Small AWS Lambda that executes Groovy in a sandboxed environment
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
gradle/wrapper Added README Dec 9, 2016
src Added README Dec 9, 2016
.gitignore
README.adoc Added README Dec 9, 2016
build.gradle Initial commit Dec 9, 2016
gradlew
gradlew.bat Initial commit Dec 9, 2016
settings.gradle Initial commit Dec 9, 2016

README.adoc

Groovy Sandbox AWS Lambda

This is the AWS Lambda to execute abitrary Groovy Script code.

The main purpose is to provide a script execution endpoint for a Slack Groovy Bot.

To prevent malicious use, it utilizes the Groovy Sandbox.

It attempts to prevent access to:

  • instantiating packages outside java., javax. groovy. and spock.

  • accessing the Groovy metaClass

  • Running methods like System.exit(), System.getProperty('key'), System.setProperty('key','val'), Runtime.getCurrentRuntime(), "ls".execute() and more.

  • Prevent file system access via File, URL or URI methods

  • Prevent the usage of @Grab annotations

If other attack points can be found, please raise an issue.

Note: Since this will run in an AWS Lambda, the damage that can be done is limited, but reuse of the Lambda instance can occur, thus the attempted lock-down. See https://aws.amazon.com/blogs/compute/container-reuse-in-lambda/ for information.

Writing and deploying Groovy Code to AWS Lambda was heavily inspired by this article https://medium.com/@benorama/how-to-build-a-microservice-with-aws-lambda-in-groovy-4f7384c3b804#.8y03l29t8 by https://github.com/benorama