Bug #5481
closedcreate subclassed R actor that doesn't allow arbitrary scripts to be run
0%
Description
Create a new version of the R actor that doesn't allow arbitrary code to be run. If we decide to use the R survivorship package, we'll need this.
Updated by Matt Jones over 13 years ago
Note that all this probably needs to be is a subclass of the existing R actor that sets the R code to be run as a constant rather than from a moml property. So from an implementation perspective, there is probably little to be implemented that is new here. This will also allow the actor to take advantage of improvements in the base R actor as those are made.
Updated by Derik Barseghian about 12 years ago
The SP actors that I created that subclass R dynamically compose and set their R script during fire(), with no R code contained in moml, so this injection concern was avoided. So users could change the actor's expression parameter using the SP Settings page, but this would have no effect / get discarded when the pipe was run. In the recent past I added support for hiding parameters from SP users, and hid all params we don't want exposed so they can't even do that anymore.