Thanks, Henri, for a quick reply. Really appreciate it.

-
Aditya Kumar1
Technology Architect
Precisely.com
-----Original Message-----
From: Henri Biestro <hen...@apache.org>
Sent: Monday, August 7, 2023 5:09 PM
To: dev@commons.apache.org
Subject: Re: [JEXL] Detecting infinite loops in JEXL Scripts

Ho:
You should look at using JexlPermission which are probably easier and more powerful than the JexlSandbox to enforce application security.
For loops, since there is no obvious guaranteed way to ensure they finish, the possible route is to let scripts run in threads and cancel them if they run for too long (see ScriptCallableTest#testFuture).
Cheers

On 2023/08/07 10:59:58 Aditya Kumar1 wrote:
> Hi,
>
> I am planning to use the JEXL library in my SaaS based product to run JavaScripts/JexlScripts (I understand Jexl is not exactly JavaScript).
>
> Since security is one of the most important requirements for any SaaS based product, I am going to use Jexl Sandbox and Jexl Features to secure my application. I see that in Jexl features we have a way to turn off the loops, but for my requirement I need to enable loops in the scripts.
>
> Is there a way to detect infinite loops in case someone writes such an expression which turns into an infinite loop during evaluation? Also, someone can try to sabotage our application by running infinite loops. Is there a way to detect and avoid such a security issue?
>
> PS: I would really appreciate it if you could let me know any other security aspects which I need to consider while using the JEXL library.
>
> Thanks,
> Aditya
>
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com
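Henri's two suggestions put together (a permissions-restricted engine, plus running each script as a Callable on a worker thread and cancelling it on timeout), as an added example that is not part of this thread or of the JEXL project's own ScriptCallableTest. It assumes JEXL 3.3 or later for JexlPermissions; the class name TimedJexlRunner and the sample scripts are made up for illustration.

```java
import java.util.concurrent.*;
import org.apache.commons.jexl3.*;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public final class TimedJexlRunner {
    // Engine locked down with JexlPermissions (JEXL 3.3+): the RESTRICTED profile
    // denies reflective access to System, Runtime, ClassLoader and similar classes.
    // Loops stay enabled because the product's scripts need them.
    private static final JexlEngine JEXL = new JexlBuilder()
            .permissions(JexlPermissions.RESTRICTED)
            .features(new JexlFeatures().loops(true))
            .cancellable(true)   // interpreter honours Thread.interrupt()
            .create();

    // Evaluates a script on a pool thread and cancels it when it overruns the
    // timeout. Returns the script's value, or throws TimeoutException for a
    // runaway (e.g. infinite-loop) script.
    public static Object runWithTimeout(ExecutorService pool, String source,
                                        JexlContext ctx, long timeout, TimeUnit unit)
            throws Exception {
        JexlScript script = JEXL.createScript(source);
        Future<Object> future = pool.submit(script.callable(ctx));
        try {
            return future.get(timeout, unit);
        } catch (TimeoutException e) {
            // cancel(true) interrupts the worker; JEXL's interpreter checks the
            // interrupt flag per statement/loop iteration and aborts with
            // JexlException.Cancel, so the thread is freed instead of spinning.
            future.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newCachedThreadPool();
        try {
            Object ok = runWithTimeout(pool,
                    "var s = 0; for (var i : [1, 2, 3]) { s = s + i; } s",
                    new MapContext(), 1, TimeUnit.SECONDS);
            System.out.println("well-behaved script returned " + ok);
            runWithTimeout(pool, "while (true) {}", new MapContext(),
                    1, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            System.out.println("runaway script cancelled after timeout");
        } finally {
            pool.shutdownNow();
        }
    }
}
```

Because cancellation relies on the interpreter polling the interrupt flag, a script blocked inside a long-running Java method it was permitted to call will not stop until that call returns; keep the permission set tight so such methods are not reachable.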