PebbleTemplates / pebble

Java Template Engine
https://pebbletemplates.io
BSD 3-Clause "New" or "Revised" License
1.1k stars 168 forks source link

add maxLoopIterationNumber #672

Closed freshchen closed 8 months ago

freshchen commented 8 months ago

Prevent malicious templates from draining CPU resources

ebussieres commented 8 months ago

I don't think we should add this kind of property in core engine. Why do you need this ?

It's developer responsability to protect templates access.

If your templates are shipped with your application code by your developers, your developers can't do more harm this way than what they can already do with malicious code in their Java code.

freshchen commented 8 months ago

Our scenario is LLM Agent. In order to make it more convenient for everyone, try to combine business and LLM capabilities. we provides SaaS services.

Users complete simple processing of registered API tool's result through the template engine. So the template content is provided by the customer's developer or independent software developer

We don’t want their templates to seriously affect the stability of our SaaS service, and we don’t want to introduce complex architectures like FaaS for simple operations.

ebussieres commented 8 months ago

If you don't control your templates, you're gonna be at risk. Please read this : https://github.com/PebbleTemplates/pebble/issues/625

freshchen commented 8 months ago

Thanks for notifying this very useful issue.

In addition, can we refer to the groovy sandbox on the basis of MethodAccessValidator to conduct security risk control on the entire execution process of the template.

Personally, I prefer the implementation of whitelisting.