods, IMO these should remain hidden from JEXL...

I'm quite interested in your Sandbox/security configuration; at a quick glance, this did not seem to be in your repo/unit tests, but I may have missed it. Care to share? Thanks :-)

> Change default JEXL configuration to a more security-friendly behaviour 
> ------------------------------------------------------------------------
>
>                 Key: JEXL-381
>                 URL: https://issues.apache.org/jira/browse/JEXL-381
>             Project: Commons JEXL
>          Issue Type: Improvement
>    Affects Versions: 3.2.1
>            Reporter: Henri Biestro
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.3
>
>
> WHAT:
> JEXL's default builder allows accessing and calling any public method, field or constructor of any public class. This might not be desirable, since a quick exploration of JEXL will quickly conclude that the library allows arbitrary execution through commands (ProcessBuilder) or getting to the file-system through URL or File. This improvement's goal is to change JEXL's permeability into an explicit option and user decision, not a default behaviour.
> HOW:
> By changing the current JexlBuilder to use a restricted set of permissions whilst instantiating the Uberspect, we can ensure a minimal useful set of classes can be accessed and only those by default. By removing access to almost all classes that interact with the JVM host and file-system, we ensure a default isolation that would significantly reduce the ability to use JEXL as an attack vector.
> CAVEAT:
> This change will likely break many scripts that were dependent upon the default permeability.
> [~ggregory], [~dmitri_blinov] your opinions are welcome :-)
> https://lists.apache.org/thread/kgh0kfkcvllp5mj7kwnpdqrbrfcyyopd



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
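The contrast the issue describes, the pre-3.3 "any public method of any public class" behaviour versus an engine built on a restricted permission set, as an added example. This is not code from the JEXL project or from anyone in this thread; it assumes the JEXL 3.3 API that JEXL-381 introduces (JexlPermissions.RESTRICTED / JexlPermissions.UNRESTRICTED and JexlBuilder.permissions(...)), and the Host bean and the probe scripts are constructed for illustration. Which JexlException subtype a blocked call raises is also left to the engine rather than assumed.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.annotations.NoJexl;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/** Shows how the permissions handed to JexlBuilder change what a script can reach (example, not project code). */
public class JexlPermissionsDemo {

    /** A bean exposed to scripts; constructed for this example. */
    public static class Host {
        public String greet(String who) {
            return "hello " + who;
        }

        /** Hidden from scripts under any permission set: @NoJexl is evaluated once at method discovery. */
        @NoJexl
        public String shell(String cmd) {
            return "would run: " + cmd;
        }
    }

    /** Builds a strict, non-silent engine so that an unresolvable call throws instead of yielding null. */
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)
                .silent(false)
                .create();
    }

    /** Evaluates one script and reports either its value or the JexlException the engine raised. */
    static String run(JexlEngine jexl, JexlContext ctx, String source) {
        try {
            Object result = jexl.createScript(source).execute(ctx);
            return "OK   " + source + " -> " + result;
        } catch (JexlException e) {
            return "DENY " + source + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        JexlContext ctx = new MapContext();
        ctx.set("host", new Host());

        // Probes a hostile template author might try; constructed inputs, nothing is executed on the host.
        String[] probes = {
            "new('java.io.File', '.').getAbsolutePath()",  // file-system reach through a JDK constructor
            "host.getClass().getClassLoader()",              // pivot from a harmless bean into reflection
            "host.shell('id')",                               // method hidden by @NoJexl
            "host.greet('jexl')"                              // the one call the application intends to allow
        };

        System.out.println("== UNRESTRICTED (the pre-3.3 default permeability) ==");
        JexlEngine open = engine(JexlPermissions.UNRESTRICTED);
        for (String probe : probes) {
            System.out.println(run(open, ctx, probe));
        }

        System.out.println("== RESTRICTED (the 3.3 default) ==");
        JexlEngine locked = engine(JexlPermissions.RESTRICTED);
        for (String probe : probes) {
            System.out.println(run(locked, ctx, probe));
        }
    }
}
```

Run it with commons-jexl3 3.3 on the classpath. Only host.greet(...) is expected to resolve under both engines; host.shell(...) is refused by both because the annotation is applied when the class is introspected, which is the cost the comment above says is paid once per class. An application that still needs a JDK class under the restricted default should grant that class explicitly rather than fall back to UNRESTRICTED, which is exactly the "explicit option and user decision" the issue argues for.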