Feather2 / documentation / Sandbox.md
The Sandbox
The sandbox has a list of allowed packages/classes. Any attempt to use a class that is not on that list from within a Feather script produces a compile-time error.
For example, the default sandbox doesn't allow use of `File` or `Process`, because a malicious third party could use them to delete files or launch programs. `System` isn't allowed either, because a call to `System.exit` would terminate your application.
This isn't perfect, as it requires quite a bit of vigilance on the part of the host application.
For example, suppose you have a `Document` class that is allowed by the sandbox. If the path to the document can be set via a `String` instead of a `File`, then it would be easy for a malicious actor to delete any file the application can write to (by overwriting it with the contents of an empty `Document`). The sandbox cannot object, because only `String` ever crosses the script boundary.
It is good practice to split your API into interfaces and implementations, and only add the interfaces to the Sandbox's allow list.
The sandbox is enforced at every method call. So, assuming `File` is disallowed, `foo().bar().delete()` would throw a compile-time error if `bar()` returns a `File`. It makes no difference whether `bar()` is part of a Feather script class or an imported, preexisting Java class. It also makes no difference that the type `File` is never named within the Feather script: the type of the intermediate expression is what gets checked.
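The following is an added example, not code from Feather2 itself, showing how the shape of a host API decides whether the allow list protects anything. It puts the `Document` pitfall described above beside the recommended interface/implementation split, and uses the return-type check (`backingFile()` returning `File`) to show what the sandbox does catch. All class and method names here are hypothetical, and nothing below calls a Feather API; it only illustrates what the host application should and should not add to the allow list.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example (hypothetical host API, not Feather's own code). */
public class SandboxApiExample {

    /** UNSAFE: do not allow-list. Only Strings cross the script boundary, so the
     *  sandbox cannot object, yet a script can save an empty document over any
     *  path the host process can write to. */
    public static final class UnsafeDocument {
        private Path path;
        private String text = "";

        public void setPath(String path) { this.path = Path.of(path); } // script-controlled path
        public void setText(String text) { this.text = text; }
        public void save() throws IOException {
            Files.writeString(path, text);   // truncates whatever file was named
        }
    }

    /** SAFE to allow-list: no method accepts a path or a File. The one method that
     *  exposes a File has return type File, so with File disallowed any script
     *  expression such as doc.backingFile().delete() fails to compile. */
    public interface Document {
        String text();
        void setText(String text);
        void save() throws IOException;
        File backingFile();   // unusable from a script while File is off the allow list
    }

    /** Implementation stays OFF the allow list; the host, not the script, picks the File. */
    static final class FileDocument implements Document {
        private final File file;
        private String text;

        FileDocument(File file, String text) { this.file = file; this.text = text; }
        public String text() { return text; }
        public void setText(String text) { this.text = text; }
        public void save() throws IOException { Files.writeString(file.toPath(), text); }
        public File backingFile() { return file; }
    }

    /** Host code: resolves the path itself, confines it to one directory, and hands
     *  the script only the interface type. The containment check is the host's job;
     *  the sandbox does nothing about String arguments. */
    public static Document openForScript(Path allowedDir, String name) throws IOException {
        Path base = allowedDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes " + base);
        }
        String existing = Files.exists(target) ? Files.readString(target) : "";
        return new FileDocument(target.toFile(), existing);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("sandbox-demo");
        Document doc = openForScript(dir, "notes.txt");   // what a script would receive
        doc.setText("hello");
        doc.save();
        System.out.println("wrote " + Files.readString(dir.resolve("notes.txt")));
        try {
            openForScript(dir, "../etc/passwd");          // traversal attempt from a script
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the split is that a script holding a `Document` can read, edit and save, but can neither choose the file nor obtain the `File` (the `backingFile()` call is rejected at compile time, exactly as `foo().bar().delete()` is). `UnsafeDocument` shows the failure mode from the text: nothing in its signatures is disallowed, so allow-listing it silently grants arbitrary-file overwrite.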
Summary
The sandbox doesn't prevent actions; it only limits which classes can be referenced directly from Feather scripts.
If you allow a class which can be used to do 'bad' things (including indirectly, via `String` arguments that name files or commands), then the sandbox offers no protection.