Running JS code on a server
Sundararajan Athijegannathan
sundararajan.athijegannathan at oracle.com
Tue May 2 05:29:40 UTC 2017
I don't think you need to worry about "exit". If you run your server
with SecurityManager, then any 'eval'ed script calling "exit" will get a
SecurityException. Also any sensitive java method call from script (say
Runtime.loadLibrary or file system access) or sensitive java class
access (like accessing sun.misc.Unsafe, for example) will be security checked
as well.
See also:
https://wiki.openjdk.java.net/display/Nashorn/Nashorn+script+security+permissions
Resource constraints (too much memory) are never part of Java security,
i.e., you can write a simple Java (sandboxed) program that allocates
"too much" memory or creates too many threads and so on. Security checks
don't attempt to limit those anyway! So, script evaluation does not
create any additional issue that didn't exist for Java code!
Implementing resource constraints is very hard.
You can use ClassFilter
(https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/ClassFilter.html)
to avoid access to the java.lang.Thread class to avoid the script creating
threads - but then the script can call the Executor framework to indirectly
create threads! You may have to prevent access to many Java classes from
the script! You can also create the nashorn engine with the --no-java option - which
will avoid access to *any* Java class/package from the script! You have to
use NashornScriptEngineFactory
(https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/jdk/nashorn/api/scripting/NashornScriptEngineFactory.html)
directly to pass options or a ClassFilter to the engine created.
Last but not least: If you run your server *without* security manager
and try to "manually" contain the script by removing "exit" etc, I'm
afraid that won't work. Because with Java calls the script can access many
things! It is difficult - if not impossible - to find & cover all cases.
-Sundar
On 01/05/17, 6:25 PM, Jim Laskey (Oracle) wrote:
> From: Eliezer Julian <Eliezer.Julian at sapiens.com>
> Subject: Running JS code on a server
> Date: May 1, 2017 at 6:28:05 AM ADT
> To: "nashorn-dev at openjdk.java.net" <nashorn-dev at openjdk.java.net>
> Cc: Elior Apelbaum <Elior.Apelbaum at sapiens.com>, Moshe Robinov <Moshe.Robinov at sapiens.com>, Chen Malka <chen.malka at sapiens.com>
>
>
> Hi,
>
> I am developing a server side application and would like to add a feature that allows a user to submit JS code to be executed via Nashorn. My concern is that a user may submit malicious code that may compromise the server. I have already limited the script’s access to the bare minimum of Java classes, and have implemented a mechanism to kill the script if execution time runs over a certain limit. I have also manually removed many of the special methods such as print, echo, exit and quit from the Bindings object. However, this is extremely limited in scope compared to the damage a willfully malicious user may be able to effect via this feature (such as allocating too much memory, trying to access the file system via the script, etc.). I was wondering if the Nashorn development team had any recommendations as far as security is concerned, and whether there are any plans to add additional security features in the future.
>
> Thanks,
>
> Eli Julian
> Software Developer
> Decision Division
>
> Email: eliezer.julian at sapiens.com
> Office: +972-3-7902155
> Mobile: +972-50-3697238
> Skype handle: eli_julian
> Visit us at: www.sapiens.com
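The two engine-creation options Sundar describes (an allowlist ClassFilter, and the --no-java option, both passed through NashornScriptEngineFactory rather than ScriptEngineManager) as an added, runnable example; this is not code from the thread or from the Nashorn project. It assumes JDK 8 with the jdk.nashorn.api.scripting package on the class path, and the class name NashornSandboxDemo and the one-entry allowlist (java.lang.Math) are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.script.ScriptEngine;
import javax.script.ScriptException;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

/**
 * Locking down a Nashorn engine the way the reply suggests:
 * (1) an allowlist ClassFilter, (2) the --no-java option.
 * Both need NashornScriptEngineFactory; ScriptEngineManager cannot pass them.
 */
public class NashornSandboxDemo {

    /** Deny-by-default filter: only class names in ALLOWED are visible to scripts. */
    static final class AllowListFilter implements ClassFilter {
        // Constructed allowlist for this demo; a real one names exactly what scripts need.
        private static final Set<String> ALLOWED =
                new HashSet<>(Arrays.asList("java.lang.Math"));

        @Override
        public boolean exposeToScripts(String className) {
            // An allowlist avoids the gap the reply points out: a denylist that blocks
            // java.lang.Thread still leaves java.util.concurrent.Executors (and many
            // other routes) open. Unlisted names are simply not resolvable from script.
            return ALLOWED.contains(className);
        }
    }

    /** Runs a script and reports either its value or why it was refused. */
    static String tryEval(ScriptEngine engine, String script) {
        try {
            return "OK: " + engine.eval(script);
        } catch (ScriptException e) {
            // ClassFilter rejections (ClassNotFoundException) and the ReferenceError
            // raised for the missing 'Java' global under --no-java both land here.
            return "BLOCKED: " + e.getMessage();
        } catch (RuntimeException e) {
            // Nashorn lets unchecked Java exceptions from script propagate as-is.
            return "BLOCKED: " + e;
        }
    }

    public static void main(String[] args) {
        NashornScriptEngineFactory factory = new NashornScriptEngineFactory();

        // 1. Allowlist filter: java.lang.Math resolves, everything else does not,
        //    whether reached via Java.type(...) or the java.* package globals.
        ScriptEngine filtered = factory.getScriptEngine(new AllowListFilter());
        System.out.println(tryEval(filtered, "Java.type('java.lang.Math').abs(-3)"));
        System.out.println(tryEval(filtered, "Java.type('java.lang.Thread')"));
        System.out.println(tryEval(filtered,
                "java.util.concurrent.Executors.newSingleThreadExecutor()"));

        // 2. --no-java: the Java, java/javax and Packages globals are not defined at
        //    all, so only pure JavaScript runs.
        ScriptEngine noJava = factory.getScriptEngine(new String[] {"--no-java"});
        System.out.println(tryEval(noJava,
                "[1,2,3].map(function(x){ return x*x; }).join(',')"));
        System.out.println(tryEval(noJava, "Java.type('java.lang.Thread')"));

        // Neither option bounds memory, CPU or wall time. As the reply notes, those
        // are outside Java's security model and must be enforced separately; 'exit',
        // file-system and native-library access are covered by running the server
        // under a SecurityManager, not by deleting names from the Bindings.
    }
}
```

Compile and run with a JDK 8 `javac`/`java` (Nashorn ships with JDK 8 through 14); the first and fourth scripts print OK, the others print BLOCKED with the engine's own message. The allowlist is the important design choice: filtering by exact class name with a default of false means a new JDK class or an overlooked indirection cannot widen what a script can reach.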
More information about the nashorn-dev
mailing list