[logback-dev] [JIRA] Created: (LBCLASSIC-294) <if> requires Janino, which is considered harmful
Joachim Durchholz (JIRA)
noreply-jira at qos.ch
Fri Sep 9 12:20:16 CEST 2011
<if> requires Janino, which is considered harmful
-------------------------------------------------
Key: LBCLASSIC-294
URL: http://jira.qos.ch/browse/LBCLASSIC-294
Project: logback-classic
Issue Type: Improvement
Components: joran
Affects Versions: 0.9.29
Environment: (Assuming 0.9.29 is the currently released version)
Reporter: Joachim Durchholz
Assignee: Logback dev list
Priority: Blocker
More on Janino below; here's the proposal:
Have a variant of <if>, namely <if property="property name">.
If the property does not exist or is false, use the <else> part; otherwise, use the <then> part.
Problems with Janino:
1) Bloat. A footprint of 1 megabyte is amazingly small for an almost full Java compiler, but it still more than doubles the footprint for logging.
2) Reliability. If the logging configuration is user editable, they might add a Java expression that calls arbitrary internal APIs.
I am aware that http://logback.qos.ch/manual/configuration.html#conditional claims that the generated code is sandboxed ("only context properties or system properties are accessible"). However, sandboxes require full security audits. Janino would require a security audit. I doubt that there are enough developer resources for this task available; the task could be reduced for Logback by keeping the available API narrow (just a bunch of properties is extremely tight), but I doubt that that is possible for Janino.
Worse, those audits would need to be repeated for every new revision.
3) Security. Expressions that make it outside the sandbox could do any amount of nasty things. Intentionally or not (I can imagine scenarios for both).
These problems do not exist for programmer-defined properties. Only PropertyDefiner descendants can be called from the configuration, and these are statically checkable in source. There is no need to worry about expressions that might try to call arbitrary internal APIs.
(If I wanted to live with that kind of risk I'd be programming in Lisp, dammit!)