Ability to restrict built in functions and operators
njdoyle opened this issue · 3 comments
I would like to build expressions with fewer functions and operators than are provided by the builtins. I would like the option to build expressions where I select (whitelist) my own base set of functions and operators instead of being forced to have the builtins available to all expressions.
Just the other day I was thinking about adding such a possibility while working on a similar library. After some thinking I was unable to come up with a use-case which would actually require that the default functions are not available (overwritten/replaced, yes, gone, no). So I'm very curious as to what you're doing and why you require that?
The use case revolves around limiting what's possible with user provided expressions. Some of these builtin functions are slow and are unnecessary for the use case. Slow functions can contribute to DoS attacks. Removing these builtin functions combined with other user input validation/sanitization helps reduce the attack surface. Removing unnecessary functions also helps prevent users from shooting themselves in the foot doing unnecessarily complicated math.
I haven't been looking at it from this angle, very interesting and quite good fuel for thought, thank you.