Opening Nashorn to the Internet
Tal Liron
tal.liron at threecrickets.com
Sat Nov 9 03:06:29 PST 2013
I know of no general purpose programming language that will let you do this.
JavaScript is "safe" in web browser sandboxes in that it can't steal your
data or format your hard-disk, but it definitely can hang/crash the
browser. In a shared server environment, that's of course disastrous.
Basically, if you let users run a for-loop, you're already done for. And
that's just the tip of the iceberg.
There are several safe templating languages out there, however. Note
that not all of them are! I recommend taking a look at StringTemplate,
which is very well thought out, allowing both power and "safety"
specifically for these kinds of use cases.
On 11/09/2013 06:25 PM, Rod Nim wrote:
> Our app lets our end users write JavaScript via a web interface (Cloud 9's ACE) and submit that code back to the server to be executed in Nashorn.
>
> Does anyone have any perspective on dealing with either accidental or malicious issues such as tight loops and excessive memory allocation?
>
> var outOfMemory = '';
> while (true) {
> outOfMemory += outOfMemory;
> }
>
> Basically the question is "how do I safely open Nashorn scripting to anyone", white hat, or black hat?
>
> Thanks for the help!
>
> Rod
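An added example, not part of this thread, illustrating the point above in Java: the best you can do in-process is bound how long the caller waits, not stop the Nashorn thread. The class and method names (NashornWatchdog, evalWithTimeout) are my own; it assumes a JDK that still ships Nashorn (8 through 14).

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.util.concurrent.*;

public class NashornWatchdog {
    // Evaluates untrusted script on a daemon worker thread and stops
    // waiting after timeoutMs. Hypothetical helper written for this example.
    static Object evalWithTimeout(String script, long timeoutMs) throws Exception {
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine == null) {
            throw new IllegalStateException("Nashorn engine not available on this JDK");
        }
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "user-script");
            t.setDaemon(true); // a runaway loop must not keep the JVM alive at shutdown
            return t;
        });
        Future<Object> result = worker.submit(() -> engine.eval(script));
        try {
            return result.get(timeoutMs, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag. A JS `while (true) {}`
            // never checks it, so the worker thread keeps spinning and that CPU
            // core is lost for the life of the process; OutOfMemoryError from
            // unbounded allocation likewise hits the whole JVM, not just this thread.
            result.cancel(true);
            throw new TimeoutException("script exceeded " + timeoutMs
                    + " ms; worker thread is still running");
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(evalWithTimeout("1 + 2", 1000));      // prints 3
        try {
            evalWithTimeout("while (true) {}", 500);             // constructed tight loop
        } catch (TimeoutException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The only boundary that reliably contains CPU and memory abuse is a separate process (or container) per tenant with OS-level limits, which is why the reply above points at restricted templating languages instead.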
More information about the nashorn-dev
mailing list