You're running untrusted code!
Last December, Log4Shell shortened the nights of many people in the JVM world. Worse, to use the earthquake analogy, it caused many aftershocks after the initial quake. I immediately made the connection between Log4Shell and the Security Manager. At first...
frankel.hashnode.dev (7 min read)
I have been thinking about this exact issue for several months now, or really the better part of 2021.
There is a solution to this. It is quite simple actually, but harder to do for languages that involve compiled modules like Java or C# that are downloaded from public package managers.
You have inspired me to write up the solution and how to implement it in PHP (which I have done for years now), but most PHP implementations are wide open to bad actors. And forget about Java and C# code bases. The security hole is 50 miles wide.
The attack of the 50 mile wide open source supply chain!