Skip to content

mlovrovich/delight-nashorn-sandbox

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Nashorn Sandbox

A secure sandbox for executing JavaScript in Java apps using the Nashorn engine.

Also see Rhino Sandbox.

Part of the Java Delight Suite.

Build Status

Usage

The sandbox by default blocks access to all Java classes.

Classes, which should be used in JavaScript, must be explicitly allowed.

NashornSandbox sandbox = NashornSandboxes.create();
     
sandbox.allow(File.class);
     
sandbox.eval("var File = Java.type('java.io.File'); File;")

Or you can inject your java object as a JS global variable

NashornSandboxes sandbox = NashornSandboxes.create();

sandbox.inject("fromJava", new Object());

sandbox.eval("fromJava.getClass();");

The sandbox also allows limiting the CPU time and memory usage of scripts. This allows terminating scripts which contain infinite loops and other problematic code.

NashornSandbox sandbox = NashornSandboxes.create();
     
sandbox.setMaxCPUTime(100);
sandbox.setMaxMemory(50*1024);
sandbox.allowNoBraces(false);
sandbox.setMaxPerparedStatements(30); // becouse preparing scipt for execusion is expensive
sandbox.setExecutor(Executors.newSingleThreadExecutor());
     
sandbox.eval("var o={}, i=0; while (true) {o[i++]='abc';};");

This code will raise a ScriptCPUAbuseException.

The sandbox beautifies the JavaScript code for this and injects additional statements into the submitted code. It is thus possible that the original line numbers from the submitted JS code are not preserved. To debug the code, which is generated by the sandbox, activate its debug mode as follows using log4j.properties file:

log4j.logger.delight.nashornsandbox.internal.NashornSandboxImpl=DEBUG

This will output the generated JS on the console as follows:

--- Running JS ---
var \__it = Java.type('delight.nashornsandbox.internal.InterruptTest');var \__if=function(){\__it.test();};
while(true) {__if();
  i = i+1;
}
--- JS END ---

Maven

Just add the following dependency to your projects.

<dependency>
    <groupId>org.javadelight</groupId>
    <artifactId>delight-nashorn-sandbox</artifactId>
    <version>[insert latest version]</version>
</dependency>

This artifact is available on Maven Central and BinTray.

Maven Central

If you are looking for a JAR with all dependencies, you can also download it from here.

Contributors

Eduardo Velasques: API extensions to block/allow Rhino system functions; Capability to block/allow variables after Sandbox has been created.

Marcin Gołębski: Major refactoring and performance improvements. Among other things improved the performance for JS evaluation and better handling of monitoring for threads for possible CPU abuse (#23).

Further Documentation

About

A sandbox for executing JavaScript with Nashorn in Java.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • JavaScript 58.9%
  • Java 41.1%