RE: [JEXL] Detecting infinite loops in JEXL Scripts
Thanks, Henri, for a quick reply. Really appreciate it.

- Aditya Kumar1
Technology Architect
Precisely.com

-----Original Message-----
From: Henri Biestro
Sent: Monday, August 7, 2023 5:09 PM
To: dev@commons.apache.org
Subject: Re: [JEXL] Detecting infinite loops in JEXL Scripts

This message originated Externally. Use proper judgement and caution with attachments, links, or responses.

Ho:
You should look at using JexlPermission which are probably easier and more powerful than the JexlSandbox to enforce application security.
For loops, since there is no obvious guaranteed way to ensure they finish, the possible route is to let scripts run in threads and cancel them if they run for too long. (see ScriptCallableTest#testFuture).
Cheers

On 2023/08/07 10:59:58 Aditya Kumar1 wrote:
> Hi,
>
> I am planning to use JEXL library in my SaaS based product to run
> JavaScripts/JexlScripts (I understand, Jexl is not exactly JavaScript).
>
> Since security is one of the most important requirements for any SaaS based
> product, I am going to use Jexl Sandbox and Jexl Features to secure my
> application. I see that in Jexl features, we have a way to turn off the loops
> but for my requirement, I need to enable loops in the scripts.
>
> Is there a way to detect infinite loops in case someone writes such an
> expression which turns into an infinite loop during evaluation? Also, someone can
> also try to sabotage our application by running infinite loops. Is there a
> way to detect and avoid such a security issue?
>
> PS: I would really appreciate it if you could let me know any other security
> aspects which I need to consider while using JEXL library.
>
> Thanks,
> Aditya
>
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com
>
> ATTENTION: The information contained in this message (including any
> files transmitted with this message) may contain proprietary, trade secret or
> other confidential and/or legally privileged information. Any pricing
> information contained in this message or in any files transmitted with this
> message is always confidential and cannot be shared with any third parties
> without prior written approval from Precisely. This message is intended to be
> read only by the individual or entity to whom it is addressed or by their
> designee. If the reader of this message is not the intended recipient, you
> are on notice that any use, disclosure, copying or distribution of this
> message, in any form, is strictly prohibited. If you have received this
> message in error, please immediately notify the sender and/or Precisely and
> destroy all copies of this message in your possession, custody or control.

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Re: [VOTE] Release Apache Commons DbUtils 1.8.0 based on RC1
+1

Build and tests running fine from the tag on

Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)
Maven home: /opt/apache-maven-3.8.5
Java version: 17.0.8, vendor: Private Build, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.15.0-78-generic", arch: "amd64", family: "unix"

Cheers
Bruno

On Mon, 7 Aug 2023 at 17:21, Gary Gregory wrote:
> Hi,
>
> It looks like you are a committer but are not on the PMC based on
> https://projects.apache.org/committee.html?commons meaning your vote is
> appreciated but not binding for the purpose of this vote.
>
> Thank you,
> Gary
>
> On Mon, Aug 7, 2023, 10:49 AM William Speirs wrote:
> > +1 if my vote still counts
> >
> > On Sat, Aug 5, 2023 at 4:29 PM Gary Gregory wrote:
> > > Could I get more PMC reviews please?
> > >
> > > Gary
> > >
> > > On Tue, Aug 1, 2023, 8:40 PM Gary Gregory wrote:
> > > > We have fixed a few bugs and added some enhancements since Apache
> > > > Commons DbUtils 1.7 was released, so I would like to release Apache
> > > > Commons DbUtils 1.8.0.
> > > >
> > > > Apache Commons DbUtils 1.8.0 RC1 is available for review here:
> > > > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1
> > > > (svn revision 63303)
> > > >
> > > > The Git tag commons-dbutils-1.8.0-RC1 commit for this RC is
> > > > 675cfcd2f68b03254746c24d76a83a23dcddc6a2 which you can browse here:
> > > > https://gitbox.apache.org/repos/asf?p=commons-dbutils.git;a=commit;h=675cfcd2f68b03254746c24d76a83a23dcddc6a2
> > > >
> > > > You may checkout this tag using:
> > > > git clone https://gitbox.apache.org/repos/asf/commons-dbutils.git --branch commons-dbutils-1.8.0-RC1 commons-dbutils-1.8.0-RC1
> > > >
> > > > Maven artifacts are here:
> > > > https://repository.apache.org/content/repositories/orgapachecommons-1648/commons-dbutils/commons-dbutils/1.8.0/
> > > >
> > > > These are the artifacts and their hashes:
> > > >
> > > > #Release SHA-512s
> > > > #Tue Aug 01 20:32:34 EDT 2023
> > > >
> > > > I have tested this with
> > > >
> > > > mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy
> > > >
> > > > Using:
> > > >
> > > > Apache Maven 3.9.3 (21122926829f1ead511c958d89bd2f672198ae9f)
> > > > Maven home: /usr/local/Cellar/maven/3.9.3/libexec
> > > > Java version: 11.0.20, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@11/11.0.20/libexec/openjdk.jdk/Contents/Home
> > > > Default locale: en_US, platform encoding: UTF-8
> > > > OS name: "mac os x", version: "13.5", arch: "x86_64", family: "mac"
> > > > Darwin gdg-mac-mini.local 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:21:56 PDT 2023; root:xnu-8796.141.3~
Re: [VOTE] Release Apache Commons DbUtils 1.8.0 based on RC1
Hi,

It looks like you are a committer but are not on the PMC based on
https://projects.apache.org/committee.html?commons meaning your vote is
appreciated but not binding for the purpose of this vote.

Thank you,
Gary

On Mon, Aug 7, 2023, 10:49 AM William Speirs wrote:
> +1 if my vote still counts
>
> On Sat, Aug 5, 2023 at 4:29 PM Gary Gregory wrote:
> > Could I get more PMC reviews please?
> >
> > Gary
> >
> > On Tue, Aug 1, 2023, 8:40 PM Gary Gregory wrote:
> > > We have fixed a few bugs and added some enhancements since Apache
> > > Commons DbUtils 1.7 was released, so I would like to release Apache
> > > Commons DbUtils 1.8.0.
> > >
> > > Apache Commons DbUtils 1.8.0 RC1 is available for review here:
> > > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1
> > > (svn revision 63303)
> > >
> > > The Git tag commons-dbutils-1.8.0-RC1 commit for this RC is
> > > 675cfcd2f68b03254746c24d76a83a23dcddc6a2 which you can browse here:
> > > https://gitbox.apache.org/repos/asf?p=commons-dbutils.git;a=commit;h=675cfcd2f68b03254746c24d76a83a23dcddc6a2
> > >
> > > You may checkout this tag using:
> > > git clone https://gitbox.apache.org/repos/asf/commons-dbutils.git --branch commons-dbutils-1.8.0-RC1 commons-dbutils-1.8.0-RC1
> > >
> > > Maven artifacts are here:
> > > https://repository.apache.org/content/repositories/orgapachecommons-1648/commons-dbutils/commons-dbutils/1.8.0/
> > >
> > > These are the artifacts and their hashes:
> > >
> > > #Release SHA-512s
> > > #Tue Aug 01 20:32:34 EDT 2023
> > >
> > > I have tested this with
> > >
> > > mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy
> > >
> > > Using:
> > >
> > > Apache Maven 3.9.3 (21122926829f1ead511c958d89bd2f672198ae9f)
> > > Maven home: /usr/local/Cellar/maven/3.9.3/libexec
> > > Java version: 11.0.20, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@11/11.0.20/libexec/openjdk.jdk/Contents/Home
> > > Default locale: en_US, platform encoding: UTF-8
> > > OS name: "mac os x", version: "13.5", arch: "x86_64", family: "mac"
> > > Darwin gdg-mac-mini.local 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:21:56 PDT 2023; root:xnu-8796.141.3~6/RELEASE_X86_64 x86_64
> > >
> > > Java 11 is used to produce a JPMS module but the target byte code and
> > > API is enforced as Java 8.
> > >
> > > Details of changes since 1.7 are in the release notes:
> > > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/RELEASE-NOTES.txt
> > > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/changes-report.html
> > >
> > > Site:
> > > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/index.html
> > > (note some *relative* links are broken and the 1.8.0 directories
> > > are not yet created - these will be OK once the site is deployed.)
> >
Re: [VOTE] Release Apache Commons DbUtils 1.8.0 based on RC1
+1 if my vote still counts

On Sat, Aug 5, 2023 at 4:29 PM Gary Gregory wrote:
> Could I get more PMC reviews please?
>
> Gary
>
> On Tue, Aug 1, 2023, 8:40 PM Gary Gregory wrote:
> > We have fixed a few bugs and added some enhancements since Apache
> > Commons DbUtils 1.7 was released, so I would like to release Apache
> > Commons DbUtils 1.8.0.
> >
> > Apache Commons DbUtils 1.8.0 RC1 is available for review here:
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1
> > (svn revision 63303)
> >
> > The Git tag commons-dbutils-1.8.0-RC1 commit for this RC is
> > 675cfcd2f68b03254746c24d76a83a23dcddc6a2 which you can browse here:
> > https://gitbox.apache.org/repos/asf?p=commons-dbutils.git;a=commit;h=675cfcd2f68b03254746c24d76a83a23dcddc6a2
> >
> > You may checkout this tag using:
> > git clone https://gitbox.apache.org/repos/asf/commons-dbutils.git --branch commons-dbutils-1.8.0-RC1 commons-dbutils-1.8.0-RC1
> >
> > Maven artifacts are here:
> > https://repository.apache.org/content/repositories/orgapachecommons-1648/commons-dbutils/commons-dbutils/1.8.0/
> >
> > These are the artifacts and their hashes:
> >
> > #Release SHA-512s
> > #Tue Aug 01 20:32:34 EDT 2023
> >
> > I have tested this with
> >
> > mvn -V -Prelease -Ptest-deploy -P jacoco -P japicmp clean package site deploy
> >
> > Using:
> >
> > Apache Maven 3.9.3 (21122926829f1ead511c958d89bd2f672198ae9f)
> > Maven home: /usr/local/Cellar/maven/3.9.3/libexec
> > Java version: 11.0.20, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@11/11.0.20/libexec/openjdk.jdk/Contents/Home
> > Default locale: en_US, platform encoding: UTF-8
> > OS name: "mac os x", version: "13.5", arch: "x86_64", family: "mac"
> > Darwin gdg-mac-mini.local 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:21:56 PDT 2023; root:xnu-8796.141.3~6/RELEASE_X86_64 x86_64
> >
> > Java 11 is used to produce a JPMS module but the target byte code and
> > API is enforced as Java 8.
> >
> > Details of changes since 1.7 are in the release notes:
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/RELEASE-NOTES.txt
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/changes-report.html
> >
> > Site:
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/index.html
> > (note some *relative* links are broken and the 1.8.0 directories
> > are not yet created - these will be OK once the site is deployed.)
> >
> > JApiCmp Report (compared to 1.7):
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/japicmp.html
> >
> > RAT Report:
> > https://dist.apache.org/repos/dist/dev/commons/dbutils/1.8.0-RC1/site/rat-report.html
> >
> > KEYS:
> > https://downloads.apache.org/commons/KEYS
> >
> > Please review the release candidate and vote.
> > This vote will close no sooner than 72 hours from now.
> >
> > [ ] +1 Release these artifacts
> > [ ] +0 OK, but...
> > [ ] -0 OK, but really should
Re: [Meta] gitlab error responses to mailing list
On Mon, 7 Aug 2023 at 16:38, Gilles Sadowski wrote:
>
> On Mon, 7 Aug 2023 at 10:46, Mark Thomas wrote:
> >
> > Got the error message. To help me play hunt the subscriber, can anyone
> > provide information on when this behaviour started?
>
> I got one on Saturday at 11:17, in a thread with
> [commons-math] Three Concerns
> as subject line. Content was:
> ---CUT---
> Unfortunately, your email message to GitLab could not be processed.
>
> We couldn't figure out what the email is for. Please create your issue
> or comment through the web interface.
> ---CUT---

And again, just now, in reply to the above message...

> Regards,
> Gilles
>
> >> [...]
Re: [Meta] gitlab error responses to mailing list
On Mon, 7 Aug 2023 at 10:46, Mark Thomas wrote:
>
> Got the error message. To help me play hunt the subscriber, can anyone
> provide information on when this behaviour started?

I got one on Saturday at 11:17, in a thread with
[commons-math] Three Concerns
as subject line. Content was:
---CUT---
Unfortunately, your email message to GitLab could not be processed.

We couldn't figure out what the email is for. Please create your issue
or comment through the web interface.
---CUT---

Regards,
Gilles

>> [...]
Re: [JEXL] Detecting infinite loops in JEXL Scripts
Ho:
You should look at using JexlPermission which are probably easier and more powerful than the JexlSandbox to enforce application security.
For loops, since there is no obvious guaranteed way to ensure they finish, the possible route is to let scripts run in threads and cancel them if they run for too long. (see ScriptCallableTest#testFuture).
Cheers

On 2023/08/07 10:59:58 Aditya Kumar1 wrote:
> Hi,
>
> I am planning to use JEXL library in my SaaS based product to run
> JavaScripts/JexlScripts (I understand, Jexl is not exactly JavaScript).
>
> Since security is one of the most important requirements for any SaaS based
> product, I am going to use Jexl Sandbox and Jexl Features to secure my
> application. I see that in Jexl features, we have a way to turn off the loops
> but for my requirement, I need to enable loops in the scripts.
>
> Is there a way to detect infinite loops in case someone writes such an
> expression which turns into an infinite loop during evaluation? Also, someone can
> also try to sabotage our application by running infinite loops. Is there a
> way to detect and avoid such a security issue?
>
> PS: I would really appreciate it if you could let me know any other security
> aspects which I need to consider while using JEXL library.
>
> Thanks,
> Aditya
>
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com
Re: Exposing my own/wrapper functions using JEXL
Of course we do.
It seems the landing page / detailed example is still not steering users towards the Javadoc which anyhow is not the best media to explain 'how to' (imho).
Transforming/extracting 'how to's from the unit tests could be the cheapest way to improve on this area. (As in: how do I integrate my own classes/packages? -or- how do I ensure scripts are readonly and don't modify data?).

On 2023/08/07 10:08:59 Gary Gregory wrote:
> Do we need better documentation on the site?
>
> Gary
>
> On Mon, Aug 7, 2023, 5:45 AM Henri Biestro wrote:
> > Hi;
> > JEXL 3.3. has increased default security by restricting permissions to a
> > very narrow set of allowed classes. In your case, you need to allow JEXL to
> > introspect your package by configuring your permissions. Have a look at
> > JexlPermissions javadoc for more explanations.
> > On JEXL 3.3, with Java 17, If your test class resides in the 'org.example'
> > package, the following code does run without errors.
> > ...
> > Map funcs = new HashMap();
> > funcs.put("math", new MyMath());
> > JexlPermissions permissions = JexlPermissions.parse("org.example.*");
> > JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
> > JexlContext jc = new MapContext();
> > jc.set("pi", Math.PI);
> > JexlExpression e = jexl.createExpression("math:cos(pi)");
> > Object result = e.evaluate(jc);
> > System.out.println("Result: " + result);
> > ...
> >
> > Cheers
> >
> > On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> > > Hi,
> > >
> > > I was trying to expose my own functions using JEXL library. I am trying
> > > the below example.
> > >
> > > public static class MyMath {
> > >     public double cos(final double x) {
> > >         return Math.cos(x);
> > >     }
> > > }
> > >
> > > public static void testCustomFunction2() {
> > >     try {
> > >         Map funcs = new HashMap();
> > >         funcs.put("math", new MyMath());
> > >         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
> > >         JexlContext jc = new MapContext();
> > >         jc.set("pi", Math.PI);
> > >         JexlExpression e = jexl.createExpression("math:cos(pi)");
> > >         Object result = e.evaluate(jc);
> > >         System.out.println("Result: " + result);
> > >     }
> > >     catch (JexlException e) {
> > >         Throwable original = e.getCause();
> > >         System.out.println(e.getMessage());
> > >         original.printStackTrace();
> > >         //do something with the original
> > >     }
> > > }
> > >
> > > which is given at below link:
> > > https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
> > >
> > > When I run the above code, I get below exception.
> > >
> > > org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> > > Exception in thread "main" java.lang.NullPointerException
> > >     at org.example.Main.testCustomFunction2(Main.java:100)
> > >     at org.example.Main.main(Main.java:33)
> > >
> > > Can someone, please help me with this? I think, this is a supported way
> > > to use custom functions or exposing my own/wrapper functions. I am using
> > > Java 11 to run the above example.
> > >
> > > Thanks,
> > > Aditya
> > >
> > > —
> > > Aditya Kumar1
> > > Technology Architect
> > > Precisely.com
[JEXL] Detecting infinite loops in JEXL Scripts
Hi,

I am planning to use JEXL library in my SaaS based product to run JavaScripts/JexlScripts (I understand, Jexl is not exactly JavaScript).

Since security is one of the most important requirements for any SaaS based product, I am going to use Jexl Sandbox and Jexl Features to secure my application. I see that in Jexl features, we have a way to turn off the loops but for my requirement, I need to enable loops in the scripts.

Is there a way to detect infinite loops in case someone writes such an expression which turns into an infinite loop during evaluation? Also, someone can also try to sabotage our application by running infinite loops. Is there a way to detect and avoid such a security issue?

PS: I would really appreciate it if you could let me know any other security aspects which I need to consider while using JEXL library.

Thanks,
Aditya

—
Aditya Kumar1
Technology Architect
Precisely.com
RE: Exposing my own/wrapper functions using JEXL
Awesome. I was not aware of this; I didn't find any reference to it. I tried this by adding the permissions in Java 11 and it works perfectly.

Thanks Henri!

- Aditya Kumar1
Technology Architect
Precisely.com

-----Original Message-----
From: Henri Biestro
Sent: Monday, August 7, 2023 3:16 PM
To: dev@commons.apache.org
Subject: Re: Exposing my own/wrapper functions using JEXL

Hi;
JEXL 3.3. has increased default security by restricting permissions to a very narrow set of allowed classes. In your case, you need to allow JEXL to introspect your package by configuring your permissions. Have a look at JexlPermissions javadoc for more explanations.
On JEXL 3.3, with Java 17, If your test class resides in the 'org.example' package, the following code does run without errors.
...
Map funcs = new HashMap();
funcs.put("math", new MyMath());
JexlPermissions permissions = JexlPermissions.parse("org.example.*");
JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
JexlContext jc = new MapContext();
jc.set("pi", Math.PI);
JexlExpression e = jexl.createExpression("math:cos(pi)");
Object result = e.evaluate(jc);
System.out.println("Result: " + result);
...

Cheers

On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> Hi,
>
> I was trying to expose my own functions using JEXL library. I am trying the
> below example.
>
> public static class MyMath {
>     public double cos(final double x) {
>         return Math.cos(x);
>     }
> }
>
> public static void testCustomFunction2() {
>     try {
>         Map funcs = new HashMap();
>         funcs.put("math", new MyMath());
>         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
>         JexlContext jc = new MapContext();
>         jc.set("pi", Math.PI);
>         JexlExpression e = jexl.createExpression("math:cos(pi)");
>         Object result = e.evaluate(jc);
>         System.out.println("Result: " + result);
>     }
>     catch (JexlException e) {
>         Throwable original = e.getCause();
>         System.out.println(e.getMessage());
>         original.printStackTrace();
>         //do something with the original
>     }
> }
>
> which is given at below link:
> https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
>
> When I run the above code, I get below exception.
>
> org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> Exception in thread "main" java.lang.NullPointerException
>     at org.example.Main.testCustomFunction2(Main.java:100)
>     at org.example.Main.main(Main.java:33)
>
> Can someone, please help me with this? I think, this is a supported way to
> use custom functions or exposing my own/wrapper functions. I am using Java 11
> to run the above example.
>
> Thanks,
> Aditya
>
> -
> Aditya Kumar1
> Technology Architect
> Precisely.com
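The two JEXL threads on this page (cancelling scripts that run too long, per the ScriptCallableTest#testFuture pointer in the infinite-loops thread, and allowing a custom namespace through JexlPermissions in the wrapper-functions thread) combined into one sandboxed evaluator. This is added example code, not JEXL project code or any poster's; it assumes JEXL 3.3 on the classpath, a class in the org.example package with a "math" namespace as in the thread, and arbitrary time budgets.

```java
package org.example;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.FutureTask;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlFeatures;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/** Added example (not JEXL project code): locked-down engine plus a wall-clock budget per evaluation. */
public final class SandboxedJexl {

    /** The one class scripts may reach through the "math:" namespace, as in the thread. */
    public static class MyMath {
        public double cos(final double x) {
            return Math.cos(x);
        }
    }

    private final JexlEngine jexl;
    private final ExecutorService workers = Executors.newCachedThreadPool();

    public SandboxedJexl() {
        // JEXL 3.3 denies introspection by default; allow only this package, so
        // scripts cannot reach java.lang.Runtime, System, ClassLoader and friends.
        final JexlPermissions permissions = JexlPermissions.parse("org.example.*");

        // Loops stay enabled (the requirement in the thread); what scripts do not need is off.
        final JexlFeatures features = new JexlFeatures()
                .loops(true)
                .sideEffectGlobal(false) // scripts may not assign to context (global) variables
                .newInstance(false);     // no `new ...` expressions

        final Map<String, Object> namespaces = new HashMap<>();
        namespaces.put("math", new MyMath());

        this.jexl = new JexlBuilder()
                .permissions(permissions)
                .features(features)
                .namespaces(namespaces)
                .strict(true)       // unknown variables/methods raise instead of yielding null
                .silent(false)      // propagate JexlException to the caller
                .cancellable(true)  // thread interruption aborts the interpreter loop
                .create();
    }

    /**
     * Parses and runs a script in a worker thread. If it has not returned within
     * budgetMillis, the task is cancelled (the worker is interrupted, which JEXL
     * turns into JexlException.Cancel inside the script) and TimeoutException is thrown.
     */
    public Object evaluate(final String source, final JexlContext ctx, final long budgetMillis)
            throws Exception {
        final JexlScript script = jexl.createScript(source); // parse errors surface here, on the caller's thread
        final FutureTask<Object> task = new FutureTask<>(script.callable(ctx));
        workers.execute(task);
        try {
            return task.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (final TimeoutException timedOut) {
            task.cancel(true);
            throw timedOut;
        }
    }

    public void shutdown() {
        workers.shutdownNow();
    }

    public static void main(final String[] args) throws Exception {
        final SandboxedJexl sandbox = new SandboxedJexl();
        final JexlContext ctx = new MapContext();
        ctx.set("pi", Math.PI);
        try {
            // A bounded loop calling the namespace function finishes well inside its budget.
            final String bounded =
                    "var s = 0; var i = 0; while (i < 10) { s = s + math:cos(pi * i); i = i + 1; } s";
            System.out.println("bounded loop -> " + sandbox.evaluate(bounded, ctx, 500));

            // The case from the thread: a script that never terminates is cut off by the budget.
            try {
                sandbox.evaluate("while(true);", ctx, 200);
            } catch (final TimeoutException timedOut) {
                System.out.println("runaway script exceeded 200 ms and was cancelled");
            }
        } finally {
            sandbox.shutdown();
        }
    }
}
```

The budget bounds wall-clock time only; the worker thread is reclaimed once the interpreter observes the interrupt, so a script blocked in a native call outside JEXL's control would still need a separate guard.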
Re: [Meta] gitlab error responses to mailing list
At least 2 days ago on a thread called "[commons-lang] Comments on new FunctionUtils / nested lambda feature"

Gary

On Mon, Aug 7, 2023, 4:47 AM Mark Thomas wrote:
> Got the error message. To help me play hunt the subscriber, can anyone
> provide information on when this behaviour started?
>
> Thanks,
>
> Mark
>
> On 07/08/2023 09:44, Mark Thomas wrote:
> > ".invalid" is something that the ASF adds to addresses.
> >
> > See https://infra.apache.org/blog/dmarc_filtering_on_lists_that.html
> >
> > Hopefully I'll get a similar error message from gitlab in response to
> > this. I'll see if I can track down which mailing list subscriber is
> > triggering it.
> >
> > Mark
> >
> > On 06/08/2023 15:05, Gary Gregory wrote:
> >> Ah, right, your post here... I'm guessing that address is no longer valid
> >> or is one of those ".invalid" addresses services like Proton Mail use...
> >>
> >> Gary
> >>
> >> On Sun, Aug 6, 2023, 10:04 AM Gary Gregory wrote:
> >>
> >>> The commons dev mailing list gets those.
> >>>
> >>> Gary
> >>>
> >>> On Sun, Aug 6, 2023, 9:29 AM Daniel Watson wrote:
> >>>
> >>>> Does anyone else get gitlab error messages in response to emails sent to
> >>>> this list (coming from supp...@cons3rt.com)? The messages have no
> >>>> information as to the cause or resolution. Can't find any documentation
> >>>> about it on the mailing list page.
Re: Exposing my own/wrapper functions using JEXL
Do we need better documentation on the site?

Gary

On Mon, Aug 7, 2023, 5:45 AM Henri Biestro wrote:
> Hi;
> JEXL 3.3 has increased default security by restricting permissions to a
> very narrow set of allowed classes. In your case, you need to allow JEXL to
> introspect your package by configuring your permissions. Have a look at the
> JexlPermissions javadoc for more explanations.
> On JEXL 3.3, with Java 17, if your test class resides in the 'org.example'
> package, the following code does run without errors.
> ...
> Map funcs = new HashMap();
> funcs.put("math", new MyMath());
> JexlPermissions permissions = JexlPermissions.parse("org.example.*");
> JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
> JexlContext jc = new MapContext();
> jc.set("pi", Math.PI);
> JexlExpression e = jexl.createExpression("math:cos(pi)");
> Object result = e.evaluate(jc);
> System.out.println("Result: " + result);
> ...
>
> Cheers
>
> On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> > Hi,
> >
> > I was trying to expose my own functions using the JEXL library. I am trying
> > the below example.
> >
> > public static class MyMath {
> >     public double cos(final double x) {
> >         return Math.cos(x);
> >     }
> > }
> >
> > public static void testCustomFunction2() {
> >
> >     try {
> >         Map funcs = new HashMap();
> >         funcs.put("math", new MyMath());
> >         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
> >         JexlContext jc = new MapContext();
> >         jc.set("pi", Math.PI);
> >         JexlExpression e = jexl.createExpression("math:cos(pi)");
> >         Object result = e.evaluate(jc);
> >         System.out.println("Result: " + result);
> >     }
> >     catch (JexlException e) {
> >         Throwable original = e.getCause();
> >         System.out.println(e.getMessage());
> >         original.printStackTrace();
> >         //do something with the original
> >     }
> > }
> >
> > which is given at the link below:
> > https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
> >
> > When I run the above code, I get the below exception.
> >
> > org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> > Exception in thread "main" java.lang.NullPointerException
> >     at org.example.Main.testCustomFunction2(Main.java:100)
> >     at org.example.Main.main(Main.java:33)
> >
> > Can someone please help me with this? I think this is a supported way
> > to use custom functions or exposing my own/wrapper functions. I am using
> > Java 11 to run the above example.
> >
> > Thanks,
> > Aditya
> >
> > -
> > Aditya Kumar1
> > Technology Architect
> > Precisely.com
Re: Exposing my own/wrapper functions using JEXL
Hi;
JEXL 3.3 has increased default security by restricting permissions to a very narrow set of allowed classes. In your case, you need to allow JEXL to introspect your package by configuring your permissions. Have a look at the JexlPermissions javadoc for more explanations.
On JEXL 3.3, with Java 17, if your test class resides in the 'org.example' package, the following code does run without errors.
...
Map funcs = new HashMap();
funcs.put("math", new MyMath());
JexlPermissions permissions = JexlPermissions.parse("org.example.*");
JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
JexlContext jc = new MapContext();
jc.set("pi", Math.PI);
JexlExpression e = jexl.createExpression("math:cos(pi)");
Object result = e.evaluate(jc);
System.out.println("Result: " + result);
...

Cheers

On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> Hi,
>
> I was trying to expose my own functions using the JEXL library. I am trying the
> below example.
>
> public static class MyMath {
>     public double cos(final double x) {
>         return Math.cos(x);
>     }
> }
>
> public static void testCustomFunction2() {
>
>     try {
>         Map funcs = new HashMap();
>         funcs.put("math", new MyMath());
>         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
>         JexlContext jc = new MapContext();
>         jc.set("pi", Math.PI);
>         JexlExpression e = jexl.createExpression("math:cos(pi)");
>         Object result = e.evaluate(jc);
>         System.out.println("Result: " + result);
>     }
>     catch (JexlException e) {
>         Throwable original = e.getCause();
>         System.out.println(e.getMessage());
>         original.printStackTrace();
>         //do something with the original
>     }
> }
>
> which is given at the link below:
> https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
>
> When I run the above code, I get the below exception.
>
> org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> Exception in thread "main" java.lang.NullPointerException
>     at org.example.Main.testCustomFunction2(Main.java:100)
>     at org.example.Main.main(Main.java:33)
>
> Can someone please help me with this? I think this is a supported way to
> use custom functions or exposing my own/wrapper functions. I am using Java 11
> to run the above example.
>
> Thanks,
> Aditya
>
> -
> Aditya Kumar1
> Technology Architect
> Precisely.com
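The fix Henri describes, worked through as an added example (not code from the thread or from JEXL itself): the thread's MyMath namespace is evaluated first under the JEXL 3.3 default permissions, then under the org.example allow-list, and a method annotated with @NoJexl shows that allowing a package does not expose every member of its classes. The org.example package, the PermissionsDemo class name and the shutdown() method are assumptions made for this example; it builds against commons-jexl3 3.3.

```java
package org.example; // package name assumed from the thread
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.annotations.NoJexl;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class PermissionsDemo {                         // hypothetical class name
    /** Namespace object exposed to scripts as "math:". */
    public static class MyMath {
        public double cos(final double x) { return Math.cos(x); }
        /** Stays hidden from scripts even once the package is allowed. */
        @NoJexl
        public void shutdown() { /* never reachable from a script */ }
    }
    /** Runs expr under the given permissions: the result, or the refusal message. */
    static String evaluate(final JexlPermissions permissions, final String expr) {
        Map<String, Object> funcs = new HashMap<>();
        funcs.put("math", new MyMath());
        JexlEngine jexl = new JexlBuilder()
                .permissions(permissions)   // the step missing from the thread's code
                .namespaces(funcs)
                .create();
        JexlContext jc = new MapContext();
        jc.set("pi", Math.PI);
        try {
            JexlExpression e = jexl.createExpression(expr);
            return String.valueOf(e.evaluate(jc));
        } catch (JexlException e) {
            // getCause() is null for an "unsolvable function/method" error, which is
            // why original.printStackTrace() in the thread's code raised the NPE
            return "refused: " + e.getMessage();
        }
    }
    public static void main(final String[] args) {
        // 1. JEXL 3.3 default: org.example is not introspectable, so the call is refused
        System.out.println(evaluate(JexlPermissions.RESTRICTED, "math:cos(pi)"));
        // 2. Allow this package only, as Henri suggests: the call now succeeds
        JexlPermissions allowed = JexlPermissions.parse("org.example.*");
        System.out.println(evaluate(allowed, "math:cos(pi)"));
        // 3. Package allowed, but @NoJexl still keeps shutdown() out of reach
        System.out.println(evaluate(allowed, "math:shutdown()"));
    }
}
```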
Re: [Meta] gitlab error responses to mailing list
Got the error message. To help me play hunt the subscriber, can anyone provide information on when this behaviour started?

Thanks,

Mark

On 07/08/2023 09:44, Mark Thomas wrote:
> ".invalid" is something that the ASF adds to addresses.
>
> See https://infra.apache.org/blog/dmarc_filtering_on_lists_that.html
>
> Hopefully I'll get a similar error message from gitlab in response to this. I'll see if I can track down which mailing list subscriber is triggering it.
>
> Mark
>
> On 06/08/2023 15:05, Gary Gregory wrote:
> > Ah, right, your post here... I'm guessing that address is no longer valid or is one of those ".invalid" addresses services like Proton Mail use...
> >
> > Gary
> >
> > On Sun, Aug 6, 2023, 10:04 AM Gary Gregory wrote:
> > > The commons dev mailing list gets those.
> > >
> > > Gary
> > >
> > > On Sun, Aug 6, 2023, 9:29 AM Daniel Watson wrote:
> > > > Does anyone else get gitlab error messages in response to emails sent to this list (coming from supp...@cons3rt.com)? The messages have no information as to the cause or resolution. Can't find any documentation about it on the mailing list page.
Re: [Meta] gitlab error responses to mailing list
".invalid" is something that the ASF adds to addresses. See https://infra.apache.org/blog/dmarc_filtering_on_lists_that.html Hopefully I'll get a similar error message from gitlab in response to this. I'll see if I can track down which mailing list subscriber is triggering it. Mark On 06/08/2023 15:05, Gary Gregory wrote: Ah, right, you're post here... I'm guessing that address is no longer valid or is one of those ".invalid" addresses services like Proton Mail uses... Gary On Sun, Aug 6, 2023, 10:04 AM Gary Gregory wrote: I commons dev mailing list gets those. Gary On Sun, Aug 6, 2023, 9:29 AM Daniel Watson wrote: Does anyone else get gitlab error messages in response to emails sent to this list (coming from supp...@cons3rt.com) ? The messages have no information as to the cause or resolution. Can't find any documentation about it on mailing list page. - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org