# scripting
b
Is there a way to use kotlin scripts "safely" meaning giving access for the users to a DSL without giving anything else. (I'm thinking about a client sending a kts file to a server)
a
The question is what do you mean by "anything else". You can run the script in the sandbox, but otherwise, I do not think it is a good idea. It is better to create a model class from the script and serialize it
e
Yes that’s possible. You control the api of the script using the script classpath (or dependencies), your base class, defaultImports and compiler flags (like -no-stdlib for instance).
b
I meant any function not defined in my DSL.
e
Whatever you don't want available in your script you can remove from the list of script dependencies (aka the classpath) and the compiler will error out on encountering it.
I believe kotlin also includes the kotlin-stdlib too so if you do not want functions from there available in your script you can exclude it (via compilerOptions). I haven’t tried this personally but it should work theoretically
b
Well these are fine, I want to mostly avoid abilities to read/write files, access network etc
a
Maybe you could use the Java Security configuration for that or parse the script up front for file access functionality found in the libraries you use.
b
But then it becomes as hard if not harder than having a custom DSL non kotlin based…
e
When you say read or write files and access network, do you mean you want to restrict vanilla java apis like File("path/to/file") and URL("path/to/url").openConnection()?
b
yes
(note that I didn't use kscripts yet, I am surveying if it could be an option for me)
a
won't you have the same challenges with a non-kotlin based DSL?
b
probably yes…