Class DefaultSandbox

java.lang.Object
cloud.opencode.base.expression.sandbox.DefaultSandbox
All Implemented Interfaces:
Sandbox

public class DefaultSandbox extends Object implements Sandbox
Default Security Sandbox

Provides configurable security constraints for expression evaluation.

Features:

  • Class-level and package-level allow/deny lists
  • Method-level allow/deny lists
  • Configurable expression length, evaluation depth, and time limits
  • Preset configurations: permissive, restrictive, standard
  • Builder pattern for custom configurations

Usage Examples:

// Use standard sandbox
Sandbox sandbox = DefaultSandbox.standard();

// Custom sandbox
Sandbox custom = DefaultSandbox.builder()
    .allowAllByDefault(true)
    .addDeniedClass("java.lang.Runtime")
    .addDeniedMethod("exec")
    .maxEvaluationTime(3000)
    .build();

Security:

  • Thread-safe: Yes, immutable after construction with defensive copies
  • Null-safe: Yes, a null class, method or property returns false
  • Deny takes priority over allow
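
A startup self-check for the custom configuration shown under Usage Examples, written against the methods listed on this page. It is an added example, not code from the opencode-base-expression project. The class name SandboxPolicyCheck and the import of Sandbox from the same package as DefaultSandbox are assumptions; the expected results follow this page's statements that deny takes priority over allow, that null inputs return false, and that -1 means unlimited.

```java
import cloud.opencode.base.expression.sandbox.DefaultSandbox;
import cloud.opencode.base.expression.sandbox.Sandbox; // assumption: same package as DefaultSandbox
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, not part of the library.
public class SandboxPolicyCheck {

    /** Returns one finding per expectation the sandbox fails to meet; empty means the policy holds. */
    static List<String> audit(Sandbox sb) throws NoSuchMethodException {
        List<String> findings = new ArrayList<>();
        Method exec = Runtime.class.getMethod("exec", String.class);

        // Deny takes priority over allow, so allowAllByDefault(true) must not re-admit these.
        if (sb.isClassAllowed(Runtime.class)) findings.add("java.lang.Runtime is allowed");
        if (sb.isMethodAllowed(Runtime.getRuntime(), exec)) findings.add("exec is allowed");

        // Null-safe: a null class, method or property must return false.
        if (sb.isClassAllowed(null)) findings.add("null class is allowed");
        if (sb.isMethodAllowed("target", null)) findings.add("null method is allowed");
        if (sb.isPropertyAllowed("target", null)) findings.add("null property is allowed");

        // -1 means unlimited; flag every resource limit that is left unbounded.
        if (sb.getMaxExpressionLength() == -1) findings.add("expression length is unlimited");
        if (sb.getMaxEvaluationDepth() == -1) findings.add("evaluation depth is unlimited");
        if (sb.getMaxEvaluationTime() == -1) findings.add("evaluation time is unlimited");
        return findings;
    }

    public static void main(String[] args) throws NoSuchMethodException {
        // The custom configuration from the usage example on this page.
        Sandbox custom = DefaultSandbox.builder()
            .allowAllByDefault(true)
            .addDeniedClass("java.lang.Runtime")
            .addDeniedMethod("exec")
            .maxEvaluationTime(3000)
            .build();

        List<String> findings = audit(custom);
        findings.forEach(f -> System.err.println("sandbox policy: " + f));
        if (!findings.isEmpty()) {
            throw new IllegalStateException(findings.size() + " sandbox policy finding(s)");
        }
    }
}
```

This page does not state the builder's defaults for expression length and evaluation depth, so the check may report them as unlimited for this configuration.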
Since:
JDK 25, opencode-base-expression V1.0.0
Author:
Leon Soo www.LeonSoo.com
  • Method Details

    • permissive

      public static DefaultSandbox permissive()
      Create a permissive sandbox that allows everything
      Returns:
      the permissive sandbox
    • restrictive

      public static DefaultSandbox restrictive()
      Create a restrictive sandbox that denies by default
      Returns:
      the restrictive sandbox
    • standard

      public static DefaultSandbox standard()
      Create a standard sandbox with sensible defaults
      Returns:
      the standard sandbox
    • isClassAllowed

      public boolean isClassAllowed(Class<?> clazz)
      Description copied from interface: Sandbox
      Check if a class is allowed
      Specified by:
      isClassAllowed in interface Sandbox
      Parameters:
      clazz - the class
      Returns:
      true if allowed
    • isMethodAllowed

      public boolean isMethodAllowed(Object target, Method method)
      Description copied from interface: Sandbox
      Check if a method call is allowed
      Specified by:
      isMethodAllowed in interface Sandbox
      Parameters:
      target - the target object
      method - the method
      Returns:
      true if allowed
    • isPropertyAllowed

      public boolean isPropertyAllowed(Object target, String property)
      Description copied from interface: Sandbox
      Check if a property access is allowed
      Specified by:
      isPropertyAllowed in interface Sandbox
      Parameters:
      target - the target object
      property - the property name
      Returns:
      true if allowed
    • getMaxExpressionLength

      public int getMaxExpressionLength()
      Description copied from interface: Sandbox
      Get the maximum expression length
      Specified by:
      getMaxExpressionLength in interface Sandbox
      Returns:
      the max length, -1 for unlimited
    • getMaxEvaluationDepth

      public int getMaxEvaluationDepth()
      Description copied from interface: Sandbox
      Get the maximum evaluation depth
      Specified by:
      getMaxEvaluationDepth in interface Sandbox
      Returns:
      the max depth, -1 for unlimited
    • getMaxEvaluationTime

      public long getMaxEvaluationTime()
      Description copied from interface: Sandbox
      Get the maximum evaluation time in milliseconds
      Specified by:
      getMaxEvaluationTime in interface Sandbox
      Returns:
      the max time, -1 for unlimited
    • builder

      public static DefaultSandbox.Builder builder()
      Create a builder
      Returns:
      the builder