Question

I'm currently investigating designing a business solution that uses the Drools decision table spreadsheet format (link to JBoss Drools documentation). A business user would own and maintain the rules in the spreadsheet.

One major benefit to using the decision table format is that the rules can be easily modified in the future to accommodate different rule structures.

Drools compiles the spreadsheet-based rule data to a native rule format. An example implementation of the compiler can be seen here.

One concern I will get from my security team is that the rule spreadsheet data is user input and all user input should be validated for correctness to ensure that it does not contain malicious data (see here for the rationale for input validation).

Questions:

  1. Is there a security risk that a business user could add malicious data to the rule spreadsheet?
  2. How big/severe is the risk? For example, does the compiler sufficiently validate the user-entered data?
  3. How can the risk be mitigated? For example, another party visually verifying the rules in the spreadsheet before deploying the rules to a production environment.

Solution

Since rules can contain Java code, the security risk is actually greater than malicious data. A user can easily insert Java code of his choice to access your system.

You can use Drools Verifier and write your own rules but it will not be possible to eliminate every risk.

Using a third party to verify the rules might work, but the person who will do the verifying will need to be a programmer to correctly assess the risk; this will counteract the advantages of using spreadsheets in the first place.

In my opinion, spreadsheets are overrated:

  • There is the inherent security risk you mentioned
  • It is very easy for a non-technical person to modify rule action parts and have a broken XLS file
  • Defining and using lookup tables is a pain.

I would recommend that, once your project becomes stable, you ditch the spreadsheets and implement your own user interfaces for decision tables, or embed Guvnor into your web application if you use one.
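Added example, not part of the original answer and not Drools code: a pre-compile gate that narrows the exposure described above by pinning the developer-owned rows (column types, object types, code snippets) to an approved SHA-256 digest and allow-listing what business users may type into data cells. The class name, the allow-list pattern and the sample rows are assumptions; the cell values are taken as already extracted from the spreadsheet, and Java 17 is assumed for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.Pattern;
// Added example (hypothetical class, not Drools code): pre-compile gate for a decision table.
public class DecisionTableGate {
    // Assumed policy: a data cell holds only a number, a boolean, or a short plain word list.
    private static final Pattern SAFE_CELL =
        Pattern.compile("-?\\d+(\\.\\d+)?|true|false|[A-Za-z][A-Za-z0-9_ ]{0,39}");

    // Digest over the developer-owned rows, with separators so cells cannot be shifted.
    static String templateDigest(List<List<String>> templateRows) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (List<String> row : templateRows) {
            for (String cell : row) {
                md.update(cell.getBytes(StandardCharsets.UTF_8));
                md.update((byte) 0); // cell separator
            }
            md.update((byte) 1);     // row separator
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Returns findings; an empty list means the sheet may go on to the compiler.
    static List<String> check(List<List<String>> templateRows, List<List<String>> dataRows,
                              String approvedDigest) throws Exception {
        List<String> findings = new ArrayList<>();
        if (!templateDigest(templateRows).equals(approvedDigest))
            findings.add("template rows differ from the approved version");
        for (int r = 0; r < dataRows.size(); r++)
            for (int c = 0; c < dataRows.get(r).size(); c++) {
                String cell = dataRows.get(r).get(c).trim();
                if (!cell.isEmpty() && !SAFE_CELL.matcher(cell).matches())
                    findings.add("data row " + r + ", column " + c + ": value not on allow-list");
            }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: one CONDITION column and one ACTION column.
        List<List<String>> template = List.of(
            List.of("CONDITION", "ACTION"),
            List.of("Applicant", ""),
            List.of("age >= $param", "result.setRate($param);"));
        String approved = templateDigest(template); // recorded when developers sign off
        List<List<String>> data = List.of(
            List.of("18", "4.5"),
            List.of("65", "3); someOtherCall(")); // constructed value that is code, not data
        check(template, data, approved).forEach(System.out::println);
    }
}
```

Everything outside the data rows, including the RuleSet header block with its Import, Functions and Variables entries, belongs in the digested rows. The allow-list has to be widened deliberately for each value type the table really needs.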

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow