add maxLoopIterationNumber #672

Closed

freshchen
Contributor

Prevent malicious templates from draining CPU resources

Member

ebussieres commented Mar 4, 2024

I don't think we should add this kind of property in the core engine. Why do you need this?

It's the developer's responsibility to protect template access.

If your templates are shipped with your application code by your developers, your developers can't do more harm this way than what they can already do with malicious code in their Java code.

Contributor Author

freshchen commented Mar 4, 2024

Our scenario is an LLM agent. To make it more convenient for everyone, we try to combine business and LLM capabilities. We provide SaaS services.

Users do simple processing of a registered API tool's results through the template engine, so the template content is provided by the customer's developers or independent software developers.

We don’t want their templates to seriously affect the stability of our SaaS service, and we don’t want to introduce complex architectures like FaaS for simple operations.

ebussieres closed this Mar 4, 2024

ebussieres
Member

If you don't control your templates, you're gonna be at risk. Please read this: #625

freshchen
Contributor Author

Thanks for notifying me of this very useful issue.

In addition, can we refer to the Groovy sandbox on the basis of MethodAccessValidator to conduct security risk control on the entire execution process of the template?

Personally, I prefer the implementation of whitelisting.
