I'm currently investigating designing a business solution that uses the Drools decision table spreadsheet format (link to JBoss Drools documentation). A business user would own and maintain the rules in the spreadsheet.
One major benefit to using the decision table format is that the rules can be easily modified in the future to accommodate different rule structures.
Drools compiles the spreadsheet-based rule data to a native rule format. An example implementation of the compiler can be seen here.
One concern I will get from my security team is that the rule spreadsheet data is user input and all user input should be validated for correctness to ensure that it does not contain malicious data (see here for the rationale for input validation).
Questions:
- Is there a security risk that a business user could add malicious data to the rule spreadsheet?
- How big/severe is the risk? For example, does the compiler sufficiently validate the user-entered data?
- How can the risk be mitigated? For example, another party visually verifying the rules in the spreadsheet before deploying the rules to a production environment.
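As an added example (not from the question and not Drools' own code), one way to put a review gate in front of the "another party verifies the rules" step: compile the spreadsheet to DRL with Drools' SpreadsheetCompiler so the reviewer sees the rule code that will actually run, reject import statements outside an assumed application model package, and refuse to deploy unless the generated DRL matches a previously approved hash. The package name, file paths and the approved-hash file are assumptions.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.List;
import org.drools.decisiontable.InputType;
import org.drools.decisiontable.SpreadsheetCompiler;

public class DecisionTableGate {
    // Assumption: only the application's own model package may be imported from a rule cell.
    private static final List<String> ALLOWED_IMPORT_PREFIXES = List.of("com.example.model.");

    /** Compile the XLS to DRL so reviewers look at the code that will run, not at cells. */
    static String toDrl(Path xls) throws Exception {
        try (InputStream in = Files.newInputStream(xls)) {
            return new SpreadsheetCompiler().compile(in, InputType.XLS);
        }
    }

    static String sha256(String text) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(text.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    /** Coarse filter: reject DRL whose import statements leave the approved model package. */
    static void checkImports(String drl) {
        for (String line : drl.split("\\R")) {
            String t = line.trim();
            if (!t.startsWith("import ")) continue;
            String cls = t.substring("import ".length()).replace(";", "").trim();
            if (ALLOWED_IMPORT_PREFIXES.stream().noneMatch(cls::startsWith)) {
                throw new IllegalStateException("Disallowed import in decision table: " + cls);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Path xls = Path.of(args[0]);
        String approvedHash = Files.readString(Path.of(args[1])).trim(); // hash of last reviewed DRL
        String drl = toDrl(xls);
        checkImports(drl);
        String hash = sha256(drl);
        if (!hash.equals(approvedHash)) {
            Path out = Path.of("generated-for-review.drl");
            Files.writeString(out, drl);
            throw new IllegalStateException("Generated DRL changed (sha256 " + hash + "); review " + out);
        }
        System.out.println("Decision table matches the approved DRL; clear to deploy.");
    }
}
```

The import check is a filter, not a sandbox: action cells are compiled as Java in the rule consequence and can name classes fully qualified, so the review of the generated DRL (and re-approving its hash) is the actual control.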