Skip to main content

Crate camel_language_rhai

Crate camel_language_rhai 

Source
Expand description

camel-language-rhai — Rhai script language for Camel Rust.

Main types: RhaiLanguage, RhaiExpression, RhaiPredicate, RhaiMutatingExpression. Scripts have access to body, headers, header(), set_header(), property(), set_property().

§Resource Limits

Scripts are bounded by configurable limits sourced from [languages.rhai.limits] in Camel.toml. When absent, the rust-camel runtime defaults apply:

LimitDefault
max-operations100,000
max-string-size1 MiB
max-array-size10,000 elements
max-map-size10,000 entries
max-expression-depth64
max-function-expression-depth32
execution-timeout-ms5,000

Every limit is Option<_>; None means “use rust-camel runtime default” (no default-lie per ADR-0011).

§Covered threats

  • Infinite loops (loop {}) — trip max-operations and execution-timeout-ms (whichever fires first).
  • Oversized allocations — strings, arrays, maps each have size caps.
  • Pathological nesting — expression and function-expression depths are bounded.

§Timeout caveat

execution-timeout-ms wraps eval_with_scope in tokio::time::timeout + spawn_blocking. When the timeout fires, the route future resolves to an error, but the blocking thread may continue executing until the script trips max-operations or finishes. This is the same partial-mitigation caveat shared with the Boa engine.

§Sandboxing

Rhai scripts cannot access the host filesystem, network APIs, or Rhai module loading. This sandbox is unconditional — there is no config opt-out.

Two structural layers enforce this:

  1. Compile time — the Rhai no_module cargo feature (see root Cargo.toml) disables module loading across the entire crate graph.
  2. Runtime — engines are built via Engine::new_raw() plus an explicit StandardPackage registration. Unlike Engine::new(), this does not install a FileModuleResolver.

Additionally, eval and import are registered as disabled symbols as defense in depth (no-op safe if symbols are absent). If a future Rhai package were to re-introduce module loading or dynamic evaluation, these symbols would still be blocked to user scripts.

What the sandbox is not:

  • It is not a CPU/memory cap. Those are separate resource limits; see rc-bpx.
  • It does not block timing APIs (sleep, timestamp). Those remain part of StandardPackage; CPU/time-based DoS is covered by rc-bpx resource limits.
  • It is not a side-channel defense (cache timing, memory layout). Out of scope.

If your integration genuinely needs filesystem or network access from a route script, use the explicit Camel components (file:, http:) with their own runtime policies — do not attempt to bypass this sandbox.

§Limitations

  • Resource limits (max operations, string/array/map sizes, expression depths) are enforced as denial-of-service protection, not as a sandbox. They are configurable — see # Resource Limits above.
  • The body variable is always a string. Structured access to JSON/XML bodies requires explicit parsing within the script using Rhai’s built-in map/array types.

Structs§

RhaiLanguage
Rhai scripting language for rust-camel.