Clj-沙盒错误?
我正在尝试让 clj-sandbox 允许 def 和 定义。
我在使用 def 时没有遇到任何问题:
(use 'net.licenser.sandbox
'net.licenser.sandbox.tester
'net.licenser.sandbox.matcher)
(def my-tester
(extend-tester secure-tester (whitelist (function-matcher 'def))))
(def my-sandbox
(stringify-sandbox (new-sandbox :tester my-tester)))
(my-sandbox
"(def a (clojure.core/fn a ([b] (inc b))))")
(println (my-sandbox "(a 5)"))
但是,defn 给我带来了问题。看起来我的代码通过了沙箱准则,但在执行过程中失败了:
; (macroexpand '(defn y [z] (inc z)))
(my-sandbox
"(def y (.withMeta (clojure.core/fn y ([z] (inc z))) (.meta (var y))))")
; java.lang.SecurityException: Exception in sandboxed code.
这是一个错误,还是我做错了什么?
I am trying to get clj-sandbox to allow def and defn.
I didn't have any trouble getting def working:
(use 'net.licenser.sandbox
'net.licenser.sandbox.tester
'net.licenser.sandbox.matcher)
(def my-tester
(extend-tester secure-tester (whitelist (function-matcher 'def))))
(def my-sandbox
(stringify-sandbox (new-sandbox :tester my-tester)))
(my-sandbox
"(def a (clojure.core/fn a ([b] (inc b))))")
(println (my-sandbox "(a 5)"))
However, defn is giving me problems. It looks like my code passes the sandbox guidelines, but then fails during execution:
; (macroexpand '(defn y [z] (inc z)))
(my-sandbox
"(def y (.withMeta (clojure.core/fn y ([z] (inc z))) (.meta (var y))))")
; java.lang.SecurityException: Exception in sandboxed code.
Is this a bug, or am I doing something wrong?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
clj-sandbox 有点混乱。从长远来看,做出的一些设计决策最终变成了糟糕的想法。
Alan Malloy 和我编写了一个名为 clojail 的新沙箱库来替换我们自己项目中的 clj-sandbox。我不确定是否有任何项目仍在生产中使用 clj-sandbox,并且它不再维护。
不幸的是,clojail 不支持 clj-sandbox 那样的 def/defn。这意味着,您可以允许 def/defn,但它们根本不会被沙箱化。它们可用于强制内存不足错误。 http://try-clojure.org 没有这个问题,因为它必须有自己的小 def/无论如何,defn 沙箱(存储在 cookie 中)。如果您需要这种行为,您应该能够从 try-clojure 的版本 复制/粘贴。
无论如何,我实际上忘记了 def/defn 在 clj-sandbox 中的行为方式,这可能就是我们还没有将其添加到 clojail 的原因。稍后我会提出issue并尽快实施。
不管怎样,clojail 是我目前所知道的唯一一个积极维护的沙箱库。它用于 sexpbot 和 try-clojure,我们在 Freenode 上有一个针对它和其他与 sexpbot 相关项目的频道。如果您需要任何帮助,请加入#sexpbot!
clj-sandbox is a bit of a buggy mess. There were some design decisions made that, in the long run, ended up being bad ideas.
Alan Malloy and I wrote a new sandbox library called clojail to replace clj-sandbox in our own projects. I'm not sure there are any projects still using clj-sandbox in production, and it isn't maintained anymore.
Unfortunately, clojail doesn't have the support for def/defn that clj-sandbox has. Meaning, you can allow def/defn, but they wont be sandboxed at all. They can be used to force out of memory errors. http://try-clojure.org doesn't have that problem because it has to have it's own little def/defn sandbox anyways (that's stored in a cookie). You should be able to mostly copy/paste from try-clojure's version if you need this sort of behavior.
In any case, I actually forgot about how def/defn behaves in clj-sandbox, and that's probably why we haven't added it to clojail yet. I'll make an issue for it later and implement it as soon as possible.
Anyways, clojail is the only actively maintained sandboxing library that I know of right now. It's used in sexpbot and try-clojure, and we have a channel for it and other sexpbot-related projects on Freenode. Hop in #sexpbot if you need any help!