Disabling advanced language features #541

Open
kylesull30 opened this issue Mar 25, 2024 · 1 comment

I am evaluating this library for a simple use case of implementing template parameters in a microservice. My use case does not require most of the more advanced language features. For my use case the following are required:

  • Variables
  • Objects
  • Escaping

From a threat modeling standpoint I am concerned about the flexibility allowed by advanced features such as functions, nested conditional expressions, loops, and recursion.

I've reviewed the Safe Runtime, Parser, and Lexer options which allow me to limit the potential threats posed by some of these features but I don't see a way to disable them entirely.

Is there a way to disable some of these features or is work of this type on the backlog?

xoofx (Member) commented Mar 31, 2024

> Is there a way to disable some of these features or is work of this type on the backlog?

No, but you could create your own derived class from ScriptVisitor, visit the AST, and apply/perform your validation.

If you are looking to disable this entirely at parsing time, that would require code changes, but I'm not sure I would accept such changes (because of the niche aspect that might not fit every case and might require too many knobs to make it usable).

@xoofx xoofx added the question label Mar 31, 2024
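
One way to apply the `ScriptVisitor` suggestion above, as an added example that is not code from the issue or from the project. It assumes the library is Scriban, that `ScriptVisitor` exposes one virtual `Visit` overload per node type plus a protected `DefaultVisit`, and that the listed `Scriban.Syntax` node types match the installed version; `RestrictedSyntaxVisitor` and `TemplateGate` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using Scriban;
using Scriban.Syntax;

// Hypothetical validator: walks the parsed AST and records every node
// that belongs to a language feature the service does not need.
public sealed class RestrictedSyntaxVisitor : ScriptVisitor
{
    public List<string> Violations { get; } = new List<string>();

    // Assumed node types; this is a deny-list, so review it against the
    // node types of the library version you ship and extend it as needed.
    public override void Visit(ScriptForStatement node) => Reject(node);
    public override void Visit(ScriptWhileStatement node) => Reject(node);
    public override void Visit(ScriptIfStatement node) => Reject(node);
    public override void Visit(ScriptFunction node) => Reject(node);
    public override void Visit(ScriptFunctionCall node) => Reject(node);
    public override void Visit(ScriptPipeCall node) => Reject(node);

    private void Reject(ScriptNode node)
    {
        Violations.Add($"{node.GetType().Name} at {node.Span}");
        DefaultVisit(node); // keep walking so every violation is reported
    }
}

public static class TemplateGate
{
    // Parse, validate, and only then hand back a template that may be rendered.
    public static Template ParseRestricted(string text)
    {
        var template = Template.Parse(text);
        if (template.HasErrors)
            throw new FormatException(string.Join("; ", template.Messages));

        var visitor = new RestrictedSyntaxVisitor();
        visitor.Visit((ScriptNode)template.Page);
        if (visitor.Violations.Count > 0)
            throw new InvalidOperationException(
                "Template uses disallowed syntax: " +
                string.Join(", ", visitor.Violations));

        return template;
    }
}
```

Because the check runs on the syntax tree before rendering, a rejected template is never evaluated; the runtime limits mentioned in the question still apply to templates that pass.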