Final security improvements: sanitize logging and clarify optimization level

Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com>

Author: Copilot

src/main/java/org/casbin/jcasbin/util/ExpressionEvaluator.java

@@ -80,7 +80,9 @@ public static AviatorEvaluatorInstance configureRestrictedEvaluator(AviatorEvalu
         java.util.Set<com.googlecode.aviator.Feature> restrictedFeatures = java.util.Collections.emptySet();
         aviatorEval.setOption(Options.FEATURE_SET, restrictedFeatures);
 
-        // Use optimized mode for better performance
+        // Use EVAL optimization level: This provides compile-once execution for expressions.
+        // EVAL is the most basic optimization level that compiles expressions without
+        // aggressive optimizations, providing a balance between safety and performance.
         aviatorEval.setOption(Options.OPTIMIZE_LEVEL, com.googlecode.aviator.AviatorEvaluator.EVAL);
 
         return aviatorEval;

src/main/java/org/casbin/jcasbin/util/function/EvalFunc.java

@@ -42,7 +42,9 @@ public AviatorObject call(Map<String, Object> env, AviatorObject arg1) {
             ExpressionEvaluator.validateExpression(eval);
         } catch (IllegalArgumentException e) {
             // Log at ERROR level for security violations to ensure visibility
-            Util.logPrintfError("Security violation - invalid eval expression rejected: {}", e.getMessage());
+            // Do not log the full expression to avoid exposing potentially malicious content
+            Util.logPrintfError("Security violation - invalid eval expression rejected. " +
+                "Expression contains non-standard Casbin operations that are not allowed.");
             // Return false to fail safely rather than throwing, which could break policy evaluation
             return AviatorBoolean.valueOf(false);
         }