gorules / zen

Open-source Business Rules Engine for your Rust, NodeJS, Python or Go applications.
https://gorules.io
MIT License
667 stars, 61 forks

Calling an external REST function #144

Open jaroslavpsenicka opened 2 months ago

jaroslavpsenicka commented 2 months ago

Hi all, just wonder whether I may call an external REST function from the function block, via fetch.

This may be advantageous for us, where we have a legacy system doing all sort of calculations - when we expose these calculations as REST services, we may orchestrate them using the rule engine. Later on, we may gradually rewrite these into decision tables and functions.

ivanmiletic commented 2 months ago

Hi @jaroslavpsenicka, at the moment no (not yet officially released), but we are working on a new type of node called CustomNode, which will allow you to code any node/block and use it during graph evaluation.

Take a look at this comment: https://github.com/gorules/zen/discussions/124#discussioncomment-8976890

Also, in Open Source you can code it; in our BRMS it will be exposed as an HTTP/REST integration.

For your use case, GoRules will indeed be capable of orchestrating calls to other services during evaluation.

egandro commented 1 month ago

I hope that will never ever ever happen :)

I consider not blocking fetch/get/fopen/... of the v8 a security risk.

(Probably an opt-in would be ok at compile time or via environment variables.)

Zen rule files can become a major security risk, as code can download anything from the internet and use eval() to do nasty things.

stefan-gorules commented 1 month ago

We have moved away from V8 to QuickJS a few releases back. And as you've correctly pointed out, there are some security implications that we'd need to consider before enabling such support.

Our function nodes are currently very limited, and they cannot:

  1. Fetch from external sources
  2. Modify file system
  3. Interact with any system resources whatsoever

It will very likely remain this way or we might make it configurable at some point. What you are able to do now however, is utilise custom nodes in order to achieve fetch functionality inside GoRules ZEN.

EDIT: The security implications are much lower after a few quick checks. The only way you can cause issues is if you run:

const res = await fetch("...");
const someData = await res.text(); // the response body as a string
eval(someData);                    // executes whatever the remote server returned

And there are obvious reasons why this should never be done in general. Instead, it might make more sense to prevent usage of eval rather than block implementation of fetch in the future.