Clj-Sandbox bug?
I am trying to get clj-sandbox to allow def
and defn
.
I didn't have any trouble getting def
working:
(use 'net.licenser.sandbox
'net.licenser.sandbox.tester
'net.licenser.sandbox.matcher)
(def my-tester
(extend-tester secure-tester (whitelist (functio开发者_JAVA百科n-matcher 'def))))
(def my-sandbox
(stringify-sandbox (new-sandbox :tester my-tester)))
(my-sandbox
"(def a (clojure.core/fn a ([b] (inc b))))")
(println (my-sandbox "(a 5)"))
However, defn
is giving me problems. It looks like my code passes the sandbox guidelines, but then fails during execution:
; (macroexpand '(defn y [z] (inc z)))
(my-sandbox
"(def y (.withMeta (clojure.core/fn y ([z] (inc z))) (.meta (var y))))")
; java.lang.SecurityException: Exception in sandboxed code.
Is this a bug, or am I doing something wrong?
clj-sandbox is a bit of a buggy mess. There were some design decisions made that, in the long run, ended up being bad ideas.
Alan Malloy and I wrote a new sandbox library called clojail to replace clj-sandbox in our own projects. I'm not sure there are any projects still using clj-sandbox in production, and it isn't maintained anymore.
Unfortunately, clojail doesn't have the support for def/defn that clj-sandbox has. Meaning, you can allow def/defn, but they wont be sandboxed at all. They can be used to force out of memory errors. http://try-clojure.org doesn't have that problem because it has to have it's own little def/defn sandbox anyways (that's stored in a cookie). You should be able to mostly copy/paste from try-clojure's version if you need this sort of behavior.
In any case, I actually forgot about how def/defn behaves in clj-sandbox, and that's probably why we haven't added it to clojail yet. I'll make an issue for it later and implement it as soon as possible.
Anyways, clojail is the only actively maintained sandboxing library that I know of right now. It's used in sexpbot and try-clojure, and we have a channel for it and other sexpbot-related projects on Freenode. Hop in #sexpbot if you need any help!
精彩评论