Hello All,
Sleep 2.1-b24 is released. This release adds better support for
cyclical data structures. Now you can println a hash or array that
reference themselves in a circular fashion without crashing Sleep.
$ java -jar sleep.jar
>> Welcome to the Sleep scripting language
> interact
>> Welcome to interactive mode.
%foo = %(a => "apple");
%foo["f"] = %foo;
%bar = %(d => "dog", ff => %foo);
%foo["b"] = %bar;
println(%foo);
.
%(a => 'apple', f => %0, b => %(d => 'dog', ff => %0))
This makes hashes/arrays useful for representing directed graphs and
things like that.
Near and dear to my heart I've also added runtime taint mode support.
Taint mode is a security feature to educate scripters when they are
calling sensitive functions with unsanitized external data. Wow, that
is a mouth full. Basically all data received from external sources (I/
O functions, @ARGV, and other "tainter" functions) is considered
tainted. Any data derived from tainted data is considered tainted as
well. Sensitive functions include eval, expr, compile_closure,
include, etc. Any attempt to call a sensitive function with a tainted
value will result in
a runtime warning when taint mode is enabled.
taint.sl:
$script = 'println(' . @ARGV[0] . ');';
eval($script);
running taint.sl:
$ java -jar sleep.jar taint.sl "2 + 2"
4
$ java -Dsleep.taint=true -jar sleep.jar taint.sl "2 + 2"
Warning: Insecure &eval: 'println(2 + 2);' is tainted at taint.sl:2
http://sleep.dashnine.org/manual/hoes.html#taint
I've also created an API for BridgeWriters to support taint mode in
their extensions. Its incredibly easy to use. For example to mark a
function as sensitive and have it throw an error when tainted data is
passed to it:
void scriptLoaded(ScriptInstance script)
{
Function dbquery = new DBQueryFunction();
script.getScriptEnvironment().getEnvironment().put("&dbquery",
TaintUtils.Sensitive(dbquery));
...
http://sleep.dashnine.org/docs/api/index.html?sleep/taint/TaintUtils....
That's it! Taint mode is disabled by default and the whole feature
was designed to have 0 performance impact when disabled. When enabled
overhead for function calls, object expressions, parsed literals, and
operations is increased by about 15%. Other operations in the
interpreter are unimpacted. (Lets see here, with Amdahl's Law that
means the total performance impact is, err, negligible).
Taint mode provides one extra bit of good news. The parser/code
generator pipeline has been refactored to support the use of a factory
for generating Sleep's interpreted code. Taint mode installs a
factory that wraps certain atomic steps in wrappers that check the
arguments for tainted values and subsequently taint the return value
if necessary. This refactored API opens Sleep up for more
customization.
I've also posted an updated version of the Sleep 2.1 manual. I've
pulled the link to the Sleep Language Reference from the website. As
soon as I finish the chapter on Sleep Integration I will pull the
Sleep Developer's Guide link as well.
Change log is available at http://sleep.dashnine.org/changelog.html
Download Sleep 2.1-b24 at http://sleep.dashnine.org/download.html
That's about it. Enjoy the beta.
-- Raphael
|
