Running JS code on a server

G W grwongku at gmail.com
Mon May 1 15:18:02 UTC 2017


Eli,
Have you tried implementing jdk.nashorn.api.scripting.ClassFilter to limit
Class access? Also, for resource access, you need to create wrappers,
e.g. for File access:
// Script-facing File wrapper: every operation is delegated to the Java-side
// SprnklFile class together with the current request object.
// (jsrequestobj is assumed to be bound into the script scope by the host.)
function File(f){
  this.file = f;
  this.delete = function(){
    org.sprnkl.server.js.SprnklFile.delete(jsrequestobj,this.file);
    return this;
  }
  this.create = function(dr){
    org.sprnkl.server.js.SprnklFile.create(jsrequestobj,this.file);
    return this;
  }
  this.read = function(){
    return org.sprnkl.server.js.SprnklFile.read(jsrequestobj,this.file);
  }
  this.exists = function(){
    return org.sprnkl.server.js.SprnklFile.exists(jsrequestobj,this.file);
  }
  this.length = function(){
    // Expression kept on the same line as "return": a line break here
    // would make the function return undefined.
    return Math.round(org.sprnkl.server.js.SprnklFile.length(jsrequestobj,this.file));
  }
  this.list = function(){
    return org.sprnkl.server.js.SprnklFile.list(jsrequestobj,this.file);
  }
  this.isDirectory = function(){
    return org.sprnkl.server.js.SprnklFile.isDirectory(jsrequestobj,this.file);
  }
  this.readString = function(){
    // Copy the returned byte array into a JS array, then build a string.
    var rb = this.read();
    var rb2 = [];
    for (var ct = 0;ct < rb.length;ct++){
      rb2.push(rb[ct]);
    }
    return String.fromCharCode.apply(String, rb2);
  }
  this.write = function(b,dr){
    if (dr == undefined) dr = true;
    org.sprnkl.server.js.SprnklFile.write(jsrequestobj,this.file,b,dr);
    return this;
  }
  this.writeString = function(s,dr){
    return this.write(s.getBytes(),dr);
  }
}

I have a Framework that is a work in process. Would be happy to share the
code if interested.
Regards

On Mon, May 1, 2017 at 8:55 AM, Jim Laskey (Oracle) <james.laskey at oracle.com> wrote:

> From: Eliezer Julian <Eliezer.Julian at sapiens.com>
> Subject: Running JS code on a server
> Date: May 1, 2017 at 6:28:05 AM ADT
> To: "nashorn-dev at openjdk.java.net" <nashorn-dev at openjdk.java.net>
> Cc: Elior Apelbaum <Elior.Apelbaum at sapiens.com>, Moshe Robinov
> <Moshe.Robinov at sapiens.com>, Chen Malka <chen.malka at sapiens.com>
>
>
> Hi,
>
> I am developing a server side application and would like to add a feature
> that allows a user to submit JS code to be executed via Nashorn. My concern
> is that a user may submit malicious code that may compromise the server. I
> have already limited the script’s access to the bare minimum of Java
> classes, and have implemented a mechanism to kill the script if execution
> time runs over a certain limit. I have also manually removed many of the
> special methods such as print, echo, exit and quit from the Bindings
> object. However, this is extremely limited in scope compared to the damage
> a willfully malicious user may be able to effect via this feature (such as
> allocating too much memory, trying to access the file system via the script,
> etc.). I was wondering if the Nashorn development team had any
> recommendations as far as security is concerned, and whether there are any
> plans to add additional security features in the future.
>
> Thanks,
>
> Eli Julian
> Software Developer
> Decision Division
>
> Email: eliezer.julian at sapiens.com
> Office: +972-3-7902155
> Mobile: +972-50-3697238
> Skype handle: eli_julian
> Visit us at: www.sapiens.com
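
The two layers suggested in the reply above (a ClassFilter, plus a Java-side wrapper that enforces the resource policy), as an added example that is not code from this thread or from the Nashorn project. SandboxDemo, SafeFiles and the temporary directory are hypothetical; SafeFiles stands in for the SprnklFile class named in the reply, whose source is not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class SandboxDemo {
    // Hypothetical Java-side facade (stand-in for the thread's SprnklFile):
    // every name is resolved against a per-user root and checked before use.
    public static final class SafeFiles {
        private final Path root;
        public SafeFiles(Path root) throws IOException { this.root = root.toRealPath(); }

        private Path confine(String name) {
            Path p = root.resolve(name).normalize();
            if (!p.startsWith(root)) throw new SecurityException("outside sandbox: " + name);
            return p;
        }
        public boolean exists(String name) { return Files.exists(confine(name)); }
        public String readString(String name) throws IOException {
            return new String(Files.readAllBytes(confine(name)), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Deny-all filter: scripts cannot look up any Java class by name.
        ClassFilter denyAll = className -> false;
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(denyAll);

        Path root = Files.createTempDirectory("sandbox");        // constructed sample data
        Files.write(root.resolve("hello.txt"), "hi".getBytes(StandardCharsets.UTF_8));
        engine.put("files", new SafeFiles(root));                // the only capability handed in

        System.out.println(engine.eval("files.readString('hello.txt')"));  // allowed
        for (String script : new String[] {
                "Java.type('java.io.File')",                     // rejected by the ClassFilter
                "files.readString('../../etc/passwd')" }) {      // rejected by confine()
            try {
                engine.eval(script);
                System.out.println("NOT BLOCKED: " + script);
            } catch (ScriptException | RuntimeException e) {
                System.out.println("blocked: " + script + " -> " + e);
            }
        }
    }
}
```

normalize() does not resolve symbolic links, so a production facade would also compare the toRealPath() of an existing target against the root.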