RE: [scala-user] ANNOUNCE: ScalaScriptEngine 1.1.0 released with

85 Aufrufe
Direkt zur ersten ungelesenen Nachricht

Haoyi Li

ungelesen,
24.08.2012, 21:14:0524.08.12
an Nils Kilden-Pedersen, Kostas kougios, scala...@googlegroups.com
eval(scala code) capability
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=20cf303640b390ecf704c80c1662

--20cf303640b390ecf704c80c1662
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

I looked through the google code page and didnt see anything about
security or sandboxing, which imho is one of the #1 priorities with
scripts.

Does it provide anything on top of the java security managers? E.g. It
would be nice to strictly limit access to a set of pre-defined
variables the script can work with, preventing a script from
side-effecting all over the place. Things that Jvm/process security
policies are too coarse grained for.
From: Nils Kilden-Pedersen
Sent: 8/24/2012 8:22 PM
To: Kostas kougios
Cc: scala...@googlegroups.com
Subject: Re: [scala-user] ANNOUNCE: ScalaScriptEngine 1.1.0 released
with eval(scala code) capability
Doesn't look like it implements JSR-223. Any reason for that?

On Fri, Aug 24, 2012 at 7:04 PM, Kostas kougios wrote:

> Hi,
>
> I am happy to announce the 1.1.0 version of ScalaScriptEngine, the
> Scala library that allows dynamic evaluation of Scala code.
>
> 1.1.0 adds eval() capability to the library,i.e.
>
> // creates a factory for instantiating a function (Float, Double) => Double
> // as (i1:Float,i2:Double)=>i1+i2
> val ect = EvalCode[(Float, Double) => Double]("i1" :: "i2" :: Nil, "i1 +
> i2")
>
> // create a new instance of the function
> val x = ect.newInstance
>
> // and apply it
> x(12.5f, 2.5) should be === 15.0
>
>
> Regards,
>
> Kostas
>
>

--20cf303640b390ecf704c80c1662
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><head><meta content=3D"text/html; charset=3Dutf-8" http-equiv=3D"Cont=
ent-Type"></head><body><div><div style=3D"font-family: Calibri,sans-serif; =
font-size: 11pt;">I looked through the google code page and didnt see anyth=
ing about security or sandboxing, which imho is one of the #1 priorities wi=
th scripts. <br><br>Does it provide anything on top of the java security ma=
nagers? E.g. It would be nice to strictly limit access to a set of pre-defi=
ned variables the script can work with, preventing a script from side-effec=
ting all over the place. Things that Jvm/process security policies are too =
coarse grained for.<br></div></div><hr><span style=3D"font-family: Tahoma,s=
ans-serif; font-size: 10pt; font-weight: bold;">From: </span><span style=3D=
"font-family: Tahoma,sans-serif; font-size: 10pt;">Nils Kilden-Pedersen</sp=
an><br><span style=3D"font-family: Tahoma,sans-serif; font-size: 10pt; font=
-weight: bold;">Sent: </span><span style=3D"font-family: Tahoma,sans-serif;=
font-size: 10pt;">8/24/2012 8:22 PM</span><br><span style=3D"font-family: =
Tahoma,sans-serif; font-size: 10pt; font-weight: bold;">To: </span><span st=
yle=3D"font-family: Tahoma,sans-serif; font-size: 10pt;">Kostas kougios</sp=
an><br><span style=3D"font-family: Tahoma,sans-serif; font-size: 10pt; font=
-weight: bold;">Cc: </span><span style=3D"font-family: Tahoma,sans-serif; f=
ont-size: 10pt;">scala...@googlegroups.com</span><br><span style=3D"font-=
family: Tahoma,sans-serif; font-size: 10pt; font-weight: bold;">Subject: </=
span><span style=3D"font-family: Tahoma,sans-serif; font-size: 10pt;">Re: [=
scala-user] ANNOUNCE: ScalaScriptEngine 1.1.0 released with eval(scala code=
) capability</span><br><br></body></html>Doesn&#39;t look like it implement=
s=C2=A0JSR-223. Any reason for that?<br><br><div class=3D"gmail_quote">On F=
ri, Aug 24, 2012 at 7:04 PM, Kostas kougios=C2=A0wrote:<br><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pad=
ding-left:1ex">

Hi,<br><br>=C2=A0=C2=A0 I am happy to announce the 1.1.0 version of ScalaSc=
riptEngine, the Scala library that allows dynamic evaluation of Scala code.=
<br><br>1.1.0 adds eval() capability to the library,i.e.<br><br>// creates=
a factory for instantiating a function (Float, Double) =3D&gt; Double<br>

// as (i1:Float,i2:Double)=3D&gt;i1+i2<br>val ect =3D EvalCode[(Float, Doub=
le) =3D&gt; Double](&quot;i1&quot; :: &quot;i2&quot; :: Nil, &quot;i1 + i2&=
quot;)<br><br>// create a new instance of the function<br>val x =3D ect.new=
Instance<br>

<br>// and apply it<br>x(12.5f, 2.5) should be =3D=3D=3D 15.0<br><br><br>Re=
gards,<br><br>Kostas<br><br></blockquote></div><br>

--20cf303640b390ecf704c80c1662--

Konstantinos Kougios

ungelesen,
25.08.2012, 06:37:1825.08.12
an Haoyi Li, Nils Kilden-Pedersen, scala...@googlegroups.com
Hi Haoyi, no, it doesn't provide anything yet. It would be interesting
to add security capabilities. I will need to do some research regarding
my options, security managers, stopping bad behaving scripts etc

I.e. how do you stop a script from

new java.io.File("/tmp").delete ?

or how do you stop it from

for(i<0 to 1000000000) yield "crash cpu , crash memory "+i ?

I can limit the access to classes but can I limit it's memory and cpu
usage?

Anyone who knows how, please let me know.

Razvan Cojocaru

ungelesen,
07.09.2012, 15:21:4407.09.12
an Konstantinos Kougios, Haoyi Li, Nils Kilden-Pedersen, scala...@googlegroups.com
The scripster already addreses all these issues.

https://github.com/razie/scripster

Time- It will allocate a given amount of time to each request
https://github.com/razie/scripster/blob/master/src/main/scala/razie/scripste
r/Scripster.scala#L129 some trickery involved, but it works fine, see the
unit tests
https://github.com/razie/scripster/blob/master/src/test/scala/razie/scripste
r/test/ScalaScriptTest.scala#L101

Permissions - very rigorous java permissions - your example produces this
error: "Error: access denied (java.io.FilePermission /tmp delete)"

Restricted values - yes, it uses the notion of session and context - a
context can be pre-populated with certain values and that's all they can
access.

Cheers,
Razie
> an>font=
> -weight: bold;">Sent: </span><span style=3D"font-family:
Tahoma,sans-serif;=
> font-size: 10pt;">8/24/2012 8:22 PM</span><br><span
> style=3D"font-family: = Tahoma,sans-serif; font-size: 10pt;
> font-weight: bold;">To: </span><span st=
> yle=3D"font-family: Tahoma,sans-serif; font-size: 10pt;">Kostas
> kougios</sp=
> an><br><span style=3D"font-family: Tahoma,sans-serif; font-size: 10pt;
> an>font=
> -weight: bold;">Cc: </span><span style=3D"font-family:
> Tahoma,sans-serif; f=
> ont-size: 10pt;">scala...@googlegroups.com</span><br><span
> style=3D"font-=
> family: Tahoma,sans-serif; font-size: 10pt; font-weight:
> bold;">Subject: </=
> span><span style=3D"font-family: Tahoma,sans-serif; font-size:
> span>10pt;">Re: [=

Kostas kougios

ungelesen,
16.10.2012, 18:16:4216.10.12
an scala...@googlegroups.com, Nils Kilden-Pedersen, Kostas kougios
From 1.2.0 the library now supports both SecurityManager  (Sandbox) and extra classloading security) : http://code.google.com/p/scalascriptengine/
Allen antworten
Antwort an Autor
Weiterleiten
0 neue Nachrichten