> Upon more reflection, I think any form of code that can read/write files on
> the local filesystem and/or open TCP connections to localhost or anywhere
> else presents a danger. Think about how long it took to secure
> browser-based Java implementations. I just see a high resource consumption
> cycle of finding hole/fixing hole... all for a feature that's not part of
> the main purpose of the project.
>
> The above comments apply to Scala as well as JavaScript via Rhino... I just
> don't think it can be done securely.
>
> With that being said, what I propose is keeping the code in, having it
> disabled by default, making sure there's a huge warning associated with the
> option that it gives users a lot of power on the machine and it should only
> be enabled if you're running behind a firewall and with only known and
> trusted users. Finally, when I get the federation stuff in, I'll disable
> federation with any instance that has this feature turned on. That'll calm
> my concerns about network attacks.
You have a point. I always insisted that this feature should be off by default and assumed it's worse than it actually is. Still, I managed to execute a DB query through Lift in the embedded Derby DB. I know it's possible to secure the database if you use a separate process and restrict the access to the property file containing the credentials and... eventually it's better to restrict this whole class of vulnerabilities rather than rely on admins to be able to plug every little one of those holes.

> PS -- I really do like this feature in the abstract. I think it's cool.
> It's the former CTO of a security company part of me that rears its ugly
> head when I see stuff that allows for semi-controlled code to be executed
> from unknown parties.

All right, given the example with Rhino, I was just wondering whether there was something I was not doing right or it's just the nature of the problem. A similar but safer way for monitoring would be to have a set of commands for querying different types of stats, all parsed through a statically checked parser combinator.

Vassil
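Vassil's closing suggestion, a closed command grammar in place of a script engine, as an added Scala example that is not part of this thread or of Lift: the counter table and its values are constructed, the command names are invented for illustration, and it assumes the scala-parser-combinators module is on the classpath.

```scala
import scala.util.parsing.combinator.RegexParsers

// Constructed stats snapshot standing in for a live monitoring source (assumption).
object Stats {
  private val counters = Map("requests" -> 1024L, "errors" -> 7L, "sessions" -> 42L)
  def get(name: String): Option[Long] = counters.get(name)
  def all: Seq[(String, Long)] = counters.toSeq
}

// The whole command language: a request that is not one of these cases cannot be run.
sealed trait Query
case class Show(counter: String) extends Query
case class Top(n: Int) extends Query
case object ListCounters extends Query

object StatsParser extends RegexParsers {
  // Closed token grammar: identifiers are short lowercase words, numbers are 1-3 digits.
  private val ident: Parser[String] = """[a-z][a-z_]{0,31}""".r
  private val number: Parser[Int] = """\d{1,3}""".r ^^ (_.toInt)

  private val show: Parser[Query] = "show" ~> ident ^^ (Show(_))
  private val top: Parser[Query] = "top" ~> number ^^ (Top(_))
  private val list: Parser[Query] = "list" ^^^ ListCounters
  private val query: Parser[Query] = show | top | list

  // parseAll requires the entire input to match; trailing text is an error, not ignored.
  def parse(input: String): Either[String, Query] = parseAll(query, input) match {
    case Success(q, _)      => Right(q)
    case Failure(msg, next) => Left(s"rejected at column ${next.pos.column}: $msg")
    case Error(msg, next)   => Left(s"rejected at column ${next.pos.column}: $msg")
  }
}

object Monitor {
  // The typed Query is the only thing the evaluator sees; raw input never reaches it.
  def run(input: String): String = StatsParser.parse(input) match {
    case Left(err)           => err
    case Right(ListCounters) => Stats.all.map(_._1).sorted.mkString(", ")
    case Right(Show(c))      => Stats.get(c).map(v => s"$c = $v").getOrElse(s"unknown counter: $c")
    case Right(Top(n))       =>
      Stats.all.sortBy { case (_, v) => -v }.take(n).map { case (k, v) => s"$k = $v" }.mkString(", ")
  }
}

object Demo extends App {
  // Accepted queries are answered from the table; code-like input fails at parse time.
  Seq("show errors", "top 2", "list", "show errors; exit", "new java.io.File(\"/\")")
    .foreach(q => println(s"$q -> ${Monitor.run(q)}"))
}
```

Because the grammar has no string literals, no dots and no method-call syntax, the parser cannot produce anything that touches the filesystem or the network, which is the class of holes the thread is worried about.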
