I'm trying to sandbox MVEL expression evaluation. Unfortunately, by default MVEL includes all java.lang.* classes in the expression language, so a user could call "Runtime.exit()" and kill the whole system.
How can I exclude all classes that I haven't explicitly added with addImport()?
I haven't been able to make heads or tails of the VariableResolvers.
As far as I know, this is not supported.
I faced this need some time ago on a project of my company. We had to change MVEL quite a bit to introduce a way to configure a custom policy to control access to types and methods. The problem is that you can also access any class by its fully qualified name, so it was not just a matter of removing the default imports. Unfortunately I don't own the code to make it available.
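The kind of deny-by-default type and method policy described in the answer above can be modelled as follows. This is an added example, not MVEL's API and not the answerer's code, and it shows why the check has to sit at name resolution and cover fully qualified names as well as the import table. `TypeAccessPolicy`, `resolveType` and `checkMethod` are hypothetical names, and the class only models the decision; it is not wired into MVEL.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical policy class for illustration; nothing here is part of MVEL.
public class TypeAccessPolicy {
    // Simple names an expression may use, mapped to the class each one resolves to.
    private final Map<String, Class<?>> imports;
    // Methods callable per allowed class; a class absent from this map is denied entirely.
    private final Map<Class<?>, Set<String>> allowedMethods;
    public TypeAccessPolicy(Map<String, Class<?>> imports, Map<Class<?>, Set<String>> allowedMethods) {
        this.imports = imports;
        this.allowedMethods = allowedMethods;
    }

    // Resolve a type name as written in an expression, simple or fully qualified.
    public Class<?> resolveType(String name) {
        Class<?> c = imports.get(name);
        if (c == null && name.indexOf('.') >= 0) {
            try {
                // initialize=false: a denied class never gets to run its static initializer.
                c = Class.forName(name, false, TypeAccessPolicy.class.getClassLoader());
            } catch (ClassNotFoundException e) {
                throw new SecurityException("unknown type: " + name);
            }
        }
        // Same allowlist for both paths, so a fully qualified name cannot bypass the imports.
        if (c == null || !allowedMethods.containsKey(c)) {
            throw new SecurityException("type not allowed: " + name);
        }
        return c;
    }
    // Called before every method invocation the evaluator performs.
    public void checkMethod(Class<?> owner, String method) {
        Set<String> ok = allowedMethods.get(owner);
        if (ok == null || !ok.contains(method)) {
            throw new SecurityException("method not allowed: " + owner.getName() + "." + method);
        }
    }

    public static void main(String[] args) {
        TypeAccessPolicy policy = new TypeAccessPolicy(
            Map.of("Math", Math.class),                        // constructed sample policy
            Map.of(Math.class, Set.of("max", "min", "abs")));
        for (String n : new String[] {"Math", "java.lang.Math", "Runtime", "java.lang.Runtime"}) {
            try { System.out.println(n + " -> " + policy.resolveType(n).getName()); }
            catch (SecurityException e) { System.out.println(n + " -> " + e.getMessage()); }
        }
    }
}
```

In an evaluator, `checkMethod` would need to be applied to the runtime class of every receiver, since an allowed method can return an object of a type that was never named in the expression.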