I am using javax.scripting to add support for running arbitrary user-uploaded JavaScripts on the server-side. Obviously I want to secure those scripts!
Rhino, on its own, has a framework for securing scripts at runtime. The documentation for javax.scripting, however, doesn't mention security, permissions or restricting classes available to the script. So is this just a huge hole in the javax.scripting API that it doesn't offer a framework to secure scripts it executes?
I don't want to use Rhino directly because I originally tried that but had some problems exposing Java instances to the running script. The javax.scripting framework (which uses Rhino under the hood) made this trivial and also simplified running scripts in a multi-threaded server.
I would like to white-list Java classes that can be accessed/instantiated within the running script. Can anyone point me to an example or documentation on how to achieve this?
FYI, this is now possible in the new Java 8 implementation of javax.scripting which uses a new engine called Nashorn. See Secure Nashorn JS Execution
http://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/ describes a way to sandbox rhino, and javax.scripting uses Rhino as the JS script engine so you should be able to use the above, though the package names might differ.
It turns out that javax.scripting does not offer a security framework. After some searching I found a document in Google's cache that suggested trying to use Java's doPrivilegedAction framework but after some experimentation, I was unable to get this to prevent the scripts from opening sockets or accessing the filesystem.
After I asked this question I discovered it was previously asked here on StackOverflow: How can you run Javascript using Rhino for Java in a sandbox? On that page, it falsely indicates that the Rhino included in the JDK6 has security worked out already. As I indicated, I was able to open sockets and other harmful actions from the script.
In the end I abandoned javax.scripting and embedded Rhino directly. By building a custom ContextFactory that is also a ClassShutter I was able to achieve two results easily: java.lang.* and a select few classes in my server's hierarchy.
CodeUtopia (which I can't link to because, as a new user, I'm not allowed to link to multiple pages in a single post; but it's linked in the other StackOverflow post) was valuable in describing the ClassShutter architecture and Rhino's own ContextFactory API page describes how to build a custom ContextFactory.
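The custom ContextFactory/ClassShutter combination the answer above describes, written out as an added example (it is not the poster's code); the server class name in the allow-list and the SandboxContextFactory name are assumptions, and the java.lang deny-list is the check a practitioner would want, since an unrestricted java.lang.* leaves process, thread, class-loading and reflection entry points visible.

```java
import java.util.Set;

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.Scriptable;

// Added example (hypothetical names): a ContextFactory that is also a ClassShutter,
// so every Context it hands out only lets scripts see java.lang.* plus an explicit
// allow-list of the server's own classes.
public class SandboxContextFactory extends ContextFactory implements ClassShutter {

    // Hypothetical server classes a script is allowed to reference.
    private static final Set<String> ALLOWED = Set.of("com.example.scripting.ScriptApi");

    // java.lang members that would let a script reach processes, threads, class
    // loading or reflection and so step outside the shutter.
    private static final Set<String> DENIED_LANG = Set.of(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.Thread",
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.System");

    @Override
    public boolean visibleToScripts(String fullClassName) {
        if (ALLOWED.contains(fullClassName)) {
            return true;
        }
        if (fullClassName.startsWith("java.lang.")) {
            return !DENIED_LANG.contains(fullClassName)
                    && !fullClassName.startsWith("java.lang.reflect.");
        }
        return false; // java.io, java.net, java.nio, ... stay invisible to scripts
    }

    @Override
    protected Context makeContext() {
        Context cx = super.makeContext();
        cx.setClassShutter(this); // installed before any script can run in this Context
        return cx;
    }

    // Evaluate user-supplied source in a fresh scope created through this factory.
    public Object evaluate(String source, String scriptName) {
        return call(cx -> {
            Scriptable scope = cx.initStandardObjects();
            return cx.evaluateString(scope, source, scriptName, 1, null);
        });
    }
}
```

The shutter only governs which Java classes a script can see; it does not bound CPU or memory, so a runaway script still needs a limit such as Rhino's setInstructionObserverThreshold/observeInstructionCount hook on the same factory.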