Configuring the Graph sandbox
How to configure the Graph sandbox.
DSE Graph has sandbox rules enabled by default to prevent malicious code execution in the JVM that could harm a DSE instance.
Note: The Graph sandbox is enabled by default in DSE 5.0.11 and later, DSE 5.1.4 and later, and DSE 6.0.0.
Sandbox rules are defined to both blacklist (disallow execution) and whitelist (allow execution) packages, superclasses and types. The default sandbox rules may be overridden in the dse.yaml file. The sandbox rules are applied in the following order:
- blacklist_supers, including all classes that implement or extend the listed items
- blacklist_packages, including all sub-packages
- whitelist_packages, including all sub-packages
- whitelist_types, not including sub-classes, but only the specified type
- whitelist_supers, including all classes that implement or extend the listed items
Important: Two classes are hard-coded as blacklisted and cannot be whitelisted:
- java.lang.System: All methods other than currentTimeMillis and nanoTime are blocked (blacklisted).
- java.lang.Thread: currentThread().isInterrupted is an allowed method that can return a wrapped thread with toString, and sleep is also an allowed method. All other methods are disallowed.
An example of possible whitelisted and blacklisted items in the gremlin_server section of the dse.yaml file:

gremlin_server:
    port: 8182
    threadPoolWorker: 2
    gremlinPool: 0
    scriptEngines:
        gremlin-groovy:
            config:
                # sandbox_enabled: false
                sandbox_rules:
                    whitelist_packages:
                        - org.apache.tinkerpop.gremlin.process
                        - java.nio
                    whitelist_types:
                        - java.lang.String
                        - java.lang.Boolean
                        - com.datastax.bdp.graph.spark.SparkSnapshotBuilderImpl
                        - com.datastax.dse.graph.api.predicates.Search
                    whitelist_supers:
                        - groovy.lang.Script
                        - java.lang.Number
                        - java.util.Map
                        - org.apache.tinkerpop.gremlin.process.computer.GraphComputer
                    blacklist_packages:
                        - java.io
                        - org.apache.tinkerpop.gremlin.structure.io
                        - org.apache.tinkerpop.gremlin.groovy.jsr223
                        - java.nio.channels
                    blacklist_supers:
                        - java.lang.System
                        - java.io.File
                        - org.apache.tinkerpop.gremlin.structure.Transaction

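To review an override before deploying it, the documented rule order can be modelled offline. The following is an added example, not DataStax code: it assumes the first matching rule decides, that a class matching no rule is denied, and that a `*_supers` entry also matches the listed class itself. The names `evaluate`, `matches` and `shadowed_whitelist` are hypothetical, and the caller supplies each class's superclasses because the model has no JVM.

```python
# Added example: a model of the documented rule order, not DataStax code.
# Assumptions: first matching rule decides; no match means denied;
# a *_supers entry also matches the listed class itself.

# Rule lists copied from the dse.yaml example on this page.
RULES = {
    "blacklist_supers": ["java.lang.System", "java.io.File",
                         "org.apache.tinkerpop.gremlin.structure.Transaction"],
    "blacklist_packages": ["java.io", "org.apache.tinkerpop.gremlin.structure.io",
                           "org.apache.tinkerpop.gremlin.groovy.jsr223",
                           "java.nio.channels"],
    "whitelist_packages": ["org.apache.tinkerpop.gremlin.process", "java.nio"],
    "whitelist_types": ["java.lang.String", "java.lang.Boolean",
                        "com.datastax.bdp.graph.spark.SparkSnapshotBuilderImpl",
                        "com.datastax.dse.graph.api.predicates.Search"],
    "whitelist_supers": ["groovy.lang.Script", "java.lang.Number", "java.util.Map",
                         "org.apache.tinkerpop.gremlin.process.computer.GraphComputer"],
}

# Order in which the page says the rules are applied.
ORDER = ["blacklist_supers", "blacklist_packages", "whitelist_packages",
         "whitelist_types", "whitelist_supers"]


def matches(kind, entry, cls, supers):
    if kind.endswith("_packages"):           # package and all sub-packages
        return cls.startswith(entry + ".")
    if kind.endswith("_types"):              # exact type only, no sub-classes
        return cls == entry
    return cls == entry or entry in supers   # implements or extends the entry


def evaluate(cls, supers=(), rules=RULES):
    """Return (allowed, deciding_rule) for a fully qualified class name."""
    for kind in ORDER:
        for entry in rules.get(kind, []):
            if matches(kind, entry, cls, supers):
                return kind.startswith("whitelist"), f"{kind}: {entry}"
    return False, "no rule matched"


def shadowed_whitelist(rules=RULES):
    """Whitelisted packages/types that an earlier blacklist rule always overrides."""
    shadowed = []
    for kind in ("whitelist_packages", "whitelist_types"):
        for entry in rules.get(kind, []):
            probe = entry + ".X" if kind.endswith("_packages") else entry
            if not evaluate(probe, (), rules)[0]:
                shadowed.append(entry)
    return shadowed
```

With the page's rules, `java.nio.channels.FileChannel` is denied even though `java.nio` is whitelisted, because `blacklist_packages` is applied first; `shadowed_whitelist` flags whitelist entries in an override that can never take effect for the same reason.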
The location of the dse.yaml file depends on the type of installation:
Installer-Services | /etc/dse/dse.yaml |
Package installations | /etc/dse/dse.yaml |
Installer-No Services | install_location/resources/dse/conf/dse.yaml |
Tarball installations | install_location/resources/dse/conf/dse.yaml |