MVEL: how to keep java.lang.* classes out of expressions?

Question

I'm trying to sandbox MVEL expression evaluation. Unfortunately, by default MVEL includes all java.lang.* classes in the expression language, so a user could call "Runtime.exit()" and kill the whole system.

How can I exclude all classes that I haven't explicitly added with addImport()?

I haven't been able to make heads or tails of the VariableResolvers.

score 3 · Accepted Answer · answered Apr 17 '13 at 20:46

3

As far as I known this is not supported.

I faced this need some time ago on a project of my company. We had to change MVEL quite a bit to introduce a way to configure a custom policy to control access to types and methods. The problem is that you can also access any class by its fully qualified name, so it was not just a matter of removing the default imports. Unfortunately I don't own the code to make it available.

answered Apr 17 '13 at 20:46

Danilo Ferreira

70
1
7

1

This is too bad. I really like MVEL. – ccleve Apr 17 '13 at 20:50

score 1 · Answer 2 · edited May 11 '15 at 15:56

1

ParserContext ctx = new ParserContext();

ctx.addImport("System", String.class);
ctx.addImport("Runtime", String.class);

edited May 11 '15 at 15:56

Shaunak D

20,588
10
46
79

answered May 11 '15 at 15:01

user4887909

11
1

Your answer is in danger of deletion. You really need to explain what's happening here and how this answers the question posed. – David Hoelzer May 11 '15 at 19:25

score 0 · Answer 3 · answered Apr 18 '13 at 14:21

0

Have you tried using AspectJ to constrain these calls from MVEL?

answered Apr 18 '13 at 14:21

Adrian Herscu

738
1
6
19

Not sure how this helps? Implements some kind of security sandbox? – ccleve Apr 18 '13 at 16:48

MVEL: how to keep java.lang.* classes out of expressions?

3 Answers3