Load templates dynamically from a database #170
You could make a custom implementation of the
@edward3h thanks, I've checked the source code more thoroughly and
@edward3h I've implemented a simple POC with a custom But I have trouble running my POC as a Docker container inside K8s because the generated classes couldn't be compiled, e.g.
Also it complains about my custom params (classes) inside templates. And when I execute the request one more time I can see
But I can see
Some technical details about my setup:
I'm wondering if
It looks like the compiler doesn't have the correct classpath at the point it is trying to compile the template. It should be including the
It's unlikely to be related to Docker. It could be worth trying with
I definitely missed
I can still see the error I mentioned above. It's really weird behaviour and it's not clear how to fix it.
How is your
@casid thanks for your help.

```java
import gg.jte.CodeResolver;
import gg.jte.ContentType;
import gg.jte.TemplateEngine;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TemplateConfiguration {
    @Bean
    public TemplateEngine templateEngine(CodeResolver codeResolver) {
        // Default engine: compiles templates at runtime with the default class loader
        return TemplateEngine.create(codeResolver, ContentType.Plain);
    }
}
```

Where I inject my custom
Can you check what classloaders are used? There was a similar issue with Spring Boot before: #70
Just thought I'd share some concerns about your setup:
@casid thanks, I understand the concerns but I'd still like to have a POC to meet different requirements. These classloaders are used:
As a result of

```java
System.out.println(Thread.currentThread().getContextClassLoader());
System.out.println(getClass().getClassLoader());
```

Where the Java application inside the Docker container is started as
@casid the classloader was definitely the problem, so once I passed the correct loader it started to work. BTW, could you please share more details about the RCE attack that is possible with
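An added example (not code from the issue or from the jte project) of the setup discussed above: a custom CodeResolver backed by an in-memory map that stands in for the database, and a TemplateEngine created with an explicit parent class loader, which is the fix the previous comment describes. It is written against the jte 2.x/3.x API (gg.jte.CodeResolver with resolve, getLastModified and resolveAllTemplateNames; TemplateEngine.create(CodeResolver, Path, ContentType, ClassLoader)); the 1.x CodeResolver contract differs, and the class names, template name and template text are invented for the example:

```java
// Added example, not from the issue or from jte itself. Assumes the jte 2.x/3.x
// CodeResolver interface and the TemplateEngine.create overload that takes a
// parent ClassLoader. The in-memory map stands in for the database table.
import gg.jte.CodeResolver;
import gg.jte.ContentType;
import gg.jte.TemplateEngine;
import gg.jte.output.StringOutput;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class DatabaseBackedTemplates {

    /** Stand-in for a DB-backed CodeResolver: template name -> jte source text. */
    static final class MapCodeResolver implements CodeResolver {
        private final Map<String, String> sources = new ConcurrentHashMap<>();
        private final Map<String, Long> lastModified = new ConcurrentHashMap<>();

        void put(String name, String source) {
            sources.put(name, source);
            lastModified.put(name, System.currentTimeMillis());
        }

        // Whatever is returned here is turned into Java, compiled and executed with
        // the application's privileges: a "!{ ... }" block in a table row is code.
        @Override
        public String resolve(String name) {
            return sources.get(name); // null: jte treats the template as missing
        }

        // jte recompiles a template when this value moves forward.
        @Override
        public long getLastModified(String name) {
            return lastModified.getOrDefault(name, 0L);
        }

        @Override
        public List<String> resolveAllTemplateNames() {
            return List.copyOf(sources.keySet());
        }
    }

    public static void main(String[] args) throws Exception {
        MapCodeResolver resolver = new MapCodeResolver();
        // Constructed template; in the real setup this row comes from the database.
        resolver.put("hello.jte", "@param String name\nHello ${name}!");

        // Where jte writes the generated .java/.class files for runtime compilation.
        Path classDirectory = Files.createTempDirectory("jte-classes");

        // The fix from this thread: give jte the loader that actually sees the
        // application classes (in a Spring Boot fat jar that is the launcher's
        // loader), so generated template classes can resolve @param types.
        ClassLoader appLoader = Thread.currentThread().getContextClassLoader();
        if (appLoader == null) {
            appLoader = DatabaseBackedTemplates.class.getClassLoader();
        }
        TemplateEngine engine = TemplateEngine.create(
                resolver, classDirectory, ContentType.Plain, appLoader);

        StringOutput output = new StringOutput();
        engine.render("hello.jte", "world", output);
        System.out.println(output.toString());
    }
}
```

Which loader is right depends on how the application is launched; inside a Spring Boot fat jar the application classes are only visible through the launcher's class loader, which is why printing both loaders, as done earlier in the thread, is a useful first check. Two caveats: jte compiles templates at runtime through the JDK's javax.tools compiler, so a JRE-only container image cannot compile them at all; and because resolve() returns code that is executed as the application, write access to the template table is equivalent to code execution in the application.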
Since jte uses plain Java for expressions, pretty much anything is possible. For example, to end the application whenever the malicious template is rendered:
Or encrypt all files on the filesystem or tables in the database that the application has access to.
@casid thanks for sharing more details on that. My main requirement is to be able to load different versions of a template at runtime. Also, templates will not be populated by the end users but only by developers through the automated CI/CD pipeline. With great power comes great responsibility, I mean
Are developers committing those templates to the version control of the project? If so, you could make only the decision of which template to use configurable, not the templates themselves. It's e.g. easy to check feature toggles in jte templates and do things differently. In case you want to be able to do all this without an app deployment, you could also precompile all templates on your CI/CD, upload the compiled templates and then replace the template engine (through
And yes, if you plan to do it through the database, I'd consider using a dumber template engine where remote code execution is impossible (if that exists). I believe being able to execute arbitrary e.g. Handlebars templates on a system could be quite dangerous as well.
@casid yes, the idea is to store templates in a git repo and introduce a new template version each time there's a change.
Interesting idea, I was thinking about that as well, but then I'm wondering how I can resolve the template version?
Also I'm wondering if it's possible to load generated templates from an external system, e.g.
I'm not sure what you're building, but I would just deploy the precompiled templates with the application and call it a day. Like, you probably don't store the Java files on an external system and load them dynamically, right? And once in a while you're probably deleting old templates, since the data (Java classes) populating those templates isn't up to date anymore either.
I just noticed, that I didn't really answer your question.
You can use the version in your template name before you call render:
You could download the precompiled class files from there to your server and then create a
As said before, this setup seems a bit wild and potentially dangerous (side-loading executable code from a DB or AWS). In that case an interpreted and slower template language that doesn't need to be compiled might be the better choice. I still don't understand why you need to be able to produce results for old clients though. The beautiful thing about websites is that you deploy them and everything is up to date.
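As an added example of the suggestion above (not code from the issue or from jte): templates are precompiled on CI and shipped inside the application artifact, and the client-visible version only selects which precompiled template name is rendered. The version token is validated before it is spliced into the name, so a caller cannot steer it to an arbitrary template. It assumes the jte 2.x/3.x API (TemplateEngine.createPrecompiled(ContentType), hasTemplate(String) and render(String, Map, TemplateOutput)); the naming scheme mail/welcome_vN.jte, LATEST_VERSION and the class itself are hypothetical:

```java
// Added example, not from the issue or from jte itself. Assumes the jte 2.x/3.x
// API: TemplateEngine.createPrecompiled(ContentType), hasTemplate(String) and
// render(String, Map<String,Object>, TemplateOutput). Naming scheme is made up.
import gg.jte.ContentType;
import gg.jte.TemplateEngine;
import gg.jte.output.StringOutput;

import java.util.Map;
import java.util.regex.Pattern;

public final class VersionedTemplates {
    /** Highest version that was precompiled on CI; bumped by a commit, not at runtime. */
    static final int LATEST_VERSION = 3;
    /** A version is a short decimal number and nothing else (no "/", no "..", no ".jte"). */
    private static final Pattern VERSION_TOKEN = Pattern.compile("[0-9]{1,6}");

    private final TemplateEngine engine;

    VersionedTemplates(TemplateEngine engine) {
        this.engine = engine;
    }

    /**
     * Builds the template name for a client-requested version, e.g.
     * "mail/welcome" + "2" -> "mail/welcome_v2.jte". Anything that is not a
     * number within [1, LATEST_VERSION] falls back to the latest version, so the
     * caller can only choose among names the build produced.
     */
    static String templateName(String base, String requestedVersion) {
        int version = LATEST_VERSION;
        if (requestedVersion != null && VERSION_TOKEN.matcher(requestedVersion).matches()) {
            int v = Integer.parseInt(requestedVersion);
            if (v >= 1 && v <= LATEST_VERSION) {
                version = v;
            }
        }
        return base + "_v" + version + ".jte";
    }

    /** Renders the selected version; a version that was never precompiled falls back to latest. */
    String render(String base, String requestedVersion, Map<String, Object> params) {
        String name = templateName(base, requestedVersion);
        if (!engine.hasTemplate(name)) {      // assumed: TemplateEngine.hasTemplate(String)
            name = templateName(base, null);  // latest precompiled template
        }
        StringOutput out = new StringOutput();
        engine.render(name, params, out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Precompiled classes are produced by the jte Maven/Gradle plugin and live
        // inside the application artifact: no compiler, DB or bucket at runtime.
        TemplateEngine engine = TemplateEngine.createPrecompiled(ContentType.Html);
        VersionedTemplates templates = new VersionedTemplates(engine);

        Map<String, Object> params = Map.of("name", "world");
        String requested = args.length > 0 ? args[0] : null; // e.g. "2", or garbage
        System.out.println(templates.render("mail/welcome", requested, params));
    }
}
```

Because only names that were precompiled on CI can ever be rendered, introducing a version is a commit plus a deployment and retiring one is deleting its template; nothing executable is fetched from a database or object store at runtime, which is the property casid's comment is after. Where only a detail differs between versions, a feature toggle checked inside one template is simpler than a second template.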
@casid thank you for your answers, they're really helpful.
I really like jte syntax and its simplicity, but I'm wondering if jte is suitable for the following use cases: