[ https://issues.apache.org/jira/browse/JEXL-381?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629364#comment-17629364 ]

Henri Biestro edited comment on JEXL-381 at 11/5/22 5:29 PM:
-------------------------------------------------------------

But internally, permissions use package/class/method names as strings to avoid 
keeping references to classes; so it's probably possible to expose those and 
check during namespace pragma handling. It would not cover the superclass case 
though - when the superclass has been denied access, we'd still have to load to 
know.

Actually, I'm not completely sure that loading the class implies executing the 
static initializers.

It may also make sense anyway to expose this as a syntactic feature.


was (Author: henrib):
But internally, permissions use package/class/method names as strings to avoid 
keeping references to classes; so it's probably possible to expose those and 
check during namespace pragma handling. It would not cover the superclass case 
though - when the superclass has been denied access, we'd still have to load to 
know.
It may also make sense anyway to expose this as a syntactic feature.

> Change default JEXL configuration to a more security-friendly behaviour 
> ------------------------------------------------------------------------
>
>                 Key: JEXL-381
>                 URL: https://issues.apache.org/jira/browse/JEXL-381
>             Project: Commons JEXL
>          Issue Type: Improvement
>    Affects Versions: 3.2.1
>            Reporter: Henri Biestro
>            Assignee: Henri Biestro
>            Priority: Major
>             Fix For: 3.3
>
>
> WHAT:
> JEXL's default builder allows accessing and calling any public method, field 
> or constructor of any public class. This might not be desirable since a quick 
> exploration of JEXL will quickly conclude the library allows arbitrary 
> execution through commands (ProcessBuilder) or getting to the file-system 
> through URL or File. This improvement goal is to change JEXL's permeability 
> as an explicit option and user decision, not a default behaviour.
> HOW:
> By changing the current JexlBuilder to use a restricted set of permissions 
> whilst instantiating the Uberspect, we can ensure a minimal useful set of 
> classes can be accessed and only those by default. By removing access to 
> almost all classes that interact with the JVM host and file-system, we ensure 
> a default isolation that would significantly reduce the ability to use JEXL 
> as an attack vector.
> CAVEAT:
> This change will likely break many scripts that were dependent upon the 
> default permeability.
> [~ggregory], [~dmitri_blinov] your opinions are welcome :-)
> https://lists.apache.org/thread/kgh0kfkcvllp5mj7kwnpdqrbrfcyyopd
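The "WHAT" and "HOW" of the issue, as an added example that is not part of the JIRA thread and not JEXL's own code. It evaluates one benign and one constructed hostile script under the old "any public class" permeability and under the restricted permissions that become the default in 3.3. It assumes the 3.3 API surface the fix introduces (`JexlBuilder.permissions(JexlPermissions)`, `JexlPermissions.UNRESTRICTED` and `JexlPermissions.RESTRICTED`); the scripts and variable name are made up for the demo.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/**
 * Added example (not JEXL's own code): the same two scripts evaluated under
 * the pre-3.3 "anything public" permeability and under the restricted
 * permissions that JEXL-381 makes the default.
 */
public class JexlPermeabilityDemo {

    // Constructed hostile input: reaches the host file system through
    // java.io.File, one of the escapes the issue names (ProcessBuilder and
    // URL follow the same pattern).
    static final String HOSTILE = "new('java.io.File', '/').isDirectory()";

    // Constructed benign input: only a java.lang.String method and a
    // context variable; this is what an ordinary template needs.
    static final String BENIGN = "'hello ' + name.toUpperCase()";

    /** Builds an engine with the given permissions (JEXL 3.3 API, assumed). */
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)   // unresolved methods/constructors are errors
                .silent(false)  // ... and those errors are thrown, not logged
                .create();
    }

    /** Evaluates src and reports either the value or the JEXL refusal. */
    static String evaluate(JexlEngine jexl, String src) {
        JexlContext ctx = new MapContext();
        ctx.set("name", "world");
        try {
            JexlScript script = jexl.createScript(src);
            return "value=" + script.execute(ctx);
        } catch (JexlException e) {
            // A class or method hidden by the permissions is "unsolvable";
            // with strict+non-silent that surfaces as a JexlException.
            return "denied=" + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Pre-3.3 default behaviour, now an explicit opt-in.
        JexlEngine permissive = engine(JexlPermissions.UNRESTRICTED);
        // 3.3 default: JVM, process and file-system classes are not reachable.
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);

        for (String src : new String[] { BENIGN, HOSTILE }) {
            System.out.println("script: " + src);
            System.out.println("  unrestricted -> " + evaluate(permissive, src));
            System.out.println("  restricted   -> " + evaluate(restricted, src));
        }
    }
}
```

The benign script evaluates the same way under both engines; the hostile one only succeeds under `UNRESTRICTED`, which is the "caveat" case: any deployed script that depended on such access will start failing when the default flips, so the upgrade path is to audit scripts and pass `UNRESTRICTED` (or a narrower, explicitly parsed permission set) deliberately rather than inheriting it.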


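On the comment's open question, whether checking a denied superclass forces the class's static initializers to run, the following is an added example (not part of the thread and not JEXL code) showing what the JVM actually guarantees: loading and reflective inspection do not initialize a class; only first active use, or `Class.forName` with `initialize=true`, runs `<clinit>` (JLS 12.4.1). The nested class and its trace are constructed for the demo.

```java
/**
 * Added example (not from the JIRA thread): loading a class to inspect its
 * superclass chain does not execute its static initializer.
 */
public class ClassInitDemo {

    // Records whether the static initializer has run, and when.
    static final StringBuilder TRACE = new StringBuilder();

    /** Stand-in for a class a permission set would deny; its <clinit> is the
     *  code we do not want a mere permission check to trigger. */
    public static class Sensitive {
        static {
            TRACE.append("[Sensitive.<clinit> ran]");
        }
        public static int touch() {
            return 1;
        }
    }

    public static void main(String[] args) throws Exception {
        String name = "ClassInitDemo$Sensitive";
        ClassLoader cl = ClassInitDemo.class.getClassLoader();

        // 1. Load without initializing: the class, its superclass and its
        //    interfaces become inspectable, but no static initializer runs.
        Class<?> loaded = Class.forName(name, false, cl);
        Class<?> parent = loaded.getSuperclass();
        System.out.println("superclass=" + parent.getName() + " trace=" + TRACE);

        // ClassLoader.loadClass(name) behaves the same way: no initialization.
        Class<?> again = cl.loadClass(name);
        System.out.println("sameClass=" + (again == loaded) + " trace=" + TRACE);

        // 2. Reflective lookup of members still does not initialize.
        loaded.getMethod("touch");
        System.out.println("after getMethod trace=" + TRACE);

        // 3. Only an active use (here forName with initialize=true) runs <clinit>.
        Class.forName(name, true, cl);
        System.out.println("after forName(initialize=true) trace=" + TRACE);
    }
}
```

The trace stays empty through steps 1 and 2 and only fills in at step 3, so a permissions implementation that needs to walk a superclass chain can do it with `Class.forName(name, false, loader)` (or `ClassLoader.loadClass`) without handing a denied class the chance to run code.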

--
This message was sent by Atlassian Jira
(v8.20.10#820010)