我正在开发一个允许用户执行自定义 Scala 代码的在线环境(将其视为持续集成).但是,我想阻止他们做某些事情,尤其是文件 I/O 和网络调用.我将允许使用我将公开的库来限制这些函数的形式.
I'm working on an online environment that will allow users to execute custom Scala code (think of it like continuous integration). However, I want to prevent them from doing certain things, most notably file I/O and network calls. I will allow limited forms of these functions with a library that I will expose.
简单的方法是将 /^import.*$/ 替换为空字符串.然而,邪恶的人有很多方法可以绕过这个问题,比如类加载器等.我希望用户只能访问预选的导入白名单",而不必依赖(可能不完整的)黑名单.
The naive approach would be to simply replace /^import.*$/ with the empty string. However, there are plenty of ways for nefarious folks to get around that, with classloaders and such. I want the users to only have access to a preselected "whitelist" of imports rather than having to rely on a (possibly incomplete) blacklist.
我还没有决定是要在底层操作系统上用他们的文件调用 scalac,还是使用 IMain 来解释文本.显然,如果一种方法使我想要的结果可行,我会采用那种方法.加分,如果您的答案包括
I still haven't decided whether I'm going to call scalac on the underlying OS with their files, or whether to use IMain to interpret the text. Obviously if one method makes my desired result feasible, I'll go with that one. Bonus points if your answer includes ways to
如何有效地对用户的代码进行沙箱处理?
推荐答案有两个不同的问题:编译时和运行时沙盒.
There are two different issues: compile-time and run-time sandboxing.
运行时沙箱可以通过使用 Java 安全性和类加载器限制来实现 - 参见例如如何创建 Java 沙箱? 并且,更要注意的是,我可以信任 Java SecurityManager 沙箱吗?.关于这个主题还有很多!
Runtime sandboxing can be accomplished by using Java Security and classloader restrictions - see e.g. How do I create a Java sandbox? and, more cautionary, Can I trust Java SecurityManager sandbox?. There's a lot more out there on this topic!
对于 Scala 编译时沙箱,我必须推迟.不过,我想知道你是否需要它.如果尝试使用被禁止的 API 的只有那些试图闯入您系统的人,那么没有理由通过提供编译时检查来简化他们的工作.
For Scala compile-time sandboxing, I have to defer. However, I wonder whether you need it. If the only people who try to use forbidden API's are those who are trying to break into your system, there's no reason to make their job easier by providing compile-time checking.
更多推荐
防止在 Scala 中导入未经授权的类
发布评论