3

I am sorry if this is an unclear title because I do not know all the terminology, so please bear with me.

So I am trying to create a controlled environment to run any JavaScript code in a Java application. Note: the code is created by a user, so I have to block/prevent code that is specifically trying to access/modify Java variables that are not supposed to be within reach (preferably by throwing a compile error for user feedback).

Edit 1: By the way I tried to use Rhino and Nashorn.

Here is a simple example.

public class ScriptRunner{
    public Foo foo=new Foo();
    //this is not supposed to be accessed by the script
    public int money=0;

    public Object run(){
        return compiler.compile(STRING START (obtained from a file)

        function main(someObject){
            //this is not allowed
            someObject.money=10000000000000000000000;
            //or this
            var someBlacklistedJavaObject=.....
            someBlacklistedJavaObject.someFunction();

            //but this is allowed
            someObject.foo.name="Bob";
            return someObject.foo.someFunction();
        }

        STRING END).run("main",this);
    }

}

Also, I am not sure if this would be one of the possible solutions, but I can't use the built-in Java security class due to some unreachable code implementing it and not allowing the security object to be set to anything else.

What comes to my mind is that an easy implementation of this would be to create wrapper Java classes in some package, then check if a Java object in the script does not have that path and throw an error. But the problem is that I have no idea how to do that.

Here is a simple visualization of what I am trying to do.

Edit 2: It is desirable to maintain a low Java compatibility profile, but it's not 100% necessary.

2
  • Have you looked at Nashorn? Commented Jul 19, 2016 at 17:21
  • Yes I did. Everything that I tried just gives me an error that the class from Nashorn does not exist or does not have access to. Commented Jul 19, 2016 at 17:24

1 Answer

2

Use a ClassFilter with Nashorn (note: requires Java >= 1.8.0_40)

4 Comments

Thanks! I didn't know that, but one of the desirable traits of my code is that it's compatible with low Java versions. So I would be greatly thankful if anyone points out any other solution. :) But if there is no other way, then I guess this works.
OK, well... Nashorn was only released with Java 8, so if you need to support lower major Java versions you'll have to look at ClassShutter for Rhino - but a quick Google quickly reveals that's not the most robust / secure option.
Thanks. I'll do some research on that.
Yeah you are unfortunately right... well thanks for helping me out.
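
The ClassFilter approach from the answer, as an added example that is not code from the question or the answer. It assumes the Nashorn engine bundled with JDK 8u40 through 14; `SandboxedRunner` and `AllowList` are hypothetical names and `Foo` is a constructed stand-in for the question's class. The filter decides which Java classes a script can look up by name, so the host also hands the script only `Foo` rather than the object that holds `money`.

```java
import java.util.Collections;
import java.util.Set;
import javax.script.Invocable;
import javax.script.ScriptEngine;
import jdk.nashorn.api.scripting.ClassFilter;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class SandboxedRunner {
    // Constructed stand-in for the question's Foo: the only object given to scripts.
    public static class Foo {
        public String name = "";
        public String someFunction() { return "hello " + name; }
    }

    // Allowlist filter: any class name not listed here is hidden from scripts.
    static final class AllowList implements ClassFilter {
        private final Set<String> allowed = Collections.singleton(Foo.class.getName());

        @Override
        public boolean exposeToScripts(String className) {
            return allowed.contains(className);
        }
    }

    public static void main(String[] args) throws Exception {
        // The filter is fixed when the engine is created.
        ScriptEngine engine = new NashornScriptEngineFactory().getScriptEngine(new AllowList());

        // Allowed: the script works only with the Foo instance it receives.
        engine.eval("function main(foo) { foo.name = 'Bob'; return foo.someFunction(); }");
        Object result = ((Invocable) engine).invokeFunction("main", new Foo());
        System.out.println("allowed: " + result);

        // Rejected: looking up a class that the filter does not expose.
        try {
            engine.eval("Java.type('java.lang.System').exit(1);");
            System.out.println("not blocked");
        } catch (Exception e) {
            // Nashorn reports the hidden class as a ClassNotFoundException.
            System.out.println("blocked: " + e);
        }
    }
}
```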
