On Thu, Aug 21, 2008 at 3:01 PM, Detering Dirk
<Dirk.Detering@(protected):
>> product... In the same category would then maybe be dynamic
>> code injection, where source code is injected. But that is
>> not a problem special to Groovy or special to dynamic
>> languages, that is a problem that is possible for any
>> language with scripting abilities... But in both cases of
>> injection it is crucial to not to have code (being sql or
>> something else) in http requests and to check all data that
>> is given through the user.
>
>
> Jochen, you are mostly arguing with web based scenarios.
> The injection problem can exist with scripting support in
> enterprise applications too.
> Consider scriptlets for business rules in an app's DB, or
> configuration scripts or some DSL scripts started
> dynamically from user space.
>
> As the running engine (Groovy) is not restricted in its
> feature set, it can do anything what the running java
> code can do.
>
> Or am I wrong here?
Whether it is an enterprise application or a web application, the security
rules to avoid injection attacks are the same. The most important rule
is essentially: don't EVER accept code as input from the user unless it
can be sandboxed or is secured in a way that it can only be authored by
administrators.
For example, if you had an input box that accepted free-text input of
SQL, you are open to a SQL injection attack. If you did the same with
Groovy and accepted input that was then passed to something like
GroovyShell().evaluate(..), then you are equally open to attack.
If you don't do these things, then Groovy is no different from Java.
Cheers
>
> KR
> Det
>
>
> ***********************************************************************
>
> The information in this e-mail is confidential and intended exclusively
> for the named addressee(s). Access to this e-mail by persons other than
> the named addressee(s) is not permitted. If you are not the named
> addressee, please delete this e-mail.
>
> ***********************************************************************
>
> BITMARCK Software GmbH
> Paul-Klinger-Strasse 15, 45127 Essen
>
> Essen Local Court (Amtsgericht) HRB 20680
> Managing directors: Frank Krause, Andreas Prenneis
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
> http://xircles.codehaus.org/manage_email
>
>
>
--
Graeme Rocher
Grails Project Lead
G2One, Inc. Chief Technology Officer
http://www.g2one.com
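The two cases Graeme contrasts (free-text code handed to GroovyShell.evaluate versus admin-authored rules that only receive user data), as an added Groovy example that is not from this thread or the Groovy project; the function names and the discount rule are made up, and the sandboxed variant uses SecureASTCustomizer, which appeared in Groovy 1.8, after this 2008 discussion.

```groovy
import org.codehaus.groovy.ast.expr.*
import org.codehaus.groovy.ast.stmt.BlockStatement
import org.codehaus.groovy.ast.stmt.ExpressionStatement
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.customizers.SecureASTCustomizer

// VULNERABLE (hypothetical): the user's string *is* the program. Whatever the
// caller types runs with the full rights of the JVM, exactly like free-text SQL
// handed straight to a database.
def evaluateUntrusted(String userInput) {
    return new GroovyShell().evaluate(userInput)
}

// SAFER: keep code and data apart. The rule text is authored by an administrator
// and ships with the application; the user only supplies values, which enter
// the script through a Binding, the analogue of a bound SQL parameter.
final String DISCOUNT_RULE = 'orderTotal > 100 && customerTier == "gold" ? 0.10 : 0.0'

def applyRule(BigDecimal orderTotal, String customerTier) {
    def binding = new Binding([orderTotal: orderTotal, customerTier: customerTier])
    return new GroovyShell(binding).evaluate(DISCOUNT_RULE)
}

// SANDBOXED: if rule text really must be editable at runtime, compile it with a
// SecureASTCustomizer (Groovy 1.8+) so that only a plain arithmetic/boolean
// expression over the bound variables gets through: no imports, no package,
// no method definitions, no closures, no statement other than one expression.
def evaluateSandboxed(String ruleText, Map<String, Object> data) {
    def secure = new SecureASTCustomizer()
    secure.importsWhitelist = []               // empty whitelist: no imports at all
    secure.staticImportsWhitelist = []
    secure.staticStarImportsWhitelist = []
    secure.indirectImportCheckEnabled = true   // also rejects fully qualified names
    secure.packageAllowed = false
    secure.methodDefinitionAllowed = false
    secure.closuresAllowed = false
    secure.statementsWhitelist = [BlockStatement, ExpressionStatement]
    secure.expressionsWhitelist = [BinaryExpression, BooleanExpression,
                                   ConstantExpression, TernaryExpression,
                                   VariableExpression]
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(new Binding(data), config).evaluate(ruleText)
}

assert applyRule(150.00, 'gold') == 0.10
assert evaluateSandboxed(DISCOUNT_RULE, [orderTotal: 50.00, customerTier: 'gold']) == 0.0
// A rule such as 'System.exit(0)' is now refused at compile time: the customizer
// raises a SecurityException, which the compiler may wrap in a
// MultipleCompilationErrorsException.
```

SecureASTCustomizer is a compile-time check on the AST only, so treat it as one layer: pair it with a receivers whitelist and with the administrator-only authoring rule from the message rather than relying on it alone.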