Expand description
camel-language-rhai — Rhai script language for Camel Rust.
Main types: RhaiLanguage, RhaiExpression, RhaiPredicate, RhaiMutatingExpression.
Scripts have access to body, headers, header(), set_header(), property(), set_property().
§Resource Limits
Scripts are bounded by configurable limits sourced from [languages.rhai.limits]
in Camel.toml. When absent, the rust-camel runtime defaults apply:
| Limit | Default |
|---|---|
max-operations | 100,000 |
max-string-size | 1 MiB |
max-array-size | 10,000 elements |
max-map-size | 10,000 entries |
max-expression-depth | 64 |
max-function-expression-depth | 32 |
execution-timeout-ms | 5,000 |
Every limit is Option<_>; None means “use rust-camel runtime default” (no
default-lie per ADR-0011).
§Covered threats
- Infinite loops (
loop {}) — tripmax-operationsandexecution-timeout-ms(whichever fires first). - Oversized allocations — strings, arrays, maps each have size caps.
- Pathological nesting — expression and function-expression depths are bounded.
§Timeout caveat
execution-timeout-ms wraps eval_with_scope in tokio::time::timeout +
spawn_blocking. When the timeout fires, the route future resolves to an
error, but the blocking thread may continue executing until the script
trips max-operations or finishes. This is the same partial-mitigation
caveat shared with the Boa engine.
§Sandboxing
Rhai scripts cannot access the host filesystem, network APIs, or Rhai module loading. This sandbox is unconditional — there is no config opt-out.
Two structural layers enforce this:
- Compile time — the Rhai
no_modulecargo feature (see rootCargo.toml) disables module loading across the entire crate graph. - Runtime — engines are built via
Engine::new_raw()plus an explicitStandardPackageregistration. UnlikeEngine::new(), this does not install aFileModuleResolver.
Additionally, eval and import are registered as disabled symbols as
defense in depth (no-op safe if symbols are absent). If a future Rhai
package were to re-introduce module loading or dynamic evaluation, these
symbols would still be blocked to user scripts.
What the sandbox is not:
- It is not a CPU/memory cap. Those are separate resource limits; see rc-bpx.
- It does not block timing APIs (
sleep,timestamp). Those remain part ofStandardPackage; CPU/time-based DoS is covered by rc-bpx resource limits. - It is not a side-channel defense (cache timing, memory layout). Out of scope.
If your integration genuinely needs filesystem or network access from a
route script, use the explicit Camel components (file:, http:) with
their own runtime policies — do not attempt to bypass this sandbox.
§Limitations
- Resource limits (max operations, string/array/map sizes, expression depths) are enforced as denial-of-service protection, not as a sandbox. They are configurable — see # Resource Limits above.
- The
bodyvariable is always a string. Structured access to JSON/XML bodies requires explicit parsing within the script using Rhai’s built-in map/array types.
Structs§
- Rhai
Language - Rhai scripting language for rust-camel.