TomFrost / Jexl

Javascript Expression Language: Powerful context-based expression parser and evaluator
MIT License

eval is safe #81

Closed GlauberF closed 4 years ago

GlauberF commented 4 years ago

What is the difference between eval from Jexl and eval from JavaScript? Second question: is it really safe?

TomFrost commented 4 years ago

Hi Glauber,

The only thing Jexl.eval and JavaScript's native eval have in common is the name -- they do two very different things. JavaScript's eval() executes JavaScript code. Jexl parses and evaluates Jexl expressions -- which, while the syntax has many similarities to JavaScript, is not actually JavaScript.

The safety comes from the fact that, even if you allow an end-user to supply the expression to be evaluated, they will be unable to run code that you do not explicitly supply to Jexl in advance. Even if you add a JavaScript object to your context argument, functions it contains cannot be invoked from a Jexl expression. The only code that will run outside of Jexl itself is code that you've added by supplying your own transform function, or binary/unary operators.

So, in short: The safety of Jexl is determined by the custom transforms and operators you add to it. I'd advise strongly against giving Jexl expressions access to functions that can write or modify records in any way, or load data that should be restricted to certain people -- especially if you are processing expressions that users can submit directly, or that might be stored in a file or database that an attacker could try to access.
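The evaluator below is an added illustration of the model described in the answer above; it is not Jexl's code and its grammar is far smaller than Jexl's (the names `addTransform`, `evalSync`, `tryEval` and the sample context are assumptions made for this example). It shows the two properties that make such a design safe to expose to user-supplied expressions: there is no call syntax, so a function placed in the context is inert data, and the only code an expression can cause to run is a transform the host registered beforehand. As an extra defensive detail beyond what the answer states, lookups read own properties only, so an expression cannot walk the prototype chain to reach anything the host did not put in the context.

```javascript
// Constructed, minimal Jexl-style evaluator (not Jexl's own code).
// Grammar:  expr    := primary ( '|' IDENT [ '(' expr {',' expr} ')' ] )*
//           primary := NUMBER | STRING | IDENT { '.' IDENT }
// There is deliberately no "(" after a path: nothing in the context is callable.

const transforms = new Map();

// Host-side registration is the only route by which code becomes reachable
// from an expression, so this is where the access review belongs.
function addTransform(name, fn) {
  if (!/^[A-Za-z_]\w*$/.test(name)) throw new Error(`bad transform name: ${name}`);
  transforms.set(name, fn);
}

// Tokens: identifiers, numbers, quoted strings and the punctuation . | ( ) ,
function tokenize(src) {
  const re = /\s*(?:([A-Za-z_]\w*)|(\d+(?:\.\d+)?)|"([^"]*)"|'([^']*)'|([.|(),]))/y;
  const out = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const pos = re.lastIndex;
    const m = re.exec(src);
    if (!m) throw new Error(`unexpected character at offset ${pos}`);
    if (m[1] !== undefined) out.push({ t: 'id', v: m[1] });
    else if (m[2] !== undefined) out.push({ t: 'num', v: Number(m[2]) });
    else if (m[5] !== undefined) out.push({ t: m[5] });
    else out.push({ t: 'str', v: m[3] !== undefined ? m[3] : m[4] });
  }
  return out;
}

function parse(tokens) {
  let i = 0;
  const peek = (t) => tokens[i] !== undefined && tokens[i].t === t;
  const expect = (t) => {
    if (!peek(t)) throw new Error(`expected ${t} at token ${i}`);
    return tokens[i++];
  };
  function primary() {
    const tok = tokens[i++];
    if (!tok) throw new Error('unexpected end of expression');
    if (tok.t === 'num' || tok.t === 'str') return { kind: 'lit', value: tok.v };
    if (tok.t !== 'id') throw new Error(`unexpected token ${tok.t}`);
    const path = [tok.v];
    while (peek('.')) { i++; path.push(expect('id').v); }
    return { kind: 'path', path };
  }
  function expr() {
    let node = primary();
    while (peek('|')) {
      i++;
      const name = expect('id').v;
      const args = [];
      if (peek('(')) {
        i++;
        if (!peek(')')) {
          args.push(expr());
          while (peek(',')) { i++; args.push(expr()); }
        }
        expect(')');
      }
      node = { kind: 'transform', name, input: node, args };
    }
    return node;
  }
  const ast = expr();
  // Leftover tokens (e.g. "(" after a path) are a syntax error, not a call.
  if (i !== tokens.length) throw new Error(`unexpected token ${tokens[i].t}`);
  return ast;
}

// Own properties only: no walk up the prototype chain (constructor, __proto__).
// A function value is returned as-is and never invoked.
function lookup(context, path) {
  let cur = context;
  for (const key of path) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

function evaluate(node, context) {
  if (node.kind === 'lit') return node.value;
  if (node.kind === 'path') return lookup(context, node.path);
  const fn = transforms.get(node.name);
  if (!fn) throw new Error(`unknown transform: ${node.name}`);
  return fn(evaluate(node.input, context), ...node.args.map((a) => evaluate(a, context)));
}

function evalSync(expression, context = {}) {
  return evaluate(parse(tokenize(expression)), context);
}

// Read-only transforms are the safe kind to register; anything that writes
// records or loads restricted data would become reachable from user input.
addTransform('upper', (s) => String(s).toUpperCase());
addTransform('add', (n, k) => Number(n) + Number(k));

// Constructed sample context; the function is there to show it stays inert.
const sampleContext = { user: { name: 'alice', id: 41, greet: () => 'called!' } };

// Wraps evalSync so a caller can see which expressions were rejected and why.
function tryEval(expression, context = sampleContext) {
  try { return { ok: true, value: evalSync(expression, context) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

for (const e of ['user.name|upper', 'user.id|add(1)', 'user.greet', 'user.greet()',
                 'user.constructor', 'user.name|dropTable']) {
  console.log(e.padEnd(20), tryEval(e));
}
```

Running it prints the accepted expressions with their values, `user.greet` as an uncalled function, `user.greet()` rejected as a syntax error, `user.constructor` as `undefined`, and `user.name|dropTable` rejected because no such transform was registered. The point of the last two rejections is the one made in the answer: what an expression can do is exactly the set of transforms the host chose to add, nothing more.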