We are attempting to provide scriptable elements within an "enterprisy" product. We would like to use Groovy, but we are having difficulty securing very basic things.
For example, we would like to prevent a client from simply going
Class.forName("my.company.internal.SecruityTools").runAsAwesome(...)
We've installed a security manager with a policy that only allows accessDeclaredMembers and have overwritten the checkPackageAccess method and only allow whitelisted packages. Unfortunately, the default classLoader chain appears to just bypass this and load the class anyhow.
It would seem like this is a fairly common / discussed problem, but I cannot for the life of me find a library or even a good blog post on how to lock down untrusted scripts within the context of a much greater application.
Has anyone done this successfully? Am I missing some fairly obvious posts / concepts? Is there already a solid library for this? Maybe Groovy.tinFoilHatMode(true)?
Take a look at the Groovy Sandbox. You can use it to stop things like System.exit(0) or new File("/etc/passwd").
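One way to apply the Groovy Sandbox suggestion to the question's Class.forName case, added here as an example and not taken from either poster or from the library's own documentation. It assumes the org.kohsuke.groovy.sandbox jar is on the classpath; AllowlistInterceptor, its allowlist and the sample scripts are constructed for illustration.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// Hypothetical interceptor: deny by default, allow only listed receiver types.
class AllowlistInterceptor extends GroovyInterceptor {
    static final Set<Class> ALLOWED = [String, Integer, Math] as Set

    private static void check(Class type, String what) {
        if (!ALLOWED.contains(type)) throw new SecurityException("${what} on ${type?.name} denied")
    }
    @Override
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver,
                        String method, Object... args) throws Throwable {
        // A Class object used as receiver has type java.lang.Class: not listed, so refused.
        check(receiver?.getClass(), "call to ${method}()")
        return super.onMethodCall(invoker, receiver, method, args)
    }
    @Override
    Object onStaticCall(GroovyInterceptor.Invoker invoker, Class receiver,
                        String method, Object... args) throws Throwable {
        check(receiver, "static call to ${method}()")
        return super.onStaticCall(invoker, receiver, method, args)
    }
    @Override
    Object onNewInstance(GroovyInterceptor.Invoker invoker, Class receiver,
                         Object... args) throws Throwable {
        check(receiver, 'constructor call')
        return super.onNewInstance(invoker, receiver, args)
    }
}

// Scripts must be compiled with SandboxTransformer for the hooks to fire.
def config = new CompilerConfiguration()
config.addCompilationCustomizers(new SandboxTransformer())
def shell = new GroovyShell(config)

// Constructed sample scripts: two harmless, three that must be refused.
["'abc'.toUpperCase()", "Math.max(3, 7)",
 "Class.forName('my.company.internal.SecruityTools')",
 "new File('/etc/passwd')", "System.exit(0)"].each { src ->
    def guard = new AllowlistInterceptor()
    guard.register()   // registration applies to the current thread
    try {
        println "${src} => ${shell.evaluate(src)}"
    } catch (SecurityException e) {
        println "${src} => BLOCKED (${e.message})"
    } finally {
        guard.unregister()
    }
}
```

The property, attribute and array hooks of GroovyInterceptor are left at their defaults here; a deployment would apply the same check in those as well.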
Have a look at the java-sandbox. There is also a tutorial of how to use it with groovy: http://blog.datenwerke.net/2013/06/sandboxing-groovy-with-java-sandbox.html