API method calling restrictions need to be more configurable #5699

@rbasralian

We need to make some changes to the io.deephaven.server.table.validation.ColumnExpressionValidator:

  1. The class/method whitelists need to be configurable on the server
  2. We need to support package-level whitelisting
  3. If a user is allowed to run executeCode() through the API, then the ColumnExpressionValidator should be skipped for their API calls as well. (Otherwise we're just inconveniencing them without providing any security benefit.) As part of this, we should probably also disable the ability to run executeCode() by default. (So locked-down by default, but easy to add to the whitelist or to open up entirely.)

It should also be possible to have different whitelists/permissions depending on the client (e.g. by user for enterprise), but that's potentially a separate issue.
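
A sketch of the decision order this request implies, as an added example that is not Deephaven's code and not part of the original issue. `MethodCallPolicy` and every field and method in it are hypothetical names, and class names are assumed to be passed as binary names (for example `java.util.Map$Entry`).

```java
import java.util.Set;

// Hypothetical sketch: none of these names are Deephaven classes or settings.
public final class MethodCallPolicy {
    private final Set<String> allowedPackages; // exact package names, e.g. "java.time"
    private final Set<String> allowedClasses;  // fully qualified class names
    private final Set<String> allowedMethods;  // "fully.qualified.Class#method"
    private final boolean executeCodeAllowed;  // stays false unless the operator opts in

    public MethodCallPolicy(Set<String> packages, Set<String> classes,
                            Set<String> methods, boolean executeCodeAllowed) {
        this.allowedPackages = Set.copyOf(packages);
        this.allowedClasses = Set.copyOf(classes);
        this.allowedMethods = Set.copyOf(methods);
        this.executeCodeAllowed = executeCodeAllowed;
    }

    /** Locked-down default: empty whitelists and executeCode() disabled. */
    public static MethodCallPolicy lockedDown() {
        return new MethodCallPolicy(Set.of(), Set.of(), Set.of(), false);
    }

    public boolean mayExecuteCode() {
        return executeCodeAllowed;
    }

    /** Decides whether a column expression may call className.methodName. */
    public boolean permits(String className, String methodName) {
        // A caller who may run executeCode() gains nothing from expression checks.
        if (executeCodeAllowed) return true;
        if (allowedMethods.contains(className + "#" + methodName)) return true;
        if (allowedClasses.contains(className)) return true;
        int lastDot = className.lastIndexOf('.');
        String pkg = lastDot < 0 ? "" : className.substring(0, lastDot);
        // Exact match only: allowing "java.util" does not allow "java.util.concurrent".
        return allowedPackages.contains(pkg);
    }

    public static void main(String[] args) {
        // Constructed sample configuration, one entry per whitelist level.
        MethodCallPolicy p = new MethodCallPolicy(Set.of("java.time"),
                Set.of("java.lang.Math"), Set.of("java.lang.String#length"), false);
        System.out.println("package rule: " + p.permits("java.time.Instant", "now"));
        System.out.println("class rule:   " + p.permits("java.lang.Math", "abs"));
        System.out.println("method rule:  " + p.permits("java.lang.String", "length"));
        System.out.println("not listed:   " + p.permits("java.lang.System", "exit"));
        System.out.println("locked down:  " + lockedDown().permits("java.lang.Math", "abs"));
    }
}
```

Holding one such policy object per client would also cover the per-client whitelists mentioned above.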
