Fork me on GitHub
#clara
<
2021-10-09
>
Robert Elliot11:10:47

I’ve been looking at remove-ns and load-file as suggested in https://github.com/cerner/clara-rules/issues/40 for allowing clients to write rules - I’m worried though that this is very insecure, as both load-file and triggering the rules can execute arbitrary code. Anyone solved this already? Using a security manager? (This is the context behind this thread: https://clojurians.slack.com/archives/C053AK3F9/p1633691822450600)

Robert Elliot11:10:31

We might define a DSL, would perhaps be a simpler way to make it hot reload without running untrusted code.

mikerod16:10:30

@robert511 rules and query constructs can be directly passed in a collection to make a session

mikerod16:10:17

It doesn’t have to invoke ns or files at all. So if you could somehow work that in. It’d like be a bit safer. Although the if you use the built in DSL macros there perhaps still could be risk of unsafe code getting in. Not as likely though.

mikerod16:10:50

You could also make any sort of DSL layer you wanted and just conform to Clara rule and query structure then pass that to session creation.