Exposing my own/wrapper functions using JEXL

2023-08-05 Thread Aditya Kumar1
Hi,

I was trying to expose my own functions using JEXL library. I am trying the 
below example.


import java.util.HashMap;
import java.util.Map;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;

// Namespace object: its public methods become callable from scripts as math:<name>(...)
public static class MyMath {
    public double cos(final double x) {
        return Math.cos(x);
    }
}

public static void testCustomFunction2() {
    try {
        Map<String, Object> funcs = new HashMap<>();
        funcs.put("math", new MyMath());
        JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
        JexlContext jc = new MapContext();
        jc.set("pi", Math.PI);
        JexlExpression e = jexl.createExpression("math:cos(pi)");
        Object result = e.evaluate(jc);
        System.out.println("Result: " + result);
    }
    catch (JexlException e) {
        // getCause() is null when the failure is JEXL's own (e.g. an unsolvable method)
        Throwable original = e.getCause();
        System.out.println(e.getMessage());
        original.printStackTrace();
        //do something with the original
    }
}

which is given at below link:
https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage

When I run the above code, I get below exception.

org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 
'cos(Float)'
Exception in thread "main" java.lang.NullPointerException
   at org.example.Main.testCustomFunction2(Main.java:100)
   at org.example.Main.main(Main.java:33)

Can someone, please help me with this? I think, this is a supported way to use 
custom functions or exposing my own/wrapper functions. I am using Java 11 to 
run the above example.

Thanks,
Aditya



—
Aditya Kumar1
Technology Architect
Precisely.com

 ATTENTION: -The information contained in this message (including any files 
transmitted with this message) may contain proprietary, trade secret or other 
confidential and/or legally privileged information. Any pricing information 
contained in this message or in any files transmitted with this message is 
always confidential and cannot be shared with any third parties without prior 
written approval from Precisely. This message is intended to be read only by 
the individual or entity to whom it is addressed or by their designee. If the 
reader of this message is not the intended recipient, you are on notice that 
any use, disclosure, copying or distribution of this message, in any form, is 
strictly prohibited. If you have received this message in error, please 
immediately notify the sender and/or Precisely and destroy all copies of this 
message in your possession, custody or control.

RE: Exposing my own/wrapper functions using JEXL

2023-08-07 Thread Aditya Kumar1
Awesome. I was not aware of this; I didn't find any reference to it. I tried 
this by adding the permissions in Java 11 and it works perfectly.

Thanks Henri!
-
Aditya Kumar1
Technology Architect
Precisely.com

-Original Message-
From: Henri Biestro  
Sent: Monday, August 7, 2023 3:16 PM
To: dev@commons.apache.org
Subject: Re: Exposing my own/wrapper functions using JEXL



Hi;
JEXL 3.3 has increased default security by restricting permissions to a very 
narrow set of allowed classes. In your case, you need to allow JEXL to 
introspect your package by configuring your permissions. Have a look at the 
JexlPermissions javadoc for more explanations.
On JEXL 3.3, with Java 17, if your test class resides in the 'org.example' 
package, the following code does run without errors.
...
  Map<String, Object> funcs = new HashMap<>();
  funcs.put("math", new MyMath());
  JexlPermissions permissions = JexlPermissions.parse("org.example.*");
  JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
  JexlContext jc = new MapContext();
  jc.set("pi", Math.PI);
  JexlExpression e = jexl.createExpression("math:cos(pi)");
  Object result = e.evaluate(jc);
  System.out.println("Result: " + result);
...

Cheers

On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
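
As an added illustration of Henri's point (example code written for this page, 
not code from the thread or from the JEXL project), the class below shows the 
same namespace call failing under JEXL 3.3's default permissions and succeeding 
once its own package is allowed, and shows that a method marked with JEXL's 
@NoJexl annotation stays out of reach under those same permissions. It assumes 
commons-jexl3 3.3 on the classpath and that the file lives in the org.example 
package used in the thread; reloadConfig() is a hypothetical method standing in 
for anything the namespace class should not expose to scripts.

```java
package org.example;

import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.annotations.NoJexl;
import org.apache.commons.jexl3.introspection.JexlPermissions;

// Added example for this thread, not code from the thread or from JEXL itself.
// Assumes commons-jexl3 3.3 and that this file lives in package org.example.
public class NamespacePermissionsExample {

    // Namespace object: keep it to the handful of methods scripts really need,
    // because every public method on it becomes reachable as math:<name>(...).
    public static class MyMath {
        public double cos(final double x) {
            return Math.cos(x);
        }

        // Hypothetical privileged helper; @NoJexl hides it from scripts even
        // though the package as a whole is allowed below.
        @NoJexl
        public void reloadConfig() {
        }
    }

    // Builds an engine over the "math" namespace. Passing null leaves the
    // permissions unset, which in JEXL 3.3 means JexlPermissions.RESTRICTED.
    static JexlEngine engine(final JexlPermissions permissions) {
        Map<String, Object> funcs = new HashMap<>();
        funcs.put("math", new MyMath());
        JexlBuilder builder = new JexlBuilder().namespaces(funcs).strict(true).silent(false);
        if (permissions != null) {
            builder.permissions(permissions);
        }
        return builder.create();
    }

    // Evaluates one expression and reports either the value or the JEXL error message.
    static String evaluate(final JexlEngine jexl, final String source) {
        JexlContext jc = new MapContext();
        jc.set("pi", Math.PI);
        try {
            Object result = jexl.createExpression(source).evaluate(jc);
            return "ok: " + result;
        } catch (JexlException e) {
            // For JEXL's own failures (unsolvable method, denied member) getCause()
            // is null; report the message rather than dereferencing the cause,
            // which is what raised the NullPointerException in the thread.
            return "error: " + e.getMessage();
        }
    }

    public static void main(final String[] args) {
        // 1. Default permissions: org.example is not on the RESTRICTED allow-list,
        //    so the call is reported as unsolvable (the failure from the thread).
        System.out.println(evaluate(engine(null), "math:cos(pi)"));

        // 2. Allow introspection of our own package, as in Henri's reply; the
        //    allow-list names that package only, not a wildcard over everything.
        JexlPermissions ours = JexlPermissions.parse("org.example.*");
        System.out.println(evaluate(engine(ours), "math:cos(pi)"));

        // 3. The @NoJexl method stays unreachable under the same permissions.
        System.out.println(evaluate(engine(ours), "math:reloadConfig()"));
    }
}
```

The first call reports the unsolvable-method error, the second prints the cosine 
of pi, and the third is refused even though the package is allowed. The 
practical rule this demonstrates: name the narrowest package that holds your 
namespace classes, and keep those classes small, because the permission grant 
covers every public member they have.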

[JEXL] Detecting infinite loops in JEXL Scripts

2023-08-07 Thread Aditya Kumar1
Hi,

I am planning to use the JEXL library in my SaaS-based product to run 
JavaScripts/JexlScripts (I understand Jexl is not exactly JavaScript).

Since security is one of the most important requirements for any SaaS-based 
product, I am going to use Jexl Sandbox and Jexl Features to secure my 
application. I see that in Jexl features we have a way to turn off the loops, 
but for my requirement I need to enable loops in the scripts.

Is there a way to detect infinite loops in case someone writes an expression 
which turns into an infinite loop during evaluation? Also, someone could try to 
sabotage our application by running infinite loops. Is there a way to detect 
and avoid such a security issue?

PS: I would really appreciate it if you could let me know any other security 
aspects which I need to consider while using the JEXL library.

Thanks,
Aditya


—
Aditya Kumar1
Technology Architect
Precisely.com


RE: [JEXL] Detecting infinite loops in JEXL Scripts

2023-08-07 Thread Aditya Kumar1
Thanks, Henri, for a quick reply. Really appreciate it.
-
Aditya Kumar1
Technology Architect
Precisely.com

-Original Message-
From: Henri Biestro  
Sent: Monday, August 7, 2023 5:09 PM
To: dev@commons.apache.org
Subject: Re: [JEXL] Detecting infinite loops in JEXL Scripts



Hi:
You should look at using JexlPermissions, which are probably easier and more 
powerful than the JexlSandbox to enforce application security.
For loops, since there is no obvious guaranteed way to ensure they finish, the 
possible route is to let scripts run in threads and cancel them if they run for 
too long (see ScriptCallableTest#testFuture).
Cheers

On 2023/08/07 10:59:58 Aditya Kumar1 wrote:
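
As an added example of the pattern Henri describes (written for this page; it 
is not from the thread and not JEXL's own ScriptCallableTest), the class below 
runs each script as a Callable on a bounded thread pool, waits up to a fixed 
time budget, and cancels the script when the budget is exhausted. It assumes 
commons-jexl3 3.3 on the classpath; the two scripts are constructed samples, 
one that terminates and one that never does.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

// Added example for this thread, not code from the thread or from JEXL itself.
// Assumes commons-jexl3 3.3.
public class ScriptTimeoutExample {

    static final JexlEngine JEXL = new JexlBuilder()
            .permissions(JexlPermissions.RESTRICTED) // explicit; same as the 3.3 default
            .cancellable(true)  // an interrupted script unwinds with JexlException.Cancel
            .strict(true)
            .create();

    // What the caller learns; the worker thread itself is never handed out.
    enum Outcome { COMPLETED, TIMED_OUT, FAILED }

    // Runs one script with a wall-clock budget on the given pool.
    static Outcome runWithBudget(final String source, final long budgetMillis,
                                 final ExecutorService pool) throws InterruptedException {
        JexlScript script = JEXL.createScript(source);
        JexlContext ctx = new MapContext();
        Callable<Object> task = script.callable(ctx);
        Future<Object> future = pool.submit(task);
        try {
            Object value = future.get(budgetMillis, TimeUnit.MILLISECONDS);
            System.out.println("completed: " + value);
            return Outcome.COMPLETED;
        } catch (TimeoutException te) {
            // Interrupt the worker: JEXL polls for cancellation as it executes
            // statements and loop iterations, so a busy script loop stops here.
            future.cancel(true);
            System.out.println("timed out after " + budgetMillis + " ms, cancelled");
            return Outcome.TIMED_OUT;
        } catch (ExecutionException ee) {
            // Script raised an error (JexlException or a Java exception from a callee).
            System.out.println("failed: " + ee.getCause());
            return Outcome.FAILED;
        }
    }

    public static void main(final String[] args) throws Exception {
        // Bounded pool: a runaway script can at most occupy one of these workers.
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            // Constructed sample 1: a loop that finishes well inside the budget.
            runWithBudget("var s = 0; for (var i : 1..100) { s = s + i; } s", 500, pool);
            // Constructed sample 2: a loop that never finishes; the budget stops it.
            runWithBudget("var n = 0; while (true) { n = n + 1; } n", 500, pool);
        } finally {
            pool.shutdownNow();
            pool.awaitTermination(1, TimeUnit.SECONDS);
        }
    }
}
```

The cancel works because JEXL checks the thread's interrupt flag while it 
interprets the script, so loops written in script code are caught. A script 
that is blocked inside a Java method which ignores interruption keeps its worker 
until that method returns, which is why the pool is bounded and torn down with 
shutdownNow rather than left to grow.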

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org