{"id":22061195,"url":"https://github.com/khaleesicodes/matilda","last_synced_at":"2025-10-11T14:31:49.734Z","repository":{"id":265502120,"uuid":"873564134","full_name":"khaleesicodes/Matilda","owner":"khaleesicodes","description":"Lightweight run-time level sandboxing for java","archived":false,"fork":false,"pushed_at":"2025-02-18T18:46:30.000Z","size":577,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-18T22:37:46.551Z","etag":null,"topics":["java","jvm","sandboxing","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/khaleesicodes.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-16T11:32:52.000Z","updated_at":"2025-03-02T15:26:05.000Z","dependencies_parsed_at":"2024-12-16T17:23:48.032Z","dependency_job_id":"330c2e2a-55d1-4f81-a328-e178e89f81e5","html_url":"https://github.com/khaleesicodes/Matilda","commit_stats":null,"previous_names":["khaleesicodes/matilda"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/khaleesicodes/Matilda","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khaleesicodes%2FMatilda","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khaleesicodes%2FMatilda/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khaleesicodes%2FMatilda/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khaleesicodes%2FMatilda/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/khaleesicodes","download_url":"https://codeload.github.com/khaleesicodes/Matilda/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/khaleesicodes%2FMatilda/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279007457,"owners_count":26084313,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","jvm","sandboxing","security-tools"],"created_at":"2024-11-30T18:09:43.684Z","updated_at":"2025-10-11T14:31:49.438Z","avatar_url":"https://github.com/khaleesicodes.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e [!WARNING]\n\u003e Matilda is a prototype. Please report any issues and be mindful when using it in production.\n\n# Matilda\nMatilda provides sandboxing capabilities at runtime for the JVM. It is a lightweight alternative to the soon to be deprecated Java Security Manager. You can granuallary block modules from executing System.exit(), System.exec() and Network connections like Socket.open.\n\n\n## Installation\nMatilda uses the [Class File API](https://docs.oracle.com/en/java/javase/23/vm/class-file-api.html) which is a preview feature in JDK 23, in order to run your application with Matilda you need to enable preview.. To use Matilda download the MatildaAgent.jar and the MatildaBootstrap.jar from the repository.\n\n\n# Usage\nMatilda can be used via the CLI or by configuring the projects build file accordingly. \n\n## CLI Quickstart\nMatilda uses the ClassFile API which is a preview feature in JDK 23, in order to run your application with Matilda you need to enable preview.\n```bash\n--enable-preview\n```\nHook the MatildaAgent into your application\n```bash\n-javaagent:/path/to/matilda-agent-\u003cversion\u003e.jar\n```\n\nAdd the MatildaAcceControl to the bootpath. This is needed due to the class loading hirachy. Classes manipulated by the MatildaAgent reference to the MatildaAccessControl.\n```bash\n-Dmatilda.bootstrap.jar=/path/to/matilda-bootstrap-\u003cversion\u003e.jar\"\n```\nNote that Matilda works with a whitelisting approach. With enabling the MatildaAgent, all calls to the above mentioned methods will be blocked by default.\n\nFor gradle examples refer to the [Log4Shell example](https://github.com/khaleesicodes/Matilda/blob/main/Log4Shell_Test/build.gradle)\n\n\n## Configuration\nMatilda comes with a module-based whitelisting approach, permission can be set per module and are enforced accordingly. If your projects does not use modules consider to change it, it is not only needed to use Matilda but also recommenede by the [Secure Coding Guidelines for Java SE](https://www.oracle.com/java/technologies/javase/seccodeguide.html). If you want to understand what modules are and aren't better read this [Blogpost](https://inside.java/2021/09/10/what-are-modules-about/) by Ron Pressler.\n\nConfiguration can also be done via the CLI or build file following the naming scheme:\n```bash\n-Dmatilda.runtime.exit.allow=module \u003cinsert module name here\u003e\n-Dmatilda.system.exec.allow=module \u003cinsert module name here\u003e\n-Dmatilda.network.connect.allow=module \u003cinsert module name here\u003e\n```\n\n\n# POC Log4Shell\nMatilda is a tool that can be used to to reduce the impact of supply chain attacks by setting granular permissions for each module. As an example a proof of concept for Log4Shell can be found in the [Log4Shell_POC](https://github.com/khaleesicodes/Matilda/tree/main/Log4Shell_Test).\n\nIn order to test just clone this repository and run it with gradle\n\nTo run it with the MatildaAgent use the following gradle command, the build should be successful and return \" Matilda has successfully blocked log4shell\"\n```bash\ngradle run\n```\nTo test the exploitable version run the following gradle command. The build should fail and return \"LogForShell was not blocked by matilda\"\n```bash\ngradle runNoAgent\n```\n\n## Configuration Example - tomcat\nIn order to run apache tomcat with Matilda just export CATALINA_OPTS with the following configuration.\n\n```bash\nexport CATALINA_OPTS=\"--enable-preview -javaagent:./path/matilda-agent-\u003cversion\u003e.jar -Dmatilda.bootstrap.jar=./path/matilda-bootstrap-\u003cversion\u003e.jar\"\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkhaleesicodes%2Fmatilda","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkhaleesicodes%2Fmatilda","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkhaleesicodes%2Fmatilda/lists"}