tracyhenry/Kyrix

tile server better error/exception handling

tracyhenry opened this issue · 1 comment

The backend should not completely shut down when an exception occurs during either precomputation or tile requests.

asah commented

Currently, the tile server has to trust the input to the Kyrix compiler. Generally, this is bad juju - security isn't just about hackers but also about protecting against user/admin error and "overly clever" developers.

I'm thinking: queue these issues as a single big GitHub issue? "enhance security so Kyrix compiler scripts don't have to be trusted by the tile server" - it's actually all pretty straightforward, since you chose reasonable infrastructure. While JavaScript and SQL are very "wide" APIs, in fact both were designed with security in mind and both are pretty battle-hardened in practice.

  1. transforms include raw SQL - must limit the types of calls, e.g. no DDL, UPDATE, mutating stored procedures.
  2. transforms include raw SQL - what user is this executed as? How to ensure the SQL doesn't access data it's not supposed to?
  3. transforms include JavaScript functions - must limit the scope of the JS so it can't CRUD data it's not supposed to, including files in the filesystem, open network connections, etc.: https://stackoverflow.com/questions/20793089/secure-nashorn-js-execution
  4. transforms include SQL and JS - must limit execution time, RAM, and other resources.
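Points 3 and 4 of the comment above, as an added example that is not Kyrix code and not the commenter's: a Nashorn engine created with `--no-java` and a deny-everything `ClassFilter`, with the Nashorn-specific globals that touch the process or the file system (`load`, `exit`, `quit`, ...) deleted, and each transform evaluated on a daemon thread under a wall-clock limit. The class name `SandboxedJs` and the sample transforms are constructed for illustration; it assumes a JDK that still ships Nashorn (8 through 14).

```java
import javax.script.Bindings;
import javax.script.ScriptContext;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/**
 * Added example (hypothetical class, not part of Kyrix): evaluate an untrusted
 * transform function under Nashorn with no access to Java classes and with a
 * per-call time limit, so one bad script fails one request instead of the server.
 */
public final class SandboxedJs {

    // Deny every Java class: scripts only see the ECMAScript built-ins.
    private static final ClassFilter DENY_ALL = className -> false;

    private final ScriptEngine engine;

    public SandboxedJs() {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();
        // --no-java removes the Java/Packages globals; the ClassFilter is a second layer
        // in case a script still reaches a Java object through some other path.
        engine = factory.getScriptEngine(
                new String[] {"--no-java"}, SandboxedJs.class.getClassLoader(), DENY_ALL);
        // Nashorn adds non-standard globals that read files or kill the JVM; delete them.
        Bindings global = engine.getBindings(ScriptContext.ENGINE_SCOPE);
        for (String name : new String[] {"load", "loadWithNewGlobal", "exit", "quit",
                                          "print", "echo", "readLine", "readFully"}) {
            global.remove(name);
        }
    }

    /** Evaluate one transform; returns its value or throws the script's own error / a timeout. */
    public Object evalWithTimeout(String script, long timeoutMillis) throws Exception {
        ExecutorService exec = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "js-transform");
            t.setDaemon(true); // a runaway script must never block JVM shutdown
            return t;
        });
        Future<Object> f = exec.submit(() -> engine.eval(script));
        try {
            return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            f.cancel(true);
            throw new TimeoutException("transform exceeded " + timeoutMillis + " ms");
        } catch (ExecutionException e) {
            // Unwrap so the caller logs a ScriptException for this one tile and carries on.
            throw (e.getCause() instanceof Exception) ? (Exception) e.getCause() : e;
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        SandboxedJs js = new SandboxedJs();

        // Constructed, well-behaved transform: pure computation on a row object.
        System.out.println("ok: " + js.evalWithTimeout(
                "var row = {x: 3, y: 4}; Math.sqrt(row.x * row.x + row.y * row.y)", 1000));

        // Constructed escape attempts: each fails with a ReferenceError inside the script.
        for (String attack : new String[] {
                "Java.type('java.io.File')", "load('/etc/passwd')", "exit(1)"}) {
            try {
                js.evalWithTimeout(attack, 1000);
                System.out.println("NOT blocked: " + attack);
            } catch (ScriptException e) {
                System.out.println("blocked: " + attack + " -> " + e.getMessage());
            }
        }

        // Constructed runaway loop: the request fails fast with a TimeoutException.
        try {
            js.evalWithTimeout("while (true) {}", 200);
        } catch (TimeoutException e) {
            System.out.println("timed out: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner will hit. First, `Future.cancel(true)` only interrupts the thread; Nashorn does not poll the interrupt flag inside a tight loop, so the abandoned daemon thread keeps burning a core until the JVM exits. A hard CPU and RAM ceiling (point 4) therefore has to come from outside the JVM, for example by running transforms in a separate process or container with resource limits, with the in-JVM timeout serving only to fail the request promptly. Second, if you create fresh bindings per request with `engine.createBindings()` to keep transforms from sharing state, the deleted globals come back in the new global object and must be stripped again there. Points 1 and 2 are not addressed by this block at all: the usual answer is to run transform SQL through a dedicated database role that holds only SELECT on the tables the transform is allowed to read, which stops DDL and UPDATE at the database rather than by parsing the query string.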