I am using javax.scripting
to add support for running arbitrary user-uploaded JavaScripts on the server-side. Obviously I want to secure those scripts!
Rhi
http://codeutopia.net/blog/2009/01/02/sandboxing-rhino-in-java/ describes a way to sandbox rhino, and javax.scripting uses Rhino as the JS script engine so you should be able to use the above, though the package names might differ.
I’ve been working on a Java app which needed Rhino for scripting. The app would need to run untrusted JavaScript code from 3rd parties, so I had to find a way to block access to all Java methods, except the ones I wanted. This would not be a problem if there was an easy way to disable LiveConnect - the feature of Rhino which provides java access to scripts - but there is no such thing.
However, after a lot of digging around, I finally found a way to do this without too much hacking. In fact, it can be done by just extending a few of the Rhino classes, and using the setters provided to override some of the default ones.
FYI, this is now possible in the new Java 8 implementation of javax.scripting which uses a new engine called Nashorn. See Secure Nashorn JS Execution
It turns out that javax.scripting
does not offer a security framework. After some searching I found a document in Google's cache that suggested trying to use Java's doPrivilegedAction
framework but after some experimentation, I was unable to get this to prevent the scripts from opening sockets or accessing the filesystem.
After I asked this question I discovered it was previously asked here on StackOverflow: How can you run Javascript using Rhino for Java in a sandbox? On that page, it falsely indicates that the Rhino included in the JDK6 has security worked out already. As I indicated, I was able to open sockets and other harmful actions from the script.
In the end I abandoned javax.scripting
and embedded Rhino directly. By building a custom ContextFactory
that is also a ClassShutter
I was able to achieve two results easily:
java.lang.*
and a select few classes in my server's hierarchy.CodeUtopia (which I can't link to because, as a new user, I'm not allowed to link to multiple pages in a single post; but it's linked in the other StackOverflow post) was valuable in describing the ClassShutter
architecture and Rhino's own ContextFactory
API page describes how to build a custom ContextFactory
.